angie: adjust SSL configuration
parent
d3684274e3
commit
5b8ef5329e
@ -1 +0,0 @@
|
|||||||
grpc_ssl_verify on;
|
|
@ -1,4 +1,8 @@
|
|||||||
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
|
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
|
||||||
{#- TODO: precise quotation #}
|
{#- TODO: precise quotation #}
|
||||||
grpc_ssl_conf_command {{ k }} {{ v.__repr__() }};
|
grpc_ssl_conf_command {{ k }} {{ v.__repr__() }};
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
|
||||||
|
grpc_ssl_verify on;
|
||||||
|
grpc_ssl_server_name on;
|
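Review bot: The added `grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};` line interpolates an environment value unquoted and unconditionally, and the same pattern is added in the proxy_ssl and uwsgi_ssl sections below. If the variable is unset when the template is rendered, Jinja's default undefined handling would presumably leave the directive without an argument, and a path containing whitespace would be split into two arguments; either way the error only surfaces when the server loads the config. Quoting the value, `grpc_ssl_trusted_certificate "{{ env.NGX_SSL_CERT_FILE }}";`, and having the renderer reject undefined variables (for example Jinja's `StrictUndefined`) would catch this at render time. A short template comment such as `{#- NGX_SSL_CERT_FILE: CA bundle used to verify upstream certificates #}` would also record what the variable is expected to hold.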
@ -1 +0,0 @@
|
|||||||
grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};
|
|
@ -1 +0,0 @@
|
|||||||
proxy_ssl_verify on;
|
|
@ -1,4 +1,8 @@
|
|||||||
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
|
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
|
||||||
{#- TODO: precise quotation #}
|
{#- TODO: precise quotation #}
|
||||||
proxy_ssl_conf_command {{ k }} {{ v.__repr__() }};
|
proxy_ssl_conf_command {{ k }} {{ v.__repr__() }};
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
|
||||||
|
proxy_ssl_verify on;
|
||||||
|
proxy_ssl_server_name on;
|
@ -1,4 +1,8 @@
|
|||||||
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
|
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
|
||||||
{#- TODO: precise quotation #}
|
{#- TODO: precise quotation #}
|
||||||
uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }};
|
uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }};
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
|
||||||
|
uwsgi_ssl_verify on;
|
||||||
|
uwsgi_ssl_server_name on;
|
@ -1 +0,0 @@
|
|||||||
uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};
|
|
@ -74,20 +74,20 @@ tls:
|
|||||||
profiles:
|
profiles:
|
||||||
modern:
|
modern:
|
||||||
protocols: TLSv1.3
|
protocols: TLSv1.3
|
||||||
#prefer_server_ciphers: false
|
#prefer_server_ciphers: off
|
||||||
session_tickets: false
|
session_tickets: off
|
||||||
session_timeout: 1d
|
session_timeout: 1d
|
||||||
intermediate:
|
intermediate:
|
||||||
protocols: TLSv1.2 TLSv1.3
|
protocols: TLSv1.2 TLSv1.3
|
||||||
#prefer_server_ciphers: false
|
#prefer_server_ciphers: off
|
||||||
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
||||||
dhparam: /etc/angie/tls.d/ffdhe2048.pem
|
dhparam: tls.d/ffdhe2048.pem
|
||||||
session_tickets: false
|
session_tickets: off
|
||||||
session_timeout: 1d
|
session_timeout: 1d
|
||||||
old:
|
old:
|
||||||
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
||||||
prefer_server_ciphers: true
|
prefer_server_ciphers: on
|
||||||
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
||||||
dhparam: /etc/angie/tls.d/dh1024.pem
|
dhparam: tls.d/dh1024.pem
|
||||||
session_tickets: false
|
session_tickets: off
|
||||||
session_timeout: 1d
|
session_timeout: 1d
|
||||||
|
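Review bot: The new values `on` and `off` are unquoted, so a YAML 1.1 loader (PyYAML's default behaviour) reads them as booleans rather than strings; which loader this project uses is not visible here. In that case the template change in the last section, `ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};`, would render `True` for the `old` profile, which is not a valid directive value. A loader that keeps `off` as a string instead makes the `{%- if %}` guard truthy for it. Quoting removes the ambiguity: `prefer_server_ciphers: 'on'` and `session_tickets: 'off'`. The `tls:` mapping starts before this hunk, so other keys may need the same treatment.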
@ -2,9 +2,7 @@
|
|||||||
ssl_protocols {{ ssl_profile.protocols }};
|
ssl_protocols {{ ssl_profile.protocols }};
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
{%- if ssl_profile.prefer_server_ciphers %}
|
{%- if ssl_profile.prefer_server_ciphers %}
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};
|
||||||
{%- else %}
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
{%- if ssl_profile.ciphers %}
|
{%- if ssl_profile.ciphers %}
|
||||||
ssl_ciphers {{ ssl_profile.ciphers }};
|
ssl_ciphers {{ ssl_profile.ciphers }};
|
||||||
|
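Review bot: With the `{%- else %}` branch gone, a profile that leaves `prefer_server_ciphers` unset (it is commented out in `modern` and `intermediate`) emits no `ssl_prefer_server_ciphers` line at all, so the effective value comes from the enclosing context or the server default instead of an explicit `off`. If that is intended, a template comment such as `{#- unset: inherit ssl_prefer_server_ciphers from the outer context #}` above the `if` would make it visible to the next maintainer. The template begins before this hunk and continues after the `ssl_ciphers` line.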