docker: improve nginx https configuration security

* Limit to TLS 1.2 and the most secure ciphers
* Set some other recommended ssl_* settings
* Disable gzip

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Paul Eggleton 2019-04-18 10:41:54 +12:00
parent 17029e1e6f
commit 570d9dc7ad


@ -83,8 +83,13 @@ http {
server_name _;
ssl_certificate /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-CCM:AES128-CCM:AES128-SHA256:AES256-CCM:AES256-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:!aNULL:!eNULL;
ssl_ecdh_curve prime256v1;
ssl_session_cache shared:SSL:12m;
ssl_session_timeout 12m;
gzip off;
keepalive_timeout 5;
@ -99,8 +104,13 @@ http {
server_name layers.openembedded.org;
ssl_certificate /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-CCM:AES128-CCM:AES128-SHA256:AES256-CCM:AES256-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:!aNULL:!eNULL;
ssl_ecdh_curve prime256v1;
ssl_session_cache shared:SSL:12m;
ssl_session_timeout 12m;
gzip off;
keepalive_timeout 20;
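Review bot: The new `ssl_ciphers` list (here and in the first hunk) is described as "the most secure ciphers" but still admits suites without forward secrecy — the plain `AES128-GCM-SHA256`, `AES128-SHA256`, `AES256-SHA256`, `AES128-CCM` and `AES256-CCM` entries use static RSA key exchange and `ECDH-ECDSA-AES128-GCM-SHA256` uses static ECDH — plus several CBC-mode `*-SHA256` suites, so a recorded session can be decrypted later if the server key leaks. Restricting to ECDHE AEAD suites keeps the stated intent, e.g. `ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;`. If the `DHE-*` suites are kept, an `ssl_dhparam <PATH_TO_DHPARAM_PEM>;` directive should accompany them, since without it nginx either falls back to built-in parameters or, on newer versions, silently drops the DHE suites — worth confirming against the nginx version in the image. `ssl_ecdh_curve prime256v1;` also pins a single curve; if the bundled OpenSSL supports it, `ssl_ecdh_curve X25519:prime256v1;` is a safe widening. Both server blocks now carry identical `ssl_*` settings, so hoisting them into the enclosing `http {` block (which starts outside these hunks) would avoid the two copies drifting apart.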