web: split TLS configuration and make it stronger
Resources: - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ - https://weakdh.org/sysadmin.html
This commit is contained in:
parent
c34b4814df
commit
415f10406f
|
@ -2,11 +2,10 @@ server {
|
|||
listen 80 default_server;
|
||||
listen 443 ssl;
|
||||
|
||||
ssl_certificate /config/keys/cert.crt;
|
||||
ssl_certificate_key /config/keys/cert.key;
|
||||
|
||||
server_name _;
|
||||
|
||||
include /config/nginx/ssl.conf;
|
||||
|
||||
client_max_body_size 0;
|
||||
|
||||
root /usr/share/jitsi-meet;
|
||||
|
|
16
web/rootfs/defaults/ssl.conf
Normal file
16
web/rootfs/defaults/ssl.conf
Normal file
|
@ -0,0 +1,16 @@
|
|||
# session settings
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
# Diffie-Hellman parameter for DHE cipher suites
|
||||
ssl_dhparam /config/nginx/dhparams.pem;
|
||||
|
||||
# ssl certs
|
||||
ssl_certificate /config/keys/cert.crt;
|
||||
ssl_certificate_key /config/keys/cert.key;
|
||||
|
||||
# protocols
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
|
|
@ -12,6 +12,14 @@ if [[ ! -f /config/nginx/nginx.conf ]]; then
|
|||
cp /defaults/nginx.conf /config/nginx/nginx.conf
|
||||
fi
|
||||
|
||||
if [[ ! -f /config/nginx/ssl.conf ]]; then
|
||||
cp /defaults/ssl.conf /config/nginx/ssl.conf
|
||||
fi
|
||||
|
||||
if [ ! -f "/config/nginx/dhparams.pem" ]; then
|
||||
openssl dhparam -out /config/nginx/dhparams.pem 2048
|
||||
fi
|
||||
|
||||
if [[ ! -f /config/nginx/site-confs/default ]]; then
|
||||
tpl /defaults/default > /config/nginx/site-confs/default
|
||||
fi
|
||||
|
|
Loading…
Reference in New Issue
Block a user