NGINX: Set ssl_prefer_server_ciphers to on & remove robot tags.

This commit is contained in:
Viyurz 2024-02-13 13:58:10 +01:00
parent 3f72b76693
commit 283514ef73

View file

@ -4,7 +4,7 @@ include /etc/nginx/modules-enabled/*.conf;
events { events {
worker_connections 768; worker_connections 768;
# multi_accept on; multi_accept off;
} }
http { http {
@ -36,16 +36,12 @@ http {
ssl_certificate_key /etc/letsencrypt/live/viyurz.fr/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/viyurz.fr/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/viyurz.fr/chain.pem; ssl_trusted_certificate /etc/letsencrypt/live/viyurz.fr/chain.pem;
# modern configuration
# ssl_protocols TLSv1.3;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /etc/nginx/dhparam.txt; ssl_dhparam /etc/nginx/dhparam.txt;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers on;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; ssl_session_cache shared:MozSSL:10m;
@ -68,7 +64,7 @@ http {
resolver 185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1]; resolver 185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1];
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Robots-Tag "noindex, nofollow" always; # add_header X-Robots-Tag "noindex, nofollow" always;
add_header Set-Cookie "Path=/; HttpOnly; Secure"; add_header Set-Cookie "Path=/; HttpOnly; Secure";
proxy_set_header Host $host; proxy_set_header Host $host;