# Default TLS settings
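# Only TLS 1.2 is offered: TLS 1.0 and TLS 1.1 are formally deprecated
# (RFC 8996) and should not be negotiated.
# Add TLSv1.3 to this list once the deployed nginx/OpenSSL build accepts it;
# older nginx builds reject the unknown parameter at config load.
ssl_protocols TLSv1.2;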
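# Forward-secret (EC)DHE suites come first; the trailing AESGCM entry keeps
# static-RSA AES-GCM as a last resort for clients without (EC)DHE support.
# The former ALL keyword is dropped: it appended every remaining suite that
# the exclusions below do not remove, e.g. static-RSA CBC suites and,
# depending on the OpenSSL build, PSK/SRP suites.
# 3DES is excluded explicitly because the bare kEECDH / kEDH entries would
# otherwise still match 3DES-based suites on older OpenSSL versions.
ssl_ciphers kEECDH+AESGCM:kEECDH+AES:kEECDH:EDH+AESGCM:kEDH+AES:kEDH:AESGCM:!LOW:!EXP:!MD5:!aNULL:!eNULL:!RC4:!DSS:!3DES;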
# Negotiate using the server's preference order (the ssl_ciphers list above)
# instead of the order sent by the client.
ssl_prefer_server_ciphers on;
# TLS session cache named "SSL", 10 MB, shared between all worker processes.
# NOTE(review): neither ssl_session_timeout nor ssl_session_tickets is set in
# this file, so nginx defaults apply unless another include overrides them;
# confirm the session lifetime and ticket-key handling are intentional.
ssl_session_cache shared:SSL:10m;
# DH parameters used for the DHE (EDH/kEDH) suites in ssl_ciphers. The
# directory is read from the nginx:sslkeydir pillar and falls back to
# /etc/nginx/ssl/private when the pillar key is unset.
# NOTE(review): this template does not create dhparams.pem; confirm another
# state generates it (2048 bits or more) with restrictive file permissions,
# since nginx fails to load the configuration if the file is missing.
ssl_dhparam {{ salt['pillar.get']('nginx:sslkeydir', '/etc/nginx/ssl/private') }}/dhparams.pem;
# OCSP stapling
# Staple the certificate's OCSP response into the TLS handshake.
# nginx must know the issuer certificate for this to work: it has to be in
# the ssl_certificate file or in ssl_trusted_certificate.
# NOTE(review): neither directive is visible in this file; confirm each
# server block supplies the chain.
ssl_stapling on;
# Verify the OCSP response before stapling it.
# Verification needs the issuer, intermediate and root certificates
# configured as trusted through ssl_trusted_certificate.
# NOTE(review): ssl_trusted_certificate is not set in this file; confirm it
# is set per server block, otherwise verification fails and no response is
# stapled.
ssl_stapling_verify on;
# use Google's DNS
# DNS server nginx uses for its own lookups (for example the OCSP responder
# hostname needed by stapling).
# NOTE(review): 8.8.8.8 is an off-host public resolver queried over plain
# DNS, so answers can be spoofed or observed on the path. The nginx
# documentation recommends DNS servers on a properly secured, trusted local
# network; consider pointing this at a local validating resolver.
resolver 8.8.8.8;
# Abandon a name lookup after 5 seconds so that a slow or unreachable
# resolver does not stall the work that is waiting on it.
resolver_timeout 5s;