diff --git a/deploy/azure/atst-nginx-configmap.yml b/deploy/azure/atst-nginx-configmap.yml index 77de51f9..b7959845 100644 --- a/deploy/azure/atst-nginx-configmap.yml +++ b/deploy/azure/atst-nginx-configmap.yml @@ -42,7 +42,7 @@ data: ssl_certificate /etc/ssl/atat.crt; ssl_certificate_key /etc/ssl/atat.crt; # additional SSL/TLS settings - include /etc/nginx/snippets/ssl.conf + include /etc/nginx/snippets/ssl.conf; location /login-redirect { return 301 https://auth-azure.atat.code.mil$request_uri; @@ -79,7 +79,7 @@ data: ssl_verify_depth 10; ssl_client_certificate /etc/ssl/client-ca-bundle.pem; # additional SSL/TLS settings - include /etc/nginx/snippets/ssl.conf + include /etc/nginx/snippets/ssl.conf; location / { return 301 https://azure.atat.code.mil$request_uri; diff --git a/deploy/azure/nginx-snippets.yml b/deploy/azure/nginx-snippets.yml index fc38751f..916d9524 100644 --- a/deploy/azure/nginx-snippets.yml +++ b/deploy/azure/nginx-snippets.yml @@ -10,7 +10,7 @@ data: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always"; # Set SSL protocols, ciphers, and related options ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384' + ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; ssl_ecdh_curve X25519:prime256v1:secp384r1; ssl_dhparam /etc/ssl/dhparam.pem;