diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf
index 307f0398..21cdf419 100644
--- a/conf/nginx-ssl.conf
+++ b/conf/nginx-ssl.conf
@@ -26,19 +26,19 @@
 # but with a small exception (DES-CBC3-SHA) for IE8/XP users.
 #
 # Reference client: https://www.ssllabs.com/ssltest/analyze.html
-ssl_prefer_server_ciphers on;
+# ssl_prefer_server_ciphers on; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
 ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 
 # Cut out (the old, broken) SSLv3 entirely.
 # This **excludes IE6 users** and (apparently) Yandexbot.
 # Just comment out if you need to support IE6, bless your soul.
-ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+#ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
 
 # Turn on session resumption, using a 10 min cache shared across nginx processes,
 # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
-keepalive_timeout 70;
+#keepalive_timeout 70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good
 
 # Buffer size of 1400 bytes fits in one MTU.
 # nginx 1.5.9+ ONLY
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 03d07375..34117efc 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -31,7 +31,6 @@ server {
 
 	ssl_certificate $SSL_CERTIFICATE;
 	ssl_certificate_key $SSL_KEY;
-	include /etc/nginx/nginx-ssl.conf;
 
 	# ADDITIONAL DIRECTIVES HERE
 }
diff --git a/setup/web.sh b/setup/web.sh
index 9f1fdfb7..6a412b98 100755
--- a/setup/web.sh
+++ b/setup/web.sh
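Review bot: The new inline comments on the `ssl_prefer_server_ciphers`, `ssl_protocols` and `keepalive_timeout` lines say only that the value is the Ubuntu 14.04/nginx 1.4.6 default, not where it is now enforced, so a reader cannot tell that SSLv3 stays disabled only because (presumably) the distribution's own /etc/nginx/nginx.conf already sets `ssl_protocols` in its http block. Now that this file is loaded at the http level, the duplicate-directive error is the only reason the line cannot be restated here, which means the protocol hardening silently depends on a file the project does not ship; a package upgrade that replaces nginx.conf, or a different distribution, would reintroduce whatever that build's default is. I would say so explicitly, e.g. `# Set in the http block of the distro's /etc/nginx/nginx.conf; nginx rejects a second ssl_protocols in the same context. Re-verify the effective value (nginx -t, then inspect the loaded config) after any nginx upgrade.`, and the same wording on the `ssl_prefer_server_ciphers` line. The `keepalive_timeout` comment is harmless but should likewise name the file that supplies the default.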
@@ -25,8 +25,9 @@ rm -f /etc/nginx/sites-enabled/default
 # Copy in a nginx configuration file for common and best-practices
 # SSL settings from @konklone. Replace STORAGE_ROOT so it can find
 # the DH params.
+rm -f /etc/nginx/nginx-ssl.conf # we used to put it here
 sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
-	conf/nginx-ssl.conf > /etc/nginx/nginx-ssl.conf
+	conf/nginx-ssl.conf > /etc/nginx/conf.d/ssl.conf
 
 # Fix some nginx defaults.
 # The server_names_hash_bucket_size seems to prevent long domain names!
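Review bot: The redirect on the new `conf/nginx-ssl.conf > /etc/nginx/conf.d/ssl.conf` line creates the target before sed runs, so a sed failure leaves an empty or truncated ssl.conf in a directory nginx loads for every server block, and the `rm -f` added just above has already discarded the old copy; whether the script aborts on that failure depends on error handling outside this hunk, which I cannot see. Writing to a scratch file first, `conf/nginx-ssl.conf > /etc/nginx/conf.d/ssl.conf.new \` followed by `&& mv /etc/nginx/conf.d/ssl.conf.new /etc/nginx/conf.d/ssl.conf`, keeps a bad run from leaving a half-written TLS policy in place, and running `nginx -t` before any reload would catch it. Separately, `$STORAGE_ROOT` is interpolated unescaped into the sed expression, so a value containing `#` or `&` would corrupt the generated file; a one-line comment stating that assumption, `# STORAGE_ROOT must not contain '#' or '&' (sed delimiter / replacement metacharacters)`, is the minimum. The script continues on both sides of the hunk.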