26cc4ce79a
In order to meet compliance requirements, this adds the EXPORT option to NGINX's ssl_cipher config. Extended discussion here: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
25 lines
1019 B
YAML
25 lines
1019 B
YAML
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: nginx-snippets
|
|
namespace: atat
|
|
data:
|
|
ssl.conf: |-
|
|
# Guard against HTTPS -> HTTP downgrade
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
|
|
# Set SSL protocols, ciphers, and related options
|
|
ssl_protocols TLSv1.3 TLSv1.2;
|
|
ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!EXPORT;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ecdh_curve X25519:prime256v1:secp384r1;
|
|
ssl_dhparam /etc/ssl/dhparam.pem;
|
|
# SSL session options
|
|
ssl_session_timeout 4h;
|
|
ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
|
|
ssl_session_tickets off;
|
|
# OCSP Stapling
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
resolver 8.8.8.8 8.8.4.4;
|