mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
73f6d6436e
This is required of OCSP stapling to work, or you get warnings when
NGINX starts up:
no resolver defined to resolve e6.o.lencr.org while requesting certificate status
Let NGINX use the local systemd-resolved as its resolver.
Fixes: https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/607
23 lines
874 B
Plaintext
23 lines
874 B
Plaintext
# generated 2024-07-20, Mozilla Guideline v5.7, nginx 1.26.1, OpenSSL 3.3.1, intermediate configuration
|
|
# https://ssl-config.mozilla.org/#server=nginx&version=1.26.1&config=intermediate&openssl=3.3.1&guideline=5.7
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_prefer_server_ciphers off;
|
|
ssl_dhparam /etc/ssl/dhparams.pem;
|
|
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_tickets off;
|
|
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
|
|
map $scheme $hsts_header {
|
|
https "max-age=31536000; includeSubdomains; preload";
|
|
}
|
|
|
|
add_header Strict-Transport-Security $hsts_header always;
|
|
|
|
resolver 127.0.0.53;
|