
Merge pull request #81891 from emilazy/nginx-use-mozilla-tls-config

nixos/nginx: use Mozilla Intermediate TLS configuration
This commit is contained in:
Jörg Thalheim 2020-03-06 14:30:28 +00:00 committed by GitHub
commit 391b7b31d8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -87,10 +87,17 @@ let
${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"} ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}
${optionalString (cfg.recommendedTlsSettings) '' ${optionalString (cfg.recommendedTlsSettings) ''
ssl_session_cache shared:SSL:42m; # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
ssl_session_timeout 23m;
ssl_ecdh_curve secp384r1; ssl_session_timeout 1d;
ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m;
# Breaks forward secrecy: https://github.com/mozilla/server-side-tls/issues/135
ssl_session_tickets off;
# We don't enable insecure ciphers by default, so this allows
# clients to pick the most performant, per https://github.com/mozilla/server-side-tls/issues/260
ssl_prefer_server_ciphers off;
# OCSP stapling
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
''} ''}
@ -487,8 +494,9 @@ in
sslCiphers = mkOption { sslCiphers = mkOption {
type = types.str; type = types.str;
default = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
description = "Ciphers to choose from when negotiating tls handshakes."; default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
description = "Ciphers to choose from when negotiating TLS handshakes.";
}; };
sslProtocols = mkOption { sslProtocols = mkOption {