From: Arkadiusz Miśkiewicz <arekm@maven.pl>
Date: Tue, 22 Oct 2019 12:49:42 +0000 (+0200)
Subject: - update to current intermediate mozilla recommendation
X-Git-Tag: auto/th/nginx-1.16.1-2~1
X-Git-Url: http://git.pld-linux.org/?p=packages%2Fnginx.git;a=commitdiff_plain;h=4909bed3ffea5821136c797652c48ce277f293b2

- update to current intermediate mozilla recommendation
---

diff --git a/nginx.conf b/nginx.conf
index 701b61d..63f7a9e 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -57,13 +57,15 @@ http {
 		#ssl_dhparam /etc/nginx/dhparam.pem;
 
 		# modern tweak to your needs.
-		# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.14.0&openssl=1.1.1&hsts=yes&profile=modern
-		#ssl_protocols TLSv1.2 TLSv1.3;
-		#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-		#ssl_prefer_server_ciphers on;
+		# https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate
 
-		# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-		#add_header Strict-Transport-Security max-age=15768000;
+		# intermediate configuration
+		# ssl_protocols TLSv1.2 TLSv1.3;
+		# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+		# ssl_prefer_server_ciphers off;
+
+		# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+		# add_header Strict-Transport-Security "max-age=63072000" always;
 
 		# OCSP Stapling ---
 		# fetch OCSP records from URL in ssl_certificate and cache them