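## Version 2020/10/29 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
# TLS and security-header defaults, meant to be included from a server {} block
# (resolver, add_header and proxy_* directives below assume that context).
# NOTE: nginx inherits add_header directives from the enclosing level only when the
# current level defines none of its own. A location {} that adds even one add_header
# drops every header set here unless it repeats them.

### Mozilla Recommendations
# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;             # resumption relies on the server-side cache above

# Protocols. This deviates from the Mozilla "intermediate" profile linked above:
# only TLS 1.3 is offered, so clients without TLS 1.3 support cannot connect at all.
ssl_protocols TLSv1.3;
# ssl_ciphers and ssl_dhparam govern TLS 1.2 and earlier; they do not affect TLS 1.3
# handshakes, so with the protocol list above they are effectively dormant. They are
# kept so that re-adding TLSv1.2 does not silently fall back to the OpenSSL defaults.
ssl_ciphers EECDH+AESGCM:EECDH+AES256;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0; applies to TLS 1.3 key shares too
ssl_prefer_server_ciphers off;

# OCSP stapling (needs the resolver below to reach the OCSP responder)
ssl_stapling on;
ssl_stapling_verify on;

### Linuxserver.io Defaults
# Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
# Diffie-Hellman Parameters (TLS 1.2 only, see note on ssl_ciphers)
ssl_dhparam /config/nginx/dhparams.pem;
# Resolver
resolver 127.0.0.11 valid=30s; # Docker DNS Server

# Enable TLS 1.3 early data (0-RTT). Requests carried in early data can be replayed on
# the wire, so upstreams that perform state-changing actions should be told which
# requests arrived that way, e.g. `proxy_set_header Early-Data $ssl_early_data;` in the
# proxied location, and reject them with 425 Too Early until the handshake completes.
ssl_early_data on;

# HSTS is ENABLED below; comment the line out to disable it. Browsers cache the policy
# for max-age (1 year) and "preload" signals intent to be hard-coded into browser lists.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Optional additional headers
#add_header Cache-Control "no-transform" always;
# "always" so the headers are also sent on 4xx/5xx responses, matching the other headers here.
add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
# Legacy header: current browsers have removed the XSS auditor; the CSP above is the effective control.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag none always; #SET THIS TO index IF YOU WANT GOOGLE TO INDEX YOUR SITE!
#FEATURE POLICY: READ MORE HERE: https://scotthelme.co.uk/a-new-security-header-feature-policy/
#add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
# Permissions-Policy is a structured-field dictionary: entries are COMMA-separated. With ';'
# the browser would parse everything after the first entry as parameters and the policy
# would not apply as written. Names carried over from the Feature-Policy line (notifications,
# push, speaker, vibrate) appear to have no Permissions-Policy equivalent; unknown features
# are ignored by browsers and are kept only for continuity with the line above.
add_header Permissions-Policy "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(self), vibrate=(), fullscreen=(self), payment=()" always;
# Appends HttpOnly/Secure to Set-Cookie headers of proxied responses. Only cookies whose
# Path attribute matches "/" are rewritten; cookies with another path or no Path attribute
# are passed through unchanged, so this is a backstop, not a guarantee.
proxy_cookie_path / "/; HTTPOnly; Secure"; ##NOTE: This may cause issues with unifi. Remove HTTPOnly; or create another ssl config for unifi.
# Reduce server fingerprinting (requires the headers-more module).
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';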