Commit 06977309 authored by Aral Balkan's avatar Aral Balkan

Updated SSL config to get A+ of SSLLabs test.

parent 96f2e2b6
......@@ -150,6 +150,10 @@ echo -e " * Carrying out site settings template substitutions…"
sudo sed -i "s/{SERVER_NAMES}/${serverName}/g" /etc/nginx/sites-available/http.conf
sudo sed -i "s/{SERVER_NAMES}/${serverName}/g" /etc/nginx/sites-available/https.conf
# Generate unique Diffie Hellman Group
sudo mkdir /etc/nginx/ssl
sudo openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048
# Create the home directory
mkdir /home/ubuntu/archive
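Review bot: `sudo mkdir /etc/nginx/ssl` on the fourth line of the hunk fails when the directory already exists, so a second run of the setup script either stops here (if it runs under `set -e`, which is not visible in the hunk) or continues past a failed step; `sudo mkdir -p /etc/nginx/ssl` makes it idempotent, and the same applies to `mkdir /home/ubuntu/archive` on the last line. The `openssl dhparam` step is slow and its exit status is not checked, so a failed or interrupted generation leaves the https config pointing at a missing `dhparams.pem` and nginx refusing to start; `sudo openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048 || exit 1` keeps the script from proceeding without it. The surrounding script continues outside the hunk.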
......
......@@ -8,7 +8,24 @@ server {
ssl_certificate /etc/letsencrypt/certs/archive.better.fyi/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/certs/archive.better.fyi/privkey.pem;
# Serve the site from the git repository.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Add perfect forward secrecy
# Implement a unique Diffie Hellman Group
# (See https://weakdh.org/sysadmin.html for details on generating your own.)
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
ssl_ecdh_curve secp521r1;
# Implement HSTS
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
# --- End of SSL-specific setup ---
# Serve the static site.
root /home/ubuntu/archive/;
index index.html index.htm;
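Review bot: The `ssl_ciphers` string lists `EECDH+aRSA+RC4` and `RC4` and then ends with `!RC4`; a `!` entry removes a cipher from the list permanently regardless of position, so the two RC4 entries are dead and should be dropped so the list reads as intended: `ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";`. `ssl_ecdh_curve secp521r1` is not supported by some mainstream browsers, which then fall back to the slower DHE suites or fail the handshake; `ssl_ecdh_curve secp384r1;` is the common choice and keeps the ECDHE suites reachable. The comments `# Serve the site from the git repository.` and `# Implement HSTS` sit above `ssl_protocols` and `ssl_prefer_server_ciphers` rather than the lines they describe; the HSTS comment belongs directly above the `add_header Strict-Transport-Security` line. The enclosing `server { }` block starts before the hunk.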
......