|
|
@@ -3,8 +3,33 @@ server {
|
|
|
listen [::]:80 default_server;
|
|
|
listen 443 ssl http2 default_server;
|
|
|
listen [::]:443 ssl http2 default_server;
|
|
|
+
|
|
|
+ # SSL configuration
|
|
|
+ # SSL cert/key files
|
|
|
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
|
|
|
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
|
|
|
+ # For production regenerate this dhparam key by running:
|
|
|
+ # $> openssl dhparam -out dhparam.pem 4096
|
|
|
+ ssl_dhparam /etc/ssl/private/dhparam.pem;
|
|
|
+
|
|
|
+ # SSL ciphers/protocols
|
|
|
+ ssl_protocols TLSv1.3 TLSv1.2;
|
|
|
+ ssl_prefer_server_ciphers on;
|
|
|
+ ssl_ecdh_curve secp521r1:secp384r1;
|
|
|
+ ssl_ciphers EECDH+AESGCM:EECDH+AES256;
|
|
|
+
|
|
|
+ # SSL misc
|
|
|
+ ssl_session_cache shared:TLS:2m;
|
|
|
+ ssl_buffer_size 4k;
|
|
|
+
|
|
|
+ # OCSP stapling
|
|
|
+ ssl_stapling on;
|
|
|
+ ssl_stapling_verify on;
|
|
|
+ resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
|
|
|
+
|
|
|
+ # Set HSTS to 365 days
|
|
|
+ # Note: Activate this on production usage
|
|
|
+ #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
|
|
|
|
|
|
location /.well-known/webfinger {
|
|
|
proxy_http_version 1.1;
|
Florian Paul Azim Hoberg