diff --git a/nginx-rp/dhparam.txt b/nginx-rp/dhparam.txt
new file mode 100644
index 0000000..088f967
--- /dev/null
+++ b/nginx-rp/dhparam.txt
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
\ No newline at end of file
diff --git a/nginx-rp/docker-compose.yaml b/nginx-rp/docker-compose.yaml
index d11e01c..583e5b9 100644
--- a/nginx-rp/docker-compose.yaml
+++ b/nginx-rp/docker-compose.yaml
@@ -6,5 +6,6 @@ services:
 network_mode: host
 volumes:
 - ./nginx.conf:/etc/nginx/nginx.conf
+ - ./dhparam.txt:/dhparam.txt
 - /etc/letsencrypt/live/viyurz.fr:/etc/letsencrypt/live/viyurz.fr
 - /etc/letsencrypt/archive/viyurz.fr:/etc/letsencrypt/archive/viyurz.fr
diff --git a/nginx-rp/nginx.conf b/nginx-rp/nginx.conf
index a33d8d5..ec569bc 100644
--- a/nginx-rp/nginx.conf
+++ b/nginx-rp/nginx.conf
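Review bot: In nginx-rp/docker-compose.yaml the new bind mount `- ./dhparam.txt:/dhparam.txt` is writable from inside the container, although nginx only ever reads the file. Mounting it read-only, `- ./dhparam.txt:/dhparam.txt:ro`, keeps a process in the container from altering the host copy; the neighbouring nginx.conf and letsencrypt mounts in this hunk would benefit from the same suffix. The file itself holds public DH group parameters (it appears to be the ffdhe2048 group that the comment in nginx.conf points to), so committing it exposes no secret.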
@@ -34,13 +34,13 @@ http {
 ssl_trusted_certificate /etc/letsencrypt/live/viyurz.fr/chain.pem;
 # modern configuration
- ssl_protocols TLSv1.3;
+ # ssl_protocols TLSv1.3;
 # intermediate configuration
- # ssl_protocols TLSv1.2 TLSv1.3;
- # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
- # ssl_dhparam /path/to/dhparam;
+ ssl_dhparam /dhparam.txt;
 ssl_prefer_server_ciphers off;
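Review bot: Switching `ssl_protocols` from `TLSv1.3` to `TLSv1.2 TLSv1.3` widens what the proxy will negotiate, and nothing visible in the config records which client needs TLS 1.2. A comment above the directive, such as `# TLS 1.2 kept for <client>; return to the modern profile once it is gone`, would keep the downgrade from becoming permanent by accident. The three `DHE-RSA-*` suites and `ssl_dhparam /dhparam.txt;` only serve TLS 1.2 clients without ECDHE support and make each such handshake more expensive for the server, so if the clients in question all negotiate ECDHE those suites and the dhparam file can be left out. The enclosing `http {` block starts and ends outside the hunk.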