
angie: adjust SSL configuration

Konstantin Demin 2024-09-20 22:51:30 +03:00
parent d3684274e3
commit 5b8ef5329e
Signed by: krd
GPG Key ID: 4D56F87A8BA65FD0
9 changed files with 24 additions and 18 deletions


@ -1 +0,0 @@
grpc_ssl_verify on;


@ -2,3 +2,7 @@
{#- TODO: precise quotation #} {#- TODO: precise quotation #}
grpc_ssl_conf_command {{ k }} {{ v.__repr__() }}; grpc_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %} {%- endfor %}
grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
grpc_ssl_verify on;
grpc_ssl_server_name on;
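Review bot: `{{ env.NGX_SSL_CERT_FILE }}` on the new grpc_ssl_trusted_certificate line is expanded unguarded and unquoted, so with Jinja's default Undefined an unset variable renders as `grpc_ssl_trusted_certificate ;` and the server rejects the config at load with a message that never names the missing variable. Rendering with a strict undefined (`StrictUndefined` in Jinja2) or checking `env.NGX_SSL_CERT_FILE` before these lines turns that into a clear template-time error, and quoting the path (`grpc_ssl_trusted_certificate "{{ env.NGX_SSL_CERT_FILE }}";`) keeps a path containing spaces or `;` intact, which the existing `TODO: precise quotation` above already hints at. The same three lines are added for proxy_ssl_* (L41–L47) and uwsgi_ssl_* (L51–L57) and the same applies there. Verification is now `on` without an explicit `grpc_ssl_verify_depth`, so the server default presumably applies; if the upstream certificates chain through an intermediate, confirm that default is deep enough or set it explicitly. The enclosing for-loop starts outside the hunk.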


@ -1 +0,0 @@
grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};


@ -1 +0,0 @@
proxy_ssl_verify on;


@ -2,3 +2,7 @@
{#- TODO: precise quotation #} {#- TODO: precise quotation #}
proxy_ssl_conf_command {{ k }} {{ v.__repr__() }}; proxy_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %} {%- endfor %}
proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
proxy_ssl_verify on;
proxy_ssl_server_name on;


@ -2,3 +2,7 @@
{#- TODO: precise quotation #} {#- TODO: precise quotation #}
uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }}; uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %} {%- endfor %}
uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
uwsgi_ssl_verify on;
uwsgi_ssl_server_name on;


@ -1 +0,0 @@
uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};


@ -74,20 +74,20 @@ tls:
profiles: profiles:
modern: modern:
protocols: TLSv1.3 protocols: TLSv1.3
#prefer_server_ciphers: false #prefer_server_ciphers: off
session_tickets: false session_tickets: off
session_timeout: 1d session_timeout: 1d
intermediate: intermediate:
protocols: TLSv1.2 TLSv1.3 protocols: TLSv1.2 TLSv1.3
#prefer_server_ciphers: false #prefer_server_ciphers: off
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
dhparam: /etc/angie/tls.d/ffdhe2048.pem dhparam: tls.d/ffdhe2048.pem
session_tickets: false session_tickets: off
session_timeout: 1d session_timeout: 1d
old: old:
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
prefer_server_ciphers: true prefer_server_ciphers: on
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
dhparam: /etc/angie/tls.d/dh1024.pem dhparam: tls.d/dh1024.pem
session_tickets: false session_tickets: off
session_timeout: 1d session_timeout: 1d
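Review bot: `prefer_server_ciphers: on` and `session_tickets: off` (the changed values on lines 70, 71, 75, 78, 82 and 85) are YAML 1.1 boolean literals, so a 1.1-style loader such as PyYAML reads them as `True`/`False` instead of the strings `on`/`off` that the template hunk at the end of this commit now interpolates verbatim (`ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};`); that would render `ssl_prefer_server_ciphers True;`, which the server rejects, and an `off` value would be falsy and never emitted, silently leaving the server default. Quote them so the rendered directive does not depend on the loader: `prefer_server_ciphers: "on"` and `session_tickets: "off"`. Whether this misfires in practice depends on which YAML loader the renderer uses, which is not visible here. The dhparam paths are now relative (`tls.d/ffdhe2048.pem`, `tls.d/dh1024.pem`) and presumably rely on the server's configuration prefix being /etc/angie; a comment on those lines stating that assumption, e.g. `# relative to the angie prefix directory`, would save the next reader a config-test failure.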


@ -2,9 +2,7 @@
ssl_protocols {{ ssl_profile.protocols }}; ssl_protocols {{ ssl_profile.protocols }};
{%- endif %} {%- endif %}
{%- if ssl_profile.prefer_server_ciphers %} {%- if ssl_profile.prefer_server_ciphers %}
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};
{%- else %}
ssl_prefer_server_ciphers off;
{%- endif %} {%- endif %}
{%- if ssl_profile.ciphers %} {%- if ssl_profile.ciphers %}
ssl_ciphers {{ ssl_profile.ciphers }}; ssl_ciphers {{ ssl_profile.ciphers }};