lsemenenko/wordpress-nginx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

SSL improvements

Browse Source
This commit is contained in:
Brad Touesnard 2024-05-28 18:07:27 +00:00
parent b5f439c9cd
commit e8db6b7b81
5 changed files with 21 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
dhparam Normal file
View File

@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----

9
global/server/ssl.conf
View File

@ -2,12 +2,13 @@
# and recommend further improvements. # and recommend further improvements.
# Don't use outdated SSLv3 protocol. Protects against BEAST and POODLE attacks. # Don't use outdated SSLv3 protocol. Protects against BEAST and POODLE attacks.
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2 TLSv1.3;
# Use secure ciphers # Use secure ciphers
ssl_ciphers EECDH+CHACHA20:EECDH+AES; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; ssl_dhparam /etc/nginx/dhparam;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers off;
ssl_session_tickets off;
# Define the size of the SSL session cache in MBs. # Define the size of the SSL session cache in MBs.
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;

4
nginx.conf
View File

@ -1,6 +1,6 @@
# The user account used by the worker processes. If following along with Hosting WordPress Yourself, # The user account used by the worker processes. If following along with our guide,
# it's recommened to set this to your username, but only when running a single user access server. # it's recommened to set this to your username, but only when running a single user access server.
# https://deliciousbrains.com/hosting-wordpress-yourself-nginx-php-mysql/ # https://spinupwp.com/hosting-wordpress-yourself-nginx-php-mysql/
user www-data; user www-data;
# Set to number of CPU cores, auto will try to autodetect. # Set to number of CPU cores, auto will try to autodetect.

6
sites-available/single-site-with-caching.com
View File

@ -4,7 +4,7 @@
fastcgi_cache_path /sites/single-site-with-caching.com/cache levels=1:2 keys_zone=single-site-with-caching.com:100m inactive=60m; fastcgi_cache_path /sites/single-site-with-caching.com/cache levels=1:2 keys_zone=single-site-with-caching.com:100m inactive=60m;
server { server {
# Ports to listen on, uncomment one. # Ports to listen on
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
@ -69,8 +69,8 @@ server {
# Redirect www to non-www # Redirect www to non-www
server { server {
listen 443; listen 443 ssl http2;
listen [::]:443; listen [::]:443 ssl http2;
server_name www.single-site-with-caching.com; server_name www.single-site-with-caching.com;
return 301 https://single-site-with-caching.com$request_uri; return 301 https://single-site-with-caching.com$request_uri;

6
sites-available/single-site.com
View File

@ -1,5 +1,5 @@
server { server {
# Ports to listen on, uncomment one. # Ports to listen on
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
@ -51,8 +51,8 @@ server {
# Redirect www to non-www # Redirect www to non-www
server { server {
listen 443; listen 443 ssl http2;
listen [::]:443; listen [::]:443 ssl http2;
server_name www.single-site.com; server_name www.single-site.com;
return 301 https://single-site.com$request_uri; return 301 https://single-site.com$request_uri;