12 changed files with 62 additions and 105 deletions
--- a/angie/conf.dist/grpc/ssl-cmd.conf.j2
+++ b/angie/conf.dist/grpc/ssl-cmd.conf.j2
@ -2,7 +2,3 @@
 {#- TODO: precise quotation #}
 grpc_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
 {%- endfor %}
-
-grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
-grpc_ssl_verify on;
-grpc_ssl_server_name on;
--- a/angie/conf.dist/grpc/ssl-verify.conf
+++ b/angie/conf.dist/grpc/ssl-verify.conf
@ -0,0 +1 @@
+grpc_ssl_verify on;
--- a/angie/conf.dist/grpc/tls-ca-file.conf.in
+++ b/angie/conf.dist/grpc/tls-ca-file.conf.in
@ -0,0 +1 @@
+grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};
--- a/angie/conf.dist/proxy/ssl-cmd.conf.j2
+++ b/angie/conf.dist/proxy/ssl-cmd.conf.j2
@ -2,7 +2,3 @@
 {#- TODO: precise quotation #}
 proxy_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
 {%- endfor %}
-
-proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
-proxy_ssl_verify on;
-proxy_ssl_server_name on;
--- a/angie/conf.dist/proxy/ssl-verify.conf
+++ b/angie/conf.dist/proxy/ssl-verify.conf
@ -0,0 +1 @@
+proxy_ssl_verify on;
--- a/angie/conf.dist/uwsgi/ssl-cmd.conf.j2
+++ b/angie/conf.dist/uwsgi/ssl-cmd.conf.j2
@ -2,7 +2,3 @@
 {#- TODO: precise quotation #}
 uwsgi_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
 {%- endfor %}
-
-uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
-uwsgi_ssl_verify on;
-uwsgi_ssl_server_name on;
--- a/angie/conf.dist/uwsgi/tls-ca-file.conf.in
+++ b/angie/conf.dist/uwsgi/tls-ca-file.conf.in
@ -0,0 +1 @@
+uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};
--- a/angie/j2cfg.dist/00-defaults.yml.j2
+++ b/angie/j2cfg.dist/00-defaults.yml.j2
@ -74,20 +74,20 @@ tls:
  profiles:
    modern:
      protocols: TLSv1.3
-     #prefer_server_ciphers: off
-      session_tickets: off
+     #prefer_server_ciphers: false
+      session_tickets: false
      session_timeout: 1d
    intermediate:
      protocols: TLSv1.2 TLSv1.3
-     #prefer_server_ciphers: off
+     #prefer_server_ciphers: false
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
-      dhparam: tls.d/ffdhe2048.pem
-      session_tickets: off
+      dhparam: /etc/angie/tls.d/ffdhe2048.pem
+      session_tickets: false
      session_timeout: 1d
    old:
      protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
-      prefer_server_ciphers: on
+      prefer_server_ciphers: true
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
-      dhparam: tls.d/dh1024.pem
-      session_tickets: off
+      dhparam: /etc/angie/tls.d/dh1024.pem
+      session_tickets: false
      session_timeout: 1d
--- a/angie/snip.dist/ssl-profile.j2m
+++ b/angie/snip.dist/ssl-profile.j2m
@ -2,7 +2,9 @@
 ssl_protocols {{ ssl_profile.protocols }};
 {%- endif %}
 {%- if ssl_profile.prefer_server_ciphers %}
-ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};
+ssl_prefer_server_ciphers on;
+{%- else %}
+ssl_prefer_server_ciphers off;
 {%- endif %}
 {%- if ssl_profile.ciphers %}
 ssl_ciphers {{ ssl_profile.ciphers }};
--- a/doc/examples/njs/README.md
+++ b/doc/examples/njs/README.md
@ -1,22 +1,5 @@
 # print env via NJS

-Dockerfile:
-
-```dockerfile
-FROM docker.io/rockdrilla/angie-conv:v0.0.1
-
-COPY /site/ /etc/angie/site/
-
-## install 'angie-module-njs' and process package contents
-RUN apt-install-angie-mod.sh njs ; \
-    apt-clean.sh
-
-## load ngx_http_js_module
-ENV NGX_HTTP_MODULES='njs'
-```
-
---
-
 configuration:

 ```nginx
@ -33,8 +16,6 @@ server {
 }
 ```

---
-
 NJS script:

 ```js
@ -52,7 +33,20 @@ function report(r) {
 export default { report };
 ```

---
+Dockerfile:
+
+```dockerfile
+FROM docker.io/rockdrilla/angie-conv:v0.0.1
+
+COPY /site/ /etc/angie/site/
+
+## install 'angie-module-njs' and process package contents
+RUN apt-install-angie-mod.sh njs ; \
+    apt-clean.sh
+
+## load ngx_http_js_module
+ENV NGX_HTTP_MODULES='njs'
+```

 Test URI e.g. with `curl`:
 ```sh
--- a/doc/examples/perl/README.md
+++ b/doc/examples/perl/README.md
@ -1,22 +1,5 @@
 # print env via Perl

-Dockerfile:
-
-```dockerfile
-FROM docker.io/rockdrilla/angie-conv:v0.0.1
-
-COPY /site/ /etc/angie/site/
-
-## install 'angie-module-perl' and process package contents
-RUN apt-install-angie-mod.sh perl ; \
-    apt-clean.sh
-
-## load ngx_http_perl_module
-ENV NGX_HTTP_MODULES='perl'
-```
-
---
-
 configuration:

 ```nginx
@ -33,8 +16,6 @@ server {
 }
 ```

---
-
 Perl script:

 ```perl
@ -62,7 +43,20 @@ sub report {
 __END__
 ```

---
+Dockerfile:
+
+```dockerfile
+FROM docker.io/rockdrilla/angie-conv:v0.0.1
+
+COPY /site/ /etc/angie/site/
+
+## install 'angie-module-perl' and process package contents
+RUN apt-install-angie-mod.sh perl ; \
+    apt-clean.sh
+
+## load ngx_http_perl_module
+ENV NGX_HTTP_MODULES='perl'
+```

 Test URI e.g. with `curl`:
 ```sh
--- a/doc/examples/ssl/README.md
+++ b/doc/examples/ssl/README.md
@ -1,5 +1,20 @@
 # SSL with subdomains

+configuration:
+
+```nginx
+server {
+    listen 8443 ssl;
+
+    server_name example.org;
+
+    ssl_certificate      tls.d/example.org.chain.crt;
+    ssl_certificate_key  tls.d/example.org.pem;
+
+    root static.d/example.org;
+}
+```
+
 Dockerfile:

 ```dockerfile
@ -12,45 +27,7 @@ COPY /tls/    /etc/angie/tls/
 ENV NGX_HTTP_CONFLOAD='ssl'
 ```

---
-
-configuration:
-
-```nginx
-server {
-    listen 8443 ssl;
-
-    server_name www.example.org;
-
-    ssl_certificate      tls.d/www.example.org.chain.crt;
-    ssl_certificate_key  tls.d/www.example.org.pem;
-
-    root static.d/www.example.org;
-}
-```
-
---
-
-configuration for wildcard certificate:
-
-```nginx
-server {
-    listen 8443 ssl;
-
-    server_name .example.org;
-
-    ssl_certificate      tls.d/example.org.chain.crt;
-    ssl_certificate_key  tls.d/example.org.pem;
-
-    root static.d/example.org;
-}
-```
-
-*Note: certificate must have* `X509v3 Subject Alternative Name` *property with value like* `DNS:example.org, DNS:*.example.org` .
-
---
-
-(optional) configuration for cut-off SSL server block (see [documentation](https://angie.software/en/configuration/modules/http/http_ssl/#ssl-reject-handshake) for rationale):
+Optional cut-off SSL server block:

 ```nginx
 server {
@ -65,8 +42,6 @@ server {
 }
 ```

---
-
 Test URI e.g. with `curl`:
 ```sh
 curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/
				`@ -0,0 +1 @@`
				`grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};`
				`@ -0,0 +1 @@`
				`uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};`