This repository was archived by the owner on Jul 13, 2023. It is now read-only.
forked from willem-delbare/docker-lets-encrypt-proxy
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathtls-server.conf
More file actions
42 lines (37 loc) · 2.03 KB
/
tls-server.conf
File metadata and controls
42 lines (37 loc) · 2.03 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# SCOPE: http.server
# See: https://gist.github.com/plentz/6737338
# See: https://github.com/GUI/lua-resty-auto-ssl
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
#
# You may generate Diffie-Hellman parameters with:
#
# openssl dhparam -out /etc/ssl/dhparam.pem 4096
#
ssl_dhparam /cache/ssl/dhparam.pem;
# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# SSL Session ticket encryption key. Must be shared among instances.
#
# openssl rand 48 > ticket.key
#
# ssl_session_ticket_key /etc/ssl/session.key;
# enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1.2;
# ciphers chosen for forward secrecy and compatibility
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
# You must still define a static ssl_certificate file for nginx to start.
#
# You may generate a self-signed fallback with:
#
# openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
# -subj '/CN=sni-support-required-for-valid-ssl' \
# -keyout /etc/ssl/resty-auto-ssl-fallback.key \
# -out /etc/ssl/resty-auto-ssl-fallback.crt
ssl_certificate /cache/ssl/resty-auto-ssl-fallback.crt;
ssl_certificate_key /cache/ssl/resty-auto-ssl-fallback.key;