Merge branch 'master' of grunfink-codeberg:grunfink/snac2

1 files changed, 25 insertions, 0 deletions

diff --git a/examples/nginx-alpine-ssl/default.conf b/examples/nginx-alpine-ssl/default.conf
index 22db0df..c3131f0 100644
--- a/examples/nginx-alpine-ssl/default.conf
+++ b/examples/nginx-alpine-ssl/default.conf
@@ -3,8 +3,33 @@ server {
     listen [::]:80 default_server;
     listen 443 ssl http2 default_server;
     listen [::]:443 ssl http2 default_server;
+
+    # SSL configuration
+    # SSL cert/key files
     ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
     ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+    # For production regenerate this dhparam key by running:
+    # $> openssl dhparam -out dhparam.pem 4096
+    ssl_dhparam /etc/ssl/private/dhparam.pem;
+
+    # SSL ciphers/protocols
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ecdh_curve secp521r1:secp384r1;
+    ssl_ciphers EECDH+AESGCM:EECDH+AES256;
+
+    # SSL misc
+    ssl_session_cache shared:TLS:2m;
+    ssl_buffer_size 4k;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
+
+    # Set HSTS to 365 days
+    # Note: Activate this on production usage
+    #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
 
     location /.well-known/webfinger {
         proxy_http_version      1.1;