update ciphers and enable DH params

trimstray · trimstray · commit ae353264d46c · 2020-01-05T09:32:46.000+01:00
- signed-off-by: trimstray &lt;trimstray@gmail.com&gt;
diff --git a/lib/nginx/master/_listen/192.168.250.2/https.conf b/lib/nginx/master/_listen/192.168.250.2/https.conf
@@ -1,15 +1,15 @@
 listen                        192.168.250.2:443 ssl http2;
 
 ssl_session_cache             shared:SSL:10m;
-ssl_session_timeout           5m;
+ssl_session_timeout           4h;
 ssl_session_tickets           off;
 ssl_buffer_size               1400;
 
 ssl_protocols                 TLSv1.3 TLSv1.2;
-ssl_ciphers                   "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256";
+ssl_ciphers                   "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256";
 
 ssl_prefer_server_ciphers     on;
 
 ssl_ecdh_curve                X25519:secp521r1:secp384r1:prime256v1;
 
-# ssl_dhparam                 /etc/nginx/dhparam_4096-with-ds.pem;
+ssl_dhparam                   /etc/nginx/dhparam_4096-with-ds.pem;
diff --git a/lib/nginx/master/_listen/localhost/https.conf b/lib/nginx/master/_listen/localhost/https.conf
@@ -6,10 +6,10 @@ ssl_session_tickets           off;
 ssl_buffer_size               1400;
 
 ssl_protocols                 TLSv1.3 TLSv1.2;
-ssl_ciphers                   "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256";
+ssl_ciphers                   "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256";
 
 ssl_prefer_server_ciphers     on;
 
 ssl_ecdh_curve                X25519:secp521r1:secp384r1:prime256v1;
 
-# ssl_dhparam                 /etc/nginx/dhparam_4096-with-ds.pem;
+ssl_dhparam                   /etc/nginx/dhparam_4096-with-ds.pem;
