From 342d8ef5e1d988877efbd1bc5d333640d7523570 Mon Sep 17 00:00:00 2001
From: Patrick Spek <p.spek@tyil.nl>
Date: Sun, 17 Apr 2022 10:45:53 +0200
Subject: Initial commit

---
 playbooks.d/webserver/share/snippets.d/ssl.conf | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 playbooks.d/webserver/share/snippets.d/ssl.conf

(limited to 'playbooks.d/webserver/share/snippets.d/ssl.conf')

diff --git a/playbooks.d/webserver/share/snippets.d/ssl.conf b/playbooks.d/webserver/share/snippets.d/ssl.conf
new file mode 100644
index 0000000..68bcdf0
--- /dev/null
+++ b/playbooks.d/webserver/share/snippets.d/ssl.conf
@@ -0,0 +1,16 @@
+# SSL settings
+ssl_protocols TLSv1.3 TLSv1.2;
+
+ssl_buffer_size 4K;
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_ecdh_curve secp521r1:secp384r1;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:le_nginx_SSL:2m;
+ssl_session_tickets off;
+ssl_session_timeout 1440m;
+
+# Ciphers
+ssl_ciphers 'EECDH+AESGCM:EECDH+AES256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA';
+
+# Additional headers
+add_header Strict-Transport-Security "max-age=63072000" always;
-- 
cgit v1.1