From 1c0da15f03e2b0afa158fb9e49cf9e0ba8e36d46 Mon Sep 17 00:00:00 2001 From: Raymon Mens Date: Sat, 30 Jul 2022 06:15:42 +0200 Subject: [PATCH] Update default SSL config (#133) * Update default SSL config Disable insecure ciphers and protocols. Bump ssl_session_timeout to recommended 1d. Based on Mozilla Guideline v5.6. * Update nginx-cuda.conf --- nginx-cuda.conf | 9 +++++---- nginx.conf | 9 +++++---- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/nginx-cuda.conf b/nginx-cuda.conf index cba1e20..fb4c8e9 100644 --- a/nginx-cuda.conf +++ b/nginx-cuda.conf @@ -39,10 +39,11 @@ http { access_log /dev/stdout combined; # Uncomment these lines to enable SSL. - # ssl_ciphers HIGH:!aNULL:!MD5; - # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - # ssl_session_cache shared:SSL:10m; - # ssl_session_timeout 10m; + # ssl_protocols TLSv1.2 TLSv1.3; + # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + # ssl_prefer_server_ciphers off; + # ssl_session_cache shared:SSL:10m; + # ssl_session_timeout 1d; server { listen ${HTTP_PORT}; diff --git a/nginx.conf b/nginx.conf index 36ce267..627f62c 100644 --- a/nginx.conf +++ b/nginx.conf @@ -48,10 +48,11 @@ http { access_log /dev/stdout combined; # Uncomment these lines to enable SSL. - # ssl_ciphers HIGH:!aNULL:!MD5; - # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - # ssl_session_cache shared:SSL:10m; - # ssl_session_timeout 10m; + # ssl_protocols TLSv1.2 TLSv1.3; + # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + # ssl_prefer_server_ciphers off; + # ssl_session_cache shared:SSL:10m; + # ssl_session_timeout 1d; server { listen ${HTTP_PORT};