From 4909bed3ffea5821136c797652c48ce277f293b2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= <arekm@maven.pl>
Date: Tue, 22 Oct 2019 14:49:42 +0200
Subject: [PATCH] - update to current intermediate mozilla recommendation

---
 nginx.conf | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/nginx.conf b/nginx.conf
index 701b61d..63f7a9e 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -57,13 +57,15 @@ http {
 		#ssl_dhparam /etc/nginx/dhparam.pem;
 
 		# modern tweak to your needs.
-		# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.14.0&openssl=1.1.1&hsts=yes&profile=modern
-		#ssl_protocols TLSv1.2 TLSv1.3;
-		#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-		#ssl_prefer_server_ciphers on;
+		# https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate
 
-		# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-		#add_header Strict-Transport-Security max-age=15768000;
+		# intermediate configuration
+		# ssl_protocols TLSv1.2 TLSv1.3;
+		# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+		# ssl_prefer_server_ciphers off;
+
+		# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+		# add_header Strict-Transport-Security "max-age=63072000" always;
 
 		# OCSP Stapling ---
 		# fetch OCSP records from URL in ssl_certificate and cache them
-- 
2.44.0