From 45dae089643574663fc8304f21b09421794b48d2 Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Sun, 18 Sep 2016 15:21:45 +0200
Subject: [PATCH] nginx: Update SSL settings

Include link to mozilla's config generator (looks like the settings
came from there) and update ssl_session_* settings to their current
recommendation.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 roles/nginx/templates/sslsettings.conf | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/roles/nginx/templates/sslsettings.conf b/roles/nginx/templates/sslsettings.conf
index 27b7f30b6..40dd8f9e7 100644
--- a/roles/nginx/templates/sslsettings.conf
+++ b/roles/nginx/templates/sslsettings.conf
@@ -1,9 +1,15 @@
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.1&openssl=1.0.2&hsts=yes&profile=modern
 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
 ssl_protocols TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_dhparam /etc/ssl/dhparams.pem;
-ssl_session_timeout  5m;
-ssl_session_cache    shared:SSL:10m;
-ssl_stapling        on;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_stapling on;
 ssl_stapling_verify on;
+
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-- 
GitLab