lesstif · November 3, 2020 23:47
diff --git a/nginx-ssl-tls-secure.conf b/nginx-ssl-tls-secure.conf
 ssl_protocols TLSv1.2 TLSv1.3;

 ssl_prefer_server_ciphers off;

 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

 ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off; # Requires nginx >= 1.5.9
 ssl_stapling on; # Requires nginx >= 1.3.7
 ssl_stapling_verify on; # Requires nginx => 1.3.7
 #resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
 resolver_timeout 5s;

 add_header Strict-Transport-Security "max-age=63072000" always;
 #add_header Strict-Transport-Security "max-age=108000; includeSubdomains; preload";

 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
	ssl_protocols TLSv1.2 TLSv1.3;

	ssl_prefer_server_ciphers off;

	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off; # Requires nginx >= 1.5.9
	ssl_stapling on; # Requires nginx >= 1.3.7
	ssl_stapling_verify on; # Requires nginx => 1.3.7
	#resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
	resolver_timeout 5s;

	add_header Strict-Transport-Security "max-age=63072000" always;
	#add_header Strict-Transport-Security "max-age=108000; includeSubdomains; preload";

	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;