From c20cb9592c111e4003d59f4db52b77ffee408755 Mon Sep 17 00:00:00 2001
From: VirtuBox
Date: Mon, 5 Mar 2018 21:20:55 +0100
Subject: [PATCH] add tls dynamic records patch directive

---
 etc/nginx/nginx-intermediate.conf | 5 +-
 etc/nginx/nginx-tls12.conf | 149 ------------------------------
 etc/nginx/nginx.conf | 9 +-
 3 files changed, 10 insertions(+), 153 deletions(-)
 delete mode 100644 etc/nginx/nginx-tls12.conf

diff --git a/etc/nginx/nginx-intermediate.conf b/etc/nginx/nginx-intermediate.conf
index c689459..b7df8b3 100644
--- a/etc/nginx/nginx-intermediate.conf
+++ b/etc/nginx/nginx-intermediate.conf
@@ -51,6 +51,9 @@ http
 #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
 aio threads;
+ # tls dynamic records patch directive
+ ssl_dyn_rec_enable on;
+
 ##
 # GeoIP module configuration, before removing comments
 # read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
@@ -68,7 +71,7 @@ http
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 1d;
 ssl_session_tickets off;
- ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
+ ssl_ecdh_curve X25519:P-521:P-384:P-256;
 ##Common headers for security
 more_set_headers "X-Frame-Options : SAMEORIGIN";
diff --git a/etc/nginx/nginx-tls12.conf b/etc/nginx/nginx-tls12.conf
deleted file mode 100644
index 33be771..0000000
--- a/etc/nginx/nginx-tls12.conf
+++ /dev/null
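Review bot: `ssl_dyn_rec_enable on;` is not a stock nginx directive — it only exists in a binary built with the TLS dynamic records patch — so on an unpatched build `nginx -t` rejects the whole config with an unknown-directive error, and the one-line comment added above it does not say so. Suggest `# tls dynamic records patch directive (only valid on an nginx built with the dynamic-records patch; remove on a stock build)` so an operator who rebuilds from unpatched source knows why startup fails. It is also an ssl_* setting placed under the thread-pool comment instead of in the `# SSL Settings` section with the other ssl_* directives, which is where a reader would look for it. The nginx.conf hunk `@@ -50,6 +50,9 @@` has the same two issues.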
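Review bot: The new list orders P-521 ahead of P-384 and P-256, and because nginx hands it to OpenSSL in preference order and `ssl_prefer_server_ciphers on` (visible in the nginx.conf hunk and presumably set earlier in this file too) makes the server's order win, every client that does not offer X25519 ends up on the slowest of the three NIST curves with no security gain over P-256; under TLS 1.3 a client that sent only a P-256 key share also pays a HelloRetryRequest round trip. Unless P-521 priority is deliberate, `ssl_ecdh_curve X25519:P-256:P-384:P-521;` keeps the same curve set with the cheaper curves first. Dropping the binary curve sect571r1 and switching the secp* names to the NIST P-* names is fine as is. The nginx.conf hunk `@@ -64,10 +67,10 @@` makes the same reordering, reversing the P-256-first order that file had before, and the same comment applies there.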
@@ -1,149 +0,0 @@
-user www-data;
-worker_processes auto;
-worker_cpu_affinity auto;
-worker_rlimit_nofile 100000;
-pid /run/nginx.pid;
-
-events
-{
- worker_connections 16384;
- multi_accept on;
- use epoll;
-}
-
-http
-{
- ##
- # EasyEngine Settings
- ##
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 30;
- types_hash_max_size 2048;
-
- server_tokens off;
- reset_timedout_connection on;
- add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox";
- add_header rt-Fastcgi-Cache $upstream_cache_status;
-
- # Limit Request
- limit_req_status 403;
- limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
-
- #Simple DOS mitigation
- ##Max c/s by ip
- limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
- limit_conn limit_per_ip 40;
-
- ##Max rq/s by ip
- limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
- limit_req zone=allips burst=400 nodelay;
-
- # Proxy Settings
- # set_real_ip_from proxy-server-ip;
- # real_ip_header X-Forwarded-For;
-
- fastcgi_read_timeout 300;
- client_max_body_size 100m;
-
- #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
- aio threads;
-
- ##
- # GeoIP module configuration, before removing comments
- # read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
- ##
- #geoip_country /usr/share/GeoIP/GeoIP.dat;
- #geoip_city /usr/share/GeoIP/GeoIPCity.dat;
-
- ##
- # SSL Settings
- ##
- # intermediate configuration. tweak to your needs.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:50m;
- ssl_session_timeout 1d;
- ssl_session_tickets off;
- ssl_ecdh_curve secp384r1;
-
- ##Common headers for security
- more_set_headers "X-Frame-Options : SAMEORIGIN";
- more_set_headers "X-Xss-Protection : 1; mode=block";
- more_set_headers "X-Content-Type-Options : nosniff";
- more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
-
- ##
- # Basic Settings
- ##
- # server_names_hash_bucket_size 64;
- # server_name_in_redirect off;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- ##
- # Logging Settings
- # access_log disabled for performance
- ##
-
- access_log off;
- error_log /var/log/nginx/error.log;
-
- # Log format Settings
- log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
- '$http_host "$request" $status $body_bytes_sent '
- '"$http_referer" "$http_user_agent"';
-
- ##
- # Gzip Settings
- ##
-
- gzip on;
- gzip_disable "msie6";
-
- gzip_vary on;
- gzip_proxied any;
- gzip_comp_level 6;
- gzip_buffers 16 8k;
- gzip_http_version 1.1;
- gzip_types
- application/atom+xml
- application/javascript
- application/json
- application/rss+xml
- application/vnd.ms-fontobject
- application/x-font-ttf
- application/x-web-app-manifest+json
- application/xhtml+xml
- application/xml
- font/opentype
- image/svg+xml
- image/x-icon
- text/css
- text/plain
- text/x-component
- text/xml
- text/javascript;
-
- ##
- # Brotli Settings
- ##
-
- brotli on;
- brotli_static on;
- brotli_buffers 16 8k;
- brotli_comp_level 6;
- brotli_types *;
-
-
- ##
- # Virtual Host Configs
- ##
- include /etc/nginx/conf.d/*.conf;
- include /etc/nginx/sites-enabled/*;
-}
-
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 845d0d3..d104883 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -50,6 +50,9 @@ http
 #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
 aio threads;
+
+ # tls dynamic records patch directive
+ ssl_dyn_rec_enable on;
 ##
 # GeoIP module configuration, before removing comments
@@ -64,10 +67,10 @@ http
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM';
 ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:20m;
- ssl_session_timeout 15m;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 1d;
 ssl_session_tickets off;
- ssl_ecdh_curve X25519:P-256:P-384:P-521;
+ ssl_ecdh_curve X25519:P-521:P-384:P-256;
 ##Common headers for security
 more_set_headers "X-Frame-Options : SAMEORIGIN";