better tls config

author: Gregor Kleen <gkleen@yggdrasil.li> 2016-01-24 14:13:18 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2016-01-24 14:13:18 +0100
commit: ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f (patch)
tree: d34ed8b23c7bb48b3b835039e0ea644d0af5352f
parent: 60fd55bbeea060640fde6834f7488544a58a6f27 (diff)
download: nixos-ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f.tar
nixos-ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f.tar.gz
nixos-ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f.tar.bz2
nixos-ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f.tar.xz
nixos-ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 9c98d2ab..fd7d7e94 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -68,6 +68,12 @@ in {
      access_log stderr;
      error_log stderr;
+      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+      ssl_prefer_server_ciphers on;
+      ssl_session_cache shared:SSL:10m;
+      ssl_dhparam /etc/ssl/dhparam.pem;
      server {
        listen *:80;
        listen [::]:80;
author	Gregor Kleen <gkleen@yggdrasil.li>	2016-01-24 14:13:18 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2016-01-24 14:13:18 +0100
commit	ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f (patch)
tree	d34ed8b23c7bb48b3b835039e0ea644d0af5352f
parent	60fd55bbeea060640fde6834f7488544a58a6f27 (diff)
download	nixos-ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f.tar nixos-ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f.tar.gz nixos-ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f.tar.bz2 nixos-ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f.tar.xz nixos-ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f.zip