From e8db6b7b815b8519f73a072c559328b660553ca1 Mon Sep 17 00:00:00 2001
From: Brad Touesnard
Date: Tue, 28 May 2024 18:07:27 +0000
Subject: [PATCH] SSL improvements

---
 dhparam | 8 ++++++++
 global/server/ssl.conf | 9 +++++----
 nginx.conf | 4 ++--
 sites-available/single-site-with-caching.com | 6 +++---
 sites-available/single-site.com | 6 +++---
 5 files changed, 21 insertions(+), 12 deletions(-)
 create mode 100644 dhparam

diff --git a/dhparam b/dhparam
new file mode 100644
index 0000000..088f967
--- /dev/null
+++ b/dhparam
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
\ No newline at end of file
diff --git a/global/server/ssl.conf b/global/server/ssl.conf
index 04f0c4f..356b4eb 100644
--- a/global/server/ssl.conf
+++ b/global/server/ssl.conf
@@ -2,12 +2,13 @@
 # and recommend further improvements.
 
 # Don't use outdated SSLv3 protocol. Protects against BEAST and POODLE attacks.
-ssl_protocols TLSv1.2;
+ssl_protocols TLSv1.2 TLSv1.3;
 
 # Use secure ciphers
-ssl_ciphers EECDH+CHACHA20:EECDH+AES;
-ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
-ssl_prefer_server_ciphers on;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_dhparam /etc/nginx/dhparam;
+ssl_prefer_server_ciphers off;
+ssl_session_tickets off;
 
 # Define the size of the SSL session cache in MBs.
 ssl_session_cache shared:SSL:10m;
diff --git a/nginx.conf b/nginx.conf
index d7b809a..5ddb596 100644
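Review bot: The committed parameters carry no record of where they came from; judging by the leading bytes (`FFFFFFFFFFFFFFFFADF85458…`, a 2048-bit prime with generator 2) they look like the RFC 7919 ffdhe2048 group, which is a sound, public group that is fine to ship in a repository, but that should be stated so a later maintainer does not regenerate or "rotate" it needlessly. PEM has no comment syntax, so the provenance belongs next to the `ssl_dhparam` directive in global/server/ssl.conf, e.g. `# RFC 7919 ffdhe2048 group — public, standardised, no need to regenerate`. The file is also committed without a trailing newline (`\ No newline at end of file`); adding one keeps the PEM footer line complete and stops diff tooling from flagging the file on every later touch.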
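Review bot: The comment above `ssl_protocols` is now stale: it still talks only about SSLv3 while the new line enables TLS 1.2 and 1.3 and thereby excludes TLS 1.0/1.1 as well, so it should read something like `# Only TLS 1.2 and 1.3; SSLv3 and TLS 1.0/1.1 are excluded (POODLE, BEAST).`. Likewise `# Use secure ciphers` should say that `ssl_ciphers` governs TLS 1.2 suites only — TLS 1.3 suites come from OpenSSL's own list and are not affected by this directive — and that the DHE-RSA entries at the end of the list are what make `ssl_dhparam` necessary. Dropping `ssl_ecdh_curve` leaves nginx's default (`auto`), which is a reasonable choice on a current OpenSSL, but a one-line comment saying the default is intended would stop the next reader from putting the old explicit list back. The `ssl_dhparam /etc/nginx/dhparam` path assumes this repository is deployed under /etc/nginx; that is presumably how the other includes work, but it is not visible in this hunk.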
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,6 +1,6 @@
-# The user account used by the worker processes. If following along with Hosting WordPress Yourself,
+# The user account used by the worker processes. If following along with our guide,
 # it's recommened to set this to your username, but only when running a single user access server.
-# https://deliciousbrains.com/hosting-wordpress-yourself-nginx-php-mysql/
+# https://spinupwp.com/hosting-wordpress-yourself-nginx-php-mysql/
 user www-data;
 
 # Set to number of CPU cores, auto will try to autodetect.
diff --git a/sites-available/single-site-with-caching.com b/sites-available/single-site-with-caching.com
index 9b3ac41..965355b 100644
--- a/sites-available/single-site-with-caching.com
+++ b/sites-available/single-site-with-caching.com
@@ -4,7 +4,7 @@
 fastcgi_cache_path /sites/single-site-with-caching.com/cache levels=1:2 keys_zone=single-site-with-caching.com:100m inactive=60m;
 
 server {
-    # Ports to listen on, uncomment one.
+    # Ports to listen on
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
 
@@ -69,8 +69,8 @@ server {
 
 # Redirect www to non-www
 server {
-    listen 443;
-    listen [::]:443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name www.single-site-with-caching.com;
 
     return 301 https://single-site-with-caching.com$request_uri;
diff --git a/sites-available/single-site.com b/sites-available/single-site.com
index 8900670..7ca4613 100644
--- a/sites-available/single-site.com
+++ b/sites-available/single-site.com
@@ -1,5 +1,5 @@
 server {
-    # Ports to listen on, uncomment one.
+    # Ports to listen on
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
 
@@ -51,8 +51,8 @@ server {
 
 # Redirect www to non-www
 server {
-    listen 443;
-    listen [::]:443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name www.single-site.com;
 
     return 301 https://single-site.com$request_uri;
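Review bot: In the www-redirect `server` block (the `@@ -69,8` hunk of single-site-with-caching.com) the listen directives now carry `ssl`, so that block terminates TLS itself and nginx will refuse to start (no `ssl_certificate` defined for a `listen … ssl` directive) unless `ssl_certificate`/`ssl_certificate_key` are in scope for it, either inherited from the `http` context or included in the block; they are not visible in this hunk, so confirm they are, and confirm the certificate also covers the `www.` name, otherwise clients get a certificate error before they ever see the 301. The same applies to the `@@ -51,8` hunk of sites-available/single-site.com. Both blocks also keep the `listen … http2` form, which nginx 1.25.1 and later deprecates in favour of a separate directive; since this commit already rewrites those lines it is a good moment to switch to `listen 443 ssl;` plus `http2 on;`. Both redirect server blocks end outside their hunks.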