nginx: Better SSL config

Signed-off-by: Thomas Schneider <thomas@fsmpi.rwth-aachen.de>

nginx: Better SSL config
5d9c278d · Thomas Schneider · b3392233 · 5d9c278d
Verified Commit 5d9c278d authored 7 years ago by Thomas Schneider
--- a/request-tracker/templates/nginx-rt.j2
+++ b/request-tracker/templates/nginx-rt.j2
@@ -2,6 +2,16 @@ server {
 	listen 443 ssl;
 	ssl_certificate /etc/ssl/nginx.crt;
 	ssl_certificate_key /etc/ssl/private/nginx.key;
+	ssl_session_timeout 1d;
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;
+	ssl_trusted_certificate /etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem;
+	ssl_protocols TLSv1.2;
+	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+	ssl_prefer_server_ciphers on;
+	ssl_stapling on;
+	ssl_stapling_verify on;
 	server_name {{rt_webdomain}};
 	access_log  /var/log/nginx/access.log;