angie/conf.dist/grpc/ssl-cmd.conf.j2

@@ -1,8 +1,4 @@
 {%- for k, v in j2cfg.tls.conf_cmd.items() %}
 {#- TODO: precise quotation #}
 grpc_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
-{%- endfor %}
+{%- endfor %}
-
-grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
-grpc_ssl_verify on;
-grpc_ssl_server_name on;

angie/conf.dist/grpc/ssl-verify.conf

@@ -0,0 +1 @@
+grpc_ssl_verify on;

angie/conf.dist/grpc/tls-ca-file.conf.in

@@ -0,0 +1 @@
+grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

angie/conf.dist/proxy/ssl-cmd.conf.j2

@@ -1,8 +1,4 @@
 {%- for k, v in j2cfg.tls.conf_cmd.items() %}
 {#- TODO: precise quotation #}
 proxy_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
-{%- endfor %}
+{%- endfor %}
-
-proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
-proxy_ssl_verify on;
-proxy_ssl_server_name on;

angie/conf.dist/proxy/ssl-verify.conf

@@ -0,0 +1 @@
+proxy_ssl_verify on;

angie/conf.dist/uwsgi/ssl-cmd.conf.j2

@@ -1,8 +1,4 @@
 {%- for k, v in j2cfg.tls.conf_cmd.items() %}
 {#- TODO: precise quotation #}
 uwsgi_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
-{%- endfor %}
+{%- endfor %}
-
-uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
-uwsgi_ssl_verify on;
-uwsgi_ssl_server_name on;

angie/conf.dist/uwsgi/tls-ca-file.conf.in

@@ -0,0 +1 @@
+uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

angie/j2cfg.dist/00-defaults.yml.j2

@@ -74,20 +74,20 @@ tls:
   profiles:
     modern:
       protocols: TLSv1.3
-     #prefer_server_ciphers: off
+     #prefer_server_ciphers: false
-      session_tickets: off
+      session_tickets: false
       session_timeout: 1d
     intermediate:
       protocols: TLSv1.2 TLSv1.3
-     #prefer_server_ciphers: off
+     #prefer_server_ciphers: false
       ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
-      dhparam: tls.d/ffdhe2048.pem
+      dhparam: /etc/angie/tls.d/ffdhe2048.pem
-      session_tickets: off
+      session_tickets: false
       session_timeout: 1d
     old:
       protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
-      prefer_server_ciphers: on
+      prefer_server_ciphers: true
       ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
-      dhparam: tls.d/dh1024.pem
+      dhparam: /etc/angie/tls.d/dh1024.pem
-      session_tickets: off
+      session_tickets: false
       session_timeout: 1d

angie/snip.dist/ssl-profile.j2m

@@ -2,7 +2,9 @@
 ssl_protocols {{ ssl_profile.protocols }};
 {%- endif %}
 {%- if ssl_profile.prefer_server_ciphers %}
-ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};
+ssl_prefer_server_ciphers on;
+{%- else %}
+ssl_prefer_server_ciphers off;
 {%- endif %}
 {%- if ssl_profile.ciphers %}
 ssl_ciphers {{ ssl_profile.ciphers }};

doc/examples/njs/README.md

@@ -1,22 +1,5 @@
 # print env via NJS
 
-Dockerfile:
-
-```dockerfile
-FROM docker.io/rockdrilla/angie-conv:v0.0.1
-
-COPY /site/ /etc/angie/site/
-
-## install 'angie-module-njs' and process package contents
-RUN apt-install-angie-mod.sh njs ; \
-    apt-clean.sh
-
-## load ngx_http_js_module
-ENV NGX_HTTP_MODULES='njs'
-```
-
----
-
 configuration:
 
 ```nginx
@@ -33,8 +16,6 @@ server {
 }
 ```
 
----
-
 NJS script:
 
 ```js
@@ -52,7 +33,20 @@ function report(r) {
 export default { report };
 ```
 
----
+Dockerfile:
+
+```dockerfile
+FROM docker.io/rockdrilla/angie-conv:v0.0.1
+
+COPY /site/ /etc/angie/site/
+
+## install 'angie-module-njs' and process package contents
+RUN apt-install-angie-mod.sh njs ; \
+    apt-clean.sh
+
+## load ngx_http_js_module
+ENV NGX_HTTP_MODULES='njs'
+```
 
 Test URI e.g. with `curl`:
 ```sh

doc/examples/perl/README.md

@@ -1,22 +1,5 @@
 # print env via Perl
 
-Dockerfile:
-
-```dockerfile
-FROM docker.io/rockdrilla/angie-conv:v0.0.1
-
-COPY /site/ /etc/angie/site/
-
-## install 'angie-module-perl' and process package contents
-RUN apt-install-angie-mod.sh perl ; \
-    apt-clean.sh
-
-## load ngx_http_perl_module
-ENV NGX_HTTP_MODULES='perl'
-```
-
----
-
 configuration:
 
 ```nginx
@@ -33,8 +16,6 @@ server {
 }
 ```
 
----
-
 Perl script:
 
 ```perl
@@ -62,7 +43,20 @@ sub report {
 __END__
 ```
 
----
+Dockerfile:
+
+```dockerfile
+FROM docker.io/rockdrilla/angie-conv:v0.0.1
+
+COPY /site/ /etc/angie/site/
+
+## install 'angie-module-perl' and process package contents
+RUN apt-install-angie-mod.sh perl ; \
+    apt-clean.sh
+
+## load ngx_http_perl_module
+ENV NGX_HTTP_MODULES='perl'
+```
 
 Test URI e.g. with `curl`:
 ```sh

doc/examples/ssl/README.md

@@ -1,5 +1,20 @@
 # SSL with subdomains
 
+configuration:
+
+```nginx
+server {
+    listen 8443 ssl;
+
+    server_name example.org;
+
+    ssl_certificate      tls.d/example.org.chain.crt;
+    ssl_certificate_key  tls.d/example.org.pem;
+
+    root static.d/example.org;
+}
+```
+
 Dockerfile:
 
 ```dockerfile
@@ -12,45 +27,7 @@ COPY /tls/    /etc/angie/tls/
 ENV NGX_HTTP_CONFLOAD='ssl'
 ```
 
----
+Optional cut-off SSL server block:
-
-configuration:
-
-```nginx
-server {
-    listen 8443 ssl;
-
-    server_name www.example.org;
-
-    ssl_certificate      tls.d/www.example.org.chain.crt;
-    ssl_certificate_key  tls.d/www.example.org.pem;
-
-    root static.d/www.example.org;
-}
-```
-
----
-
-configuration for wildcard certificate:
-
-```nginx
-server {
-    listen 8443 ssl;
-
-    server_name .example.org;
-
-    ssl_certificate      tls.d/example.org.chain.crt;
-    ssl_certificate_key  tls.d/example.org.pem;
-
-    root static.d/example.org;
-}
-```
-
-*Note: certificate must have* `X509v3 Subject Alternative Name` *property with value like* `DNS:example.org, DNS:*.example.org` .
-
----
-
-(optional) configuration for cut-off SSL server block (see [documentation](https://angie.software/en/configuration/modules/http/http_ssl/#ssl-reject-handshake) for rationale):
 
 ```nginx
 server {
@@ -65,8 +42,6 @@ server {
 }
 ```
 
----
-
 Test URI e.g. with `curl`:
 ```sh
 curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/