From 2549a6fe6153ecef9ae935685691a288d6d299fc Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 31 Mar 2021 22:15:20 +0200
Subject: nginx...
---
 custom/ymir-nginx.nix | 30 +++++++++++-------------------
 1 file changed, 11 insertions(+), 19 deletions(-)
(limited to 'custom')
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 81b253fe..f1fd1a6d 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -86,9 +86,16 @@ in {
 services.nginx = {
 enable = true;
- httpConfig = ''
- default_type application/octet-stream;
+ recommendedOptimisation = true;
+ sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ sslDhparam = config.security.dhparams.params.nginx.path;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+
+ commonHttpConfig = ''
 log_format main '$remote_addr "$remote_user" ' '"$host" "$request" $status $bytes_sent '
@@ -104,34 +111,19 @@ in {
 large_client_header_buffers 4 2k;
 request_pool_size 4k;
- gzip on;
- gzip_min_length 1100;
- gzip_buffers 4 8k;
- gzip_types text/plain;
-
 output_buffers 1 32k;
 postpone_output 1460;
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
-
- keepalive_timeout 75 20;
- ignore_invalid_headers on;
 access_log syslog:server=unix:/dev/log main;
 error_log syslog:server=unix:/dev/log info;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam ${config.security.dhparams.params.nginx.path};
-
 ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
 ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;
+ '';
+ appendHttpConfig = '';
 server {
 listen *:443 ssl;
 listen [::]:443 ssl;
-- cgit v1.2.3
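Review bot: The `sslCiphers` override in the first hunk should carry a comment saying why the module's default list is being replaced, because nginx's `ssl_ciphers` only governs TLS 1.2-and-earlier negotiation (TLS 1.3 suites are fixed by the TLS library, not by this string), so the list effectively narrows the 1.2 set, and its two DHE-RSA entries only remain usable while the adjacent `sslDhparam` line stays in place. A line such as `# TLS 1.2 suite list only; TLS 1.3 suites are not selected by ssl_ciphers. DHE-RSA entries rely on sslDhparam below.` above `sslCiphers` would make both dependencies explicit. Since `httpConfig` is removed, the `recommended*` options now actually take effect (as I recall the NixOS module ignores them while `httpConfig` is set), so the protocol set comes from `recommendedTlsSettings` rather than the deleted `ssl_protocols` line; worth confirming the resulting `ssl_protocols` in the generated nginx.conf after deployment. The `services.nginx` attribute set continues outside the hunk.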
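Review bot: The added `appendHttpConfig = '';` line in the second hunk, as it appears here, does not assign an empty string: in Nix `''` opens an indented string and `'';` is not a terminator (the empty indented string is `''''`), so the string body would begin with a bare `;` line followed by the `server {` block, and nginx rejects a lone `;` at parse time with `unexpected ";"`. If the intent mirrors the `'';` / `commonHttpConfig = ''` pair in the first hunk, the line should read `appendHttpConfig = ''` with the `server` block as its body. The string's closing `''` and the remainder of the `server` block lie outside the hunk, so I cannot confirm from here that the overall file still balances.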