diff --git a/docker/nginx-ssl.conf b/docker/nginx-ssl.conf index 8b81fd9..9776b8f 100644 --- a/docker/nginx-ssl.conf +++ b/docker/nginx-ssl.conf @@ -83,8 +83,13 @@ http { server_name _; ssl_certificate /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_protocols TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-CCM:AES128-CCM:AES128-SHA256:AES256-CCM:AES256-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:!aNULL:!eNULL; + ssl_ecdh_curve prime256v1; + ssl_session_cache shared:SSL:12m; + ssl_session_timeout 12m; + gzip off; keepalive_timeout 5; @@ -99,8 +104,13 @@ http { server_name layers.openembedded.org; ssl_certificate /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_protocols TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-CCM:AES128-CCM:AES128-SHA256:AES256-CCM:AES256-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:!aNULL:!eNULL; + ssl_ecdh_curve prime256v1; + ssl_session_cache shared:SSL:12m; + ssl_session_timeout 12m; + gzip off; keepalive_timeout 20;