krd/angie-conv-image
1
0
Fork 0
Code

angie: adjust SSL configuration

Browse Source
This commit is contained in:
Konstantin Demin 2024-09-20 22:51:30 +03:00
parent d3684274e3
commit 5b8ef5329e
Signed by: krd
GPG Key ID: 4D56F87A8BA65FD0
9 changed files with 24 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
angie/conf.dist/grpc/ssl-verify.conf
View File

@ -1 +0,0 @@
grpc_ssl_verify on;

6
angie/conf.dist/grpc/ssl-cmd.conf.j2 → angie/conf.dist/grpc/ssl.conf.j2
View File

@ -1,4 +1,8 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
{#- TODO: precise quotation #}
grpc_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %}
{%- endfor %}
grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
grpc_ssl_verify on;
grpc_ssl_server_name on;

1
angie/conf.dist/grpc/tls-ca-file.conf.in
View File

@ -1 +0,0 @@
grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

1
angie/conf.dist/proxy/ssl-verify.conf
View File

@ -1 +0,0 @@
proxy_ssl_verify on;

6
angie/conf.dist/proxy/ssl-cmd.conf.j2 → angie/conf.dist/proxy/ssl.conf.j2
View File

@ -1,4 +1,8 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
{#- TODO: precise quotation #}
proxy_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %}
{%- endfor %}
proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
proxy_ssl_verify on;
proxy_ssl_server_name on;

6
angie/conf.dist/uwsgi/ssl-cmd.conf.j2 → angie/conf.dist/uwsgi/ssl.conf.j2
View File

@ -1,4 +1,8 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
{#- TODO: precise quotation #}
uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %}
{%- endfor %}
uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
uwsgi_ssl_verify on;
uwsgi_ssl_server_name on;

1
angie/conf.dist/uwsgi/tls-ca-file.conf.in
View File

@ -1 +0,0 @@
uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

16
angie/j2cfg.dist/00-defaults.yml.j2
View File

@ -74,20 +74,20 @@ tls:
profiles:
modern:
protocols: TLSv1.3
#prefer_server_ciphers: false
session_tickets: false
#prefer_server_ciphers: off
session_tickets: off
session_timeout: 1d
intermediate:
protocols: TLSv1.2 TLSv1.3
#prefer_server_ciphers: false
#prefer_server_ciphers: off
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
dhparam: /etc/angie/tls.d/ffdhe2048.pem
session_tickets: false
dhparam: tls.d/ffdhe2048.pem
session_tickets: off
session_timeout: 1d
old:
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
prefer_server_ciphers: true
prefer_server_ciphers: on
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
dhparam: /etc/angie/tls.d/dh1024.pem
session_tickets: false
dhparam: tls.d/dh1024.pem
session_tickets: off
session_timeout: 1d

4
angie/snip.dist/ssl-profile.j2m
View File

@ -2,9 +2,7 @@
ssl_protocols {{ ssl_profile.protocols }};
{%- endif %}
{%- if ssl_profile.prefer_server_ciphers %}
ssl_prefer_server_ciphers on;
{%- else %}
ssl_prefer_server_ciphers off;
ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};
{%- endif %}
{%- if ssl_profile.ciphers %}
ssl_ciphers {{ ssl_profile.ciphers }};