73 lines
2.8 KiB
YAML
73 lines
2.8 KiB
YAML
cache_bypass:
|
|
- '$http_authorization'
|
|
- '$http_pragma'
|
|
- '$http_upgrade'
|
|
|
|
compress_types:
|
|
- application/atom+xml
|
|
- application/javascript
|
|
- application/json
|
|
- application/vnd.api+json
|
|
- application/rss+xml
|
|
- application/x-javascript
|
|
- application/xhtml+xml
|
|
- application/xml
|
|
- image/svg+xml
|
|
- image/x-icon
|
|
- text/css
|
|
- text/javascript
|
|
- text/plain
|
|
- text/xml
|
|
|
|
request_headers:
|
|
## '$req_connection' is defined in /angie/autoconf/http-request-headers-basic.conf.j2
|
|
Connection: '$req_connection'
|
|
Upgrade: '$http_upgrade'
|
|
## do not pass Accept-Encoding to backend
|
|
Accept-Encoding: ""
|
|
## almost all browsers doesn't support this
|
|
#Early-Data: '$ssl_early_data'
|
|
Early-Data: ""
|
|
|
|
response_headers: {}
|
|
|
|
tls:
|
|
## https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands
|
|
conf_cmd:
|
|
Options: PrioritizeChaCha
|
|
stapling:
|
|
enable: false
|
|
verify: true
|
|
profiles:
|
|
modern:
|
|
protocols: TLSv1.3
|
|
#prefer_server_ciphers: off
|
|
session_tickets: off
|
|
session_timeout: 1d
|
|
intermediate:
|
|
protocols: TLSv1.2 TLSv1.3
|
|
#prefer_server_ciphers: off
|
|
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
|
dhparam: tls/ffdhe2048.pem
|
|
session_tickets: off
|
|
session_timeout: 1d
|
|
old:
|
|
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
|
prefer_server_ciphers: on
|
|
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
|
dhparam: tls/dh1024.pem
|
|
session_tickets: off
|
|
session_timeout: 1d
|
|
|
|
## well-known values are:
|
|
## - 'off' - don't use "realip" module
|
|
## - 'proxy_protocol' - get information from PROXY protocol if listen directive has "proxy_protocol" option
|
|
## - 'X-Forwarded-For' - get information from 'X-Forwarded-For' header
|
|
## - 'X-Real-IP' - get information from 'X-Real-IP' header
|
|
## any other value will be treated as uncommon (but valid?) header
|
|
real_ip_from: off
|
|
## list of trusted sources to be used in "realip" module
|
|
## ref: https://en.angie.software/angie/docs/configuration/modules/http/http_realip/
|
|
## if empty, defaults to "unix:"
|
|
trusted_sources: []
|