mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-11-24 02:37:05 +00:00
47de93961e
* Set ssl_stapling_verify to off per https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx ('on' has no security benefits). * Set resolver to 127.0.0.1, instead of Google Public DNS, because we might as well use our local nameserver anyway. * Remove the commented line which per the link above would never be necessary anyway. OCSP seems to work just fine after these changes.
75 lines
3.2 KiB
Plaintext
75 lines
3.2 KiB
Plaintext
# from: https://gist.github.com/konklone/6532544
|
|
###################################################################################
|
|
|
|
# Basically the nginx configuration I use at konklone.com.
|
|
# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
|
|
#
|
|
# To provide feedback, please tweet at @konklone or email eric@konklone.com.
|
|
# Comments on gists don't notify the author.
|
|
#
|
|
# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
|
|
# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.
|
|
|
|
# Path to certificate and private key.
|
|
# The .crt may omit the root CA cert, if it's a standard CA that ships with clients.
|
|
#ssl_certificate /path/to/unified.crt;
|
|
#ssl_certificate_key /path/to/my-private-decrypted.key;
|
|
|
|
# Tell browsers to require SSL (warning: difficult to change your mind)
|
|
add_header Strict-Transport-Security max-age=31536000;
|
|
|
|
# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
|
|
#
|
|
# Forces forward secrecy in all browsers and clients that can use TLS,
|
|
# but with a small exception (DES-CBC3-SHA) for IE8/XP users.
|
|
#
|
|
# Reference client: https://www.ssllabs.com/ssltest/analyze.html
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
|
|
|
|
# Cut out (the old, broken) SSLv3 entirely.
|
|
# This **excludes IE6 users** and (apparently) Yandexbot.
|
|
# Just comment out if you need to support IE6, bless your soul.
|
|
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
|
|
|
|
# Turn on session resumption, using a 10 min cache shared across nginx processes,
|
|
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
keepalive_timeout 70;
|
|
|
|
# Buffer size of 1400 bytes fits in one MTU.
|
|
# nginx 1.5.9+ ONLY
|
|
#ssl_buffer_size 1400;
|
|
|
|
# SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6.
|
|
#
|
|
# BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3.
|
|
# Disable with 0, until using a version of nginx with SPDY 4.
|
|
spdy_headers_comp 0;
|
|
|
|
# Now let's really get fancy, and pre-generate a 2048 bit random parameter
|
|
# for DH elliptic curves. If not created and specified, default is only 1024 bits.
|
|
#
|
|
# Generated by OpenSSL with the following command:
|
|
# openssl dhparam -outform pem -out dhparam2048.pem 2048
|
|
#
|
|
# Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
|
|
ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
|
|
|
|
|
|
# OCSP stapling - means nginx will poll the CA for signed OCSP responses,
|
|
# and send them to clients so clients don't make their own OCSP calls.
|
|
# http://en.wikipedia.org/wiki/OCSP_stapling
|
|
#
|
|
# while the ssl_certificate above may omit the root cert if the CA is trusted,
|
|
# ssl_trusted_certificate below must point to a chain of **all** certs
|
|
# in the trust path - (your cert, intermediary certs, root cert)
|
|
#
|
|
# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
|
|
# nginx will use them to talk to the CA.
|
|
ssl_stapling on;
|
|
ssl_stapling_verify off;
|
|
resolver 127.0.0.1 valid=86400;
|
|
resolver_timeout 10;
|