author | mia <mia@mia.jetzt> | 2024-07-22 09:43:54 -0700 |
---|---|---|
committer | mia <mia@mia.jetzt> | 2024-07-22 09:43:54 -0700 |
commit | 66a6fcd862cbb4b4505fab2bcd1d0b6a4ae06535 (patch) | |
tree | 9eb1852b5bf0606a7a5dcc1dc19ab0d092433192 /nginx | |
parent | 809608c7ef4801f80adbd0ae07301e39c11e3951 (diff) | |
modernize
switch to mozilla's ssl settings, add https redirect, fix ipv6 support
Diffstat (limited to 'nginx')
-rw-r--r-- | nginx/nginx.conf | 23 | ||||
-rw-r--r-- | nginx/server.conf | 2 |
2 files changed, 22 insertions, 3 deletions
diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 336c8d2..e3f92c9 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -25,23 +25,40 @@ http { } proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=pcache:32m max_size=20g; + + # mozilla ssl settings via https://ssl-config.mozilla.org/ + + ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; - ssl_protocols TLSv1.2 TLSv1.3; ssl_stapling on; ssl_stapling_verify on; - ssl_prefer_server_ciphers on; - resolver 127.0.0.53; # dummy host server { listen 443 quic reuseport default_server; + listen [::]:443 quic reuseport default_server; listen 443 ssl reuseport default_server; + listen [::]:443 ssl reuseport default_server; server_name _; ssl_certificate /etc/tls/mia.jetzt.crt; ssl_certificate_key /etc/tls/mia.jetzt.key; } + # https redirect + server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + location / { + return 301 https://$host$request_uri; + } + } + %SERVERS% } diff --git a/nginx/server.conf b/nginx/server.conf index d4f35f3..31908db 100644 --- a/nginx/server.conf +++ b/nginx/server.conf @@ -1,6 +1,8 @@ server { listen 443 quic; + listen [::]:443 quic; listen 443 ssl; + listen [::]:443 ssl; server_name %HOST% *.%HOST%; add_header alt-svc 'h3=":443"; ma=86400'; ssl_certificate /etc/tls/%HOST%.crt; |
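Review bot: The port-80 catch-all added at the end of the nginx.conf hunk builds its `Location` from `$host`, and under `default_server` with `server_name _` that is whatever Host header the client sent, so the box will issue redirects for names it does not serve. If that is not intended, answer unknown names with `return 444;` in this block and keep `return 301 https://$host$request_uri;` for port-80 blocks whose `server_name` lists the real hosts. Separately, the redirect only helps after a client's first plain-HTTP request, and no `Strict-Transport-Security` header is visible in either hunk (the `server.conf` block continues past its hunk, so it may exist further down). Because that block already sets `add_header alt-svc`, an http-level `add_header` would not be inherited there, so an HSTS line would have to go in `server.conf` itself, e.g. `add_header Strict-Transport-Security "max-age=63072000" always;`.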