mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
mediators-2024
infrastructure/roles/nginx/templates/sslsettings.conf
Kristian Klausen 8dfa7e8c3e
nginx: Add plumbing for enabling HTTP/3 conditionally 
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.

Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and
therefore reuseport[1][2] must be used to ensure that UDP packets for
the same QUIC connection is directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606
2024-08-17 21:53:32 +02:00

35 lines
1.3 KiB
Plaintext
Raw Permalink Blame History

# generated 2024-07-20, Mozilla Guideline v5.7, nginx 1.26.1, OpenSSL 3.3.1, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.26.1&config=intermediate&openssl=3.3.1&guideline=5.7
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_dhparam /etc/ssl/dhparams.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# See headers.conf for the HSTS add_header line.
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
{% if nginx_enable_http3 %}
# Chrome, Firefox and curl only use the header from secure origins.
# https://issues.chromium.org/issues/40471032
# https://bugzilla.mozilla.org/show_bug.cgi?id=1730935
# https://everything.curl.dev/libcurl-http/alt-svc.html
# See headers.conf for the Alt-Svc add_header line.
map $scheme $alt_svc_header {
# Keep a low max-age for HTTP/3 while testing.
# Bump to 2592000 when we are done testing.
https 'h3=":443"; ma=3600';
}
{% endif %}
resolver 127.0.0.53;
View Git Blame Copy Permalink