angie: adjust SSL configuration

2024-09-20 22:51:30 +03:00 · 2024-09-20 22:51:30 +03:00 · 5b8ef5329e
commit 5b8ef5329e
parent d3684274e3
9 changed files with 24 additions and 18 deletions
--- a/angie/conf.dist/grpc/ssl-verify.conf
+++ b/angie/conf.dist/grpc/ssl-verify.conf
@ -1 +0,0 @@
 grpc_ssl_verify on;
--- a/angie/conf.dist/grpc/ssl-cmd.conf.j2
+++ b/angie/conf.dist/grpc/ssl-cmd.conf.j2
@ -2,3 +2,7 @@
 {#- TODO: precise quotation #}
 grpc_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
 {%- endfor %}
 grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
 grpc_ssl_verify on;
 grpc_ssl_server_name on;
--- a/angie/conf.dist/grpc/tls-ca-file.conf.in
+++ b/angie/conf.dist/grpc/tls-ca-file.conf.in
@ -1 +0,0 @@
 grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};
--- a/angie/conf.dist/proxy/ssl-verify.conf
+++ b/angie/conf.dist/proxy/ssl-verify.conf
@ -1 +0,0 @@
 proxy_ssl_verify on;
--- a/angie/conf.dist/proxy/ssl-cmd.conf.j2
+++ b/angie/conf.dist/proxy/ssl-cmd.conf.j2
@ -2,3 +2,7 @@
 {#- TODO: precise quotation #}
 proxy_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
 {%- endfor %}
 proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
 proxy_ssl_verify on;
 proxy_ssl_server_name on;
--- a/angie/conf.dist/uwsgi/ssl-cmd.conf.j2
+++ b/angie/conf.dist/uwsgi/ssl-cmd.conf.j2
@ -2,3 +2,7 @@
 {#- TODO: precise quotation #}
 uwsgi_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
 {%- endfor %}
 uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
 uwsgi_ssl_verify on;
 uwsgi_ssl_server_name on;
--- a/angie/conf.dist/uwsgi/tls-ca-file.conf.in
+++ b/angie/conf.dist/uwsgi/tls-ca-file.conf.in
@ -1 +0,0 @@
 uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};
--- a/angie/j2cfg.dist/00-defaults.yml.j2
+++ b/angie/j2cfg.dist/00-defaults.yml.j2
@ -74,20 +74,20 @@ tls:
  profiles:
    modern:
      protocols: TLSv1.3
-     #prefer_server_ciphers: false
+     #prefer_server_ciphers: off
-      session_tickets: false
+      session_tickets: off
      session_timeout: 1d
    intermediate:
      protocols: TLSv1.2 TLSv1.3
-     #prefer_server_ciphers: false
+     #prefer_server_ciphers: off
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
-      dhparam: /etc/angie/tls.d/ffdhe2048.pem
+      dhparam: tls.d/ffdhe2048.pem
-      session_tickets: false
+      session_tickets: off
      session_timeout: 1d
    old:
      protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
-      prefer_server_ciphers: true
+      prefer_server_ciphers: on
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
-      dhparam: /etc/angie/tls.d/dh1024.pem
+      dhparam: tls.d/dh1024.pem
-      session_tickets: false
+      session_tickets: off
      session_timeout: 1d
--- a/angie/snip.dist/ssl-profile.j2m
+++ b/angie/snip.dist/ssl-profile.j2m
@ -2,9 +2,7 @@
 ssl_protocols {{ ssl_profile.protocols }};
 {%- endif %}
 {%- if ssl_profile.prefer_server_ciphers %}
-ssl_prefer_server_ciphers on;
+ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};
 {%- else %}
 ssl_prefer_server_ciphers off;
 {%- endif %}
 {%- if ssl_profile.ciphers %}
 ssl_ciphers {{ ssl_profile.ciphers }};
		`@ -1 +0,0 @@`
			`grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};`
		`@ -1 +0,0 @@`
			`uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};`