Commit c412d9d

mo khan <mo@mokhan.ca>
2015-06-28 03:32:22
harden the ssl nginx configuration.
1 parent d07fcf2
Changed files (1)
templates/default/nginx_unix.erb
@@ -5,18 +5,23 @@ upstream backend {
 client_max_body_size 4G;
 
 server {
-  listen 80 default deferred;
+  listen 80 deferred;
   server_name <%= @domain %>;
   rewrite        ^ https://$server_name$request_uri? permanent;
 }
 
 server {
-  listen 443;
+  listen 443 default_server;
   server_name  <%= @domain %>;
   root         <%= @current_path %>/public;
   ssl on;
   ssl_certificate             /etc/nginx/ssl/<%= @domain %>.crt;
   ssl_certificate_key         /etc/nginx/ssl/<%= @domain %>.key;
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:10m;
+
   error_log /var/log/nginx/<%= @domain %>.error.log;
   access_log /var/log/nginx/<%= @domain %>.access.log;