1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-26 02:57:04 +00:00

move nginx-ssl to be a global configuration file rather than including it into each server block

This commit is contained in:
Joshua Tauberer 2015-09-27 17:13:11 +00:00
parent 6c8ee1862a
commit 834c42bc50
3 changed files with 5 additions and 5 deletions

View File

@ -26,19 +26,19 @@
# but with a small exception (DES-CBC3-SHA) for IE8/XP users. # but with a small exception (DES-CBC3-SHA) for IE8/XP users.
# #
# Reference client: https://www.ssllabs.com/ssltest/analyze.html # Reference client: https://www.ssllabs.com/ssltest/analyze.html
ssl_prefer_server_ciphers on; # ssl_prefer_server_ciphers on; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
# Cut out (the old, broken) SSLv3 entirely. # Cut out (the old, broken) SSLv3 entirely.
# This **excludes IE6 users** and (apparently) Yandexbot. # This **excludes IE6 users** and (apparently) Yandexbot.
# Just comment out if you need to support IE6, bless your soul. # Just comment out if you need to support IE6, bless your soul.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; #ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
# Turn on session resumption, using a 10 min cache shared across nginx processes, # Turn on session resumption, using a 10 min cache shared across nginx processes,
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m; ssl_session_timeout 10m;
keepalive_timeout 70; #keepalive_timeout 70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good
# Buffer size of 1400 bytes fits in one MTU. # Buffer size of 1400 bytes fits in one MTU.
# nginx 1.5.9+ ONLY # nginx 1.5.9+ ONLY

View File

@ -31,7 +31,6 @@ server {
ssl_certificate $SSL_CERTIFICATE; ssl_certificate $SSL_CERTIFICATE;
ssl_certificate_key $SSL_KEY; ssl_certificate_key $SSL_KEY;
include /etc/nginx/nginx-ssl.conf;
# ADDITIONAL DIRECTIVES HERE # ADDITIONAL DIRECTIVES HERE
} }

View File

@ -25,8 +25,9 @@ rm -f /etc/nginx/sites-enabled/default
# Copy in a nginx configuration file for common and best-practices # Copy in a nginx configuration file for common and best-practices
# SSL settings from @konklone. Replace STORAGE_ROOT so it can find # SSL settings from @konklone. Replace STORAGE_ROOT so it can find
# the DH params. # the DH params.
rm -f /etc/nginx/nginx-ssl.conf # we used to put it here
sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
conf/nginx-ssl.conf > /etc/nginx/nginx-ssl.conf conf/nginx-ssl.conf > /etc/nginx/conf.d/ssl.conf
# Fix some nginx defaults. # Fix some nginx defaults.
# The server_names_hash_bucket_size seems to prevent long domain names! # The server_names_hash_bucket_size seems to prevent long domain names!