nginx: do some tls hardening

3 files changed, 10 insertions, 2 deletions

diff --git a/roles/nginx/base/files/snippets/hsts.conf b/roles/nginx/base/files/snippets/hsts.conf
index 4ca8396e..e0723502 100644
--- a/roles/nginx/base/files/snippets/hsts.conf
+++ b/roles/nginx/base/files/snippets/hsts.conf
@@ -1 +1 @@
-add_header Strict-Transport-Security max-age=15768000;
+add_header Strict-Transport-Security max-age=15768000 always;
diff --git a/roles/nginx/base/files/snippets/ssl.conf b/roles/nginx/base/files/snippets/tls-legacy.conf
index d187a7c0..3dc4caf3 100644
--- a/roles/nginx/base/files/snippets/ssl.conf
+++ b/roles/nginx/base/files/snippets/tls-legacy.conf
@@ -2,7 +2,6 @@ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5;
 ssl_prefer_server_ciphers on;
 
-# openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
 ssl_dhparam /etc/ssl/dhparams.pem;
 
 ssl_session_cache shared:SSL:10m;
diff --git a/roles/nginx/base/files/snippets/tls.conf b/roles/nginx/base/files/snippets/tls.conf
new file mode 100644
index 00000000..46d43ecb
--- /dev/null
+++ b/roles/nginx/base/files/snippets/tls.conf
@@ -0,0 +1,9 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:!RSA:!ADH:!AECDH:!MD5;
+ssl_prefer_server_ciphers on;
+
+ssl_dhparam /etc/ssl/dhparams.pem;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+ssl_session_tickets off;