From 274802988e5a04ca13e7f2a0512c1eef2d0c4c52 Mon Sep 17 00:00:00 2001
From: Du Peng
Date: Mon, 9 Mar 2020 16:57:43 +0100
Subject: [PATCH] update nginx ssl config and version
---
 setup/docker-compose.yml | 2 +-
 setup/nginx_with_ssl.conf.example | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/setup/docker-compose.yml b/setup/docker-compose.yml
index 9cb5fcf1c..cb9813fc8 100644
--- a/setup/docker-compose.yml
+++ b/setup/docker-compose.yml
@@ -48,7 +48,7 @@ services:
 restart: always
 nginx:
- image: nginx:1.9
+ image: nginx:latest
 ports:
 - "80:80"
 - "443:443"
diff --git a/setup/nginx_with_ssl.conf.example b/setup/nginx_with_ssl.conf.example
index 79be4cc2a..823e0282c 100644
--- a/setup/nginx_with_ssl.conf.example
+++ b/setup/nginx_with_ssl.conf.example
@@ -3,10 +3,10 @@ upstream puma {
 }
 server {
- listen 443 ssl;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
 server_name MAIN_DOMAIN;
 root /usr/src/app/public;
- ssl on;
 ## with your ssl certificate
 # ssl_certificate /etc/nginx/conf.d/ssl/MAIN_DOMAIN.crt;
 # ssl_certificate_key /etc/nginx/conf.d/ssl/MAIN_DOMAIN.deprotected.key;
@@ -16,9 +16,9 @@ server {
 ssl_certificate /etc/letsencrypt/live/MAIN_DOMAIN/fullchain.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/MAIN_DOMAIN/chain.pem;
 ##
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
- ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
 ssl_session_timeout 1d;
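Review bot: `image: nginx:latest` in setup/docker-compose.yml replaces a pinned tag with a floating one, so every `docker-compose pull` can bring in a different, unreviewed nginx build, and two deployments of the same commit may end up running different servers. The TLS settings changed in setup/nginx_with_ssl.conf.example depend on the nginx and OpenSSL versions inside the image (`TLSv1.3` and the `http2` listen parameter are not accepted unchanged by every release), so a floating tag can also turn a routine pull into a config-load warning or failure. Pin a specific release, ideally with its digest, e.g. `image: nginx:<pinned-version>@sha256:<digest>`, and bump it deliberately when a security release comes out.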
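Review bot: The new `ssl_ciphers` list in the `@@ -16,9 +16,9 @@` hunk ends with two `DHE-RSA-*` suites, but no `ssl_dhparam` directive is visible in this hunk; nginx from 1.11.0 on ships no built-in DH parameters, so without that directive those suites are silently never offered. Either drop the two DHE entries or add `ssl_dhparam <path-to-dhparam.pem>;` next to the certificate lines (the server block continues outside the hunk, so it may already be set there). It would also help to put a comment such as `# ssl_ciphers applies to TLS 1.2 and below; TLS 1.3 suites come from the OpenSSL defaults` above the list, since a reader may otherwise assume the list restricts TLS 1.3 as well.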