Diffstat (limited to 'examples/nginx-alpine-ssl/default.conf')
-rw-r--r--examples/nginx-alpine-ssl/default.conf25
1 files changed, 25 insertions, 0 deletions
diff --git a/examples/nginx-alpine-ssl/default.conf b/examples/nginx-alpine-ssl/default.conf
index 22db0df..c3131f0 100644
--- a/examples/nginx-alpine-ssl/default.conf
+++ b/examples/nginx-alpine-ssl/default.conf
@@ -3,8 +3,33 @@ server {
listen [::]:80 default_server;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
+
+ # SSL configuration
+ # SSL cert/key files
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+ # For production regenerate this dhparam key by running:
+ # $> openssl dhparam -out dhparam.pem 4096
+ ssl_dhparam /etc/ssl/private/dhparam.pem;
+
+ # SSL ciphers/protocols
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve secp521r1:secp384r1;
+ ssl_ciphers EECDH+AESGCM:EECDH+AES256;
+
+ # SSL misc
+ ssl_session_cache shared:TLS:2m;
+ ssl_buffer_size 4k;
+
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
+
+ # Set HSTS to 365 days
+ # Note: Activate this on production usage
+ #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
location /.well-known/webfinger {
proxy_http_version 1.1;