authormia <mia@mia.jetzt>2024-07-22 09:43:54 -0700
committermia <mia@mia.jetzt>2024-07-22 09:43:54 -0700
commit66a6fcd862cbb4b4505fab2bcd1d0b6a4ae06535 (patch)
tree9eb1852b5bf0606a7a5dcc1dc19ab0d092433192 /nginx
parent809608c7ef4801f80adbd0ae07301e39c11e3951 (diff)
modernize
switch to mozilla's ssl settings
add https redirect
fix ipv6 support
Diffstat (limited to 'nginx')
-rw-r--r--nginx/nginx.conf23
-rw-r--r--nginx/server.conf2
2 files changed, 22 insertions, 3 deletions
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 336c8d2..e3f92c9 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -25,23 +25,40 @@ http {
 	}
 
 	proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=pcache:32m max_size=20g;
+
+	# mozilla ssl settings via https://ssl-config.mozilla.org/
+
+	ssl_session_timeout 1d;
 	ssl_session_cache shared:SSL:10m;
+	ssl_session_tickets off;
+
+	ssl_protocols TLSv1.3;
+	ssl_prefer_server_ciphers off;
 
-	ssl_protocols TLSv1.2 TLSv1.3;
 	ssl_stapling on;
 	ssl_stapling_verify on;
-	ssl_prefer_server_ciphers on;
-
 	resolver 127.0.0.53;
 
 	# dummy host
 	server {
 		listen 443 quic reuseport default_server;
+		listen [::]:443 quic reuseport default_server;
 		listen 443 ssl reuseport default_server;
+		listen [::]:443 ssl reuseport default_server;
 		server_name _;
 		ssl_certificate /etc/tls/mia.jetzt.crt;
 		ssl_certificate_key /etc/tls/mia.jetzt.key;
 	}
 
+	# https redirect
+	server {
+		listen 80 default_server;
+		listen [::]:80 default_server;
+		server_name _;
+		location / {
+			return 301 https://$host$request_uri;
+		}
+	}
+
 	%SERVERS%
 }
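Review bot: `ssl_stapling_verify on;` (kept in the hunk right after the new Mozilla block) only works if nginx has the issuer chain to check the OCSP response signature against, which is the `ssl_trusted_certificate` directive the generator named in the new comment emits alongside the stapling lines; nothing in this hunk sets it. When it is missing, nginx does not refuse to start — it logs that the OCSP response could not be verified and serves without a staple, so the failure is easy to miss. The chain may be supplied per host in server.conf, which is outside this hunk; if it is not, add `ssl_trusted_certificate <issuer-chain.pem>;` (placeholder path) next to `ssl_stapling_verify on;`. The http block continues outside the hunk.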
diff --git a/nginx/server.conf b/nginx/server.conf
index d4f35f3..31908db 100644
--- a/nginx/server.conf
+++ b/nginx/server.conf
@@ -1,6 +1,8 @@
 server {
 	listen 443 quic;
+	listen [::]:443 quic;
 	listen 443 ssl;
+	listen [::]:443 ssl;
 	server_name %HOST% *.%HOST%;
 	add_header alt-svc 'h3=":443"; ma=86400';
 	ssl_certificate /etc/tls/%HOST%.crt;
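Review bot: With the unconditional HTTP→HTTPS redirect this commit adds in nginx.conf, each per-host server should also send HSTS, otherwise a returning client's first request still leaves over plain HTTP before the 301 is seen; the Mozilla profile referenced in the commit pairs its settings with `add_header Strict-Transport-Security "max-age=63072000" always;`, which would sit naturally beside the existing `add_header alt-svc` line here. The server block continues past the hunk, so the header may already be set further down; if it is, ignore this. If it is added, keep in mind that a server-level `add_header` is dropped in any `location` that declares its own `add_header`, so the new IPv6 listeners do not change that rule but every location with headers of its own needs the HSTS line repeated.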