-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
28 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -73,3 +73,8 @@ target/ | |
|
||
.idea | ||
.vscode | ||
|
||
# ignore certificate symlinks | ||
*.crt | ||
*.key | ||
*.pem |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; | ||
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# from https://syslink.pl/cipherlist/ | ||
# more instructions here https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04 | ||
|
||
ssl_protocols TLSv1.2; | ||
ssl_prefer_server_ciphers on; | ||
ssl_dhparam /etc/nginx/dhparam.pem; | ||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; | ||
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 | ||
ssl_session_timeout 10m; | ||
ssl_session_cache shared:SSL:10m; | ||
ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
ssl_stapling on; # Requires nginx >= 1.3.7 | ||
ssl_stapling_verify on; # Requires nginx => 1.3.7 | ||
resolver 8.8.8.8 8.8.4.4 valid=300s; | ||
resolver_timeout 5s; | ||
# Disable strict transport security for now. You can uncomment the following | ||
# line if you understand the implications. | ||
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; | ||
add_header X-Frame-Options DENY; | ||
add_header X-Content-Type-Options nosniff; | ||
add_header X-XSS-Protection "1; mode=block"; |