首頁 探索 說明
登入
rootless
/
dockerbunker
1
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: d6d34822a3
分支列表 標籤列表
dockerbunker
/
data
/
services
/
nginx
/
includes
/
ssl.conf

ssl.conf 1.1 KB
文件歷史 原始文件

1234567891011121314151617181920 
  1. server_tokens off
    2. 

  2. ssl_session_cache shared:SSL:10m;
    3. 

  3. ssl_session_timeout 10m;
    4. 

  4. ssl_buffer_size 8k;
    5. 

  5. ssl_session_tickets off;
    6. 

  6. ssl_protocols TLSv1.2 TLSv1.3;
    7. 

  7. ssl_prefer_server_ciphers on;
    8. 

  8. ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
    9. 

  9. ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    10. 

  10. ssl_ecdh_curve secp384r1;
    11. 

  11. # Security headers
    12. 

  12. ## X-Content-Type-Options: avoid MIME type sniffing
    13. 

  13. add_header X-Content-Type-Options nosniff;
    14. 

  14. ## Content-Security-Policy (CSP): Yes
    15. 

  15. ## No 'script-src' directive, you need to test it yourself
    16. 

  16. add_header Content-Security-Policy "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";
    17. 

  17. ## The safest CSP, only block your website to be inside an inframe
    18. 

  18. # add_header Content-Security-Policy "frame-ancestors 'self';";
    19. 

  19. ## Strict Transport Security (HSTS): Yes
    20. 

  20. add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    21.