upgrade the nginx tls configuration based on the mozilla intermediate configuration recommendation

This commit is contained in:
Rui Lopes 2025-08-25 22:23:23 +00:00
parent 8c46c08622
commit a829135921
1 changed files with 22 additions and 25 deletions


@ -99,13 +99,30 @@ popd
# install and configure nginx to proxy to nexus. # install and configure nginx to proxy to nexus.
# see https://help.sonatype.com/repomanager3/planning-your-implementation/run-behind-a-reverse-proxy # see https://help.sonatype.com/repomanager3/planning-your-implementation/run-behind-a-reverse-proxy
apt-get install -y --no-install-recommends nginx apt-get install -y --no-install-recommends nginx
rm -f /etc/nginx/sites-enabled/default wget -qO /etc/ssl/certs/dhparam.pem https://ssl-config.mozilla.org/ffdhe2048.txt
cat >/etc/nginx/sites-available/$config_fqdn.conf <<EOF sed -i -E 's/^(\s*)((ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers)\s)/\1# \2/' /etc/nginx/nginx.conf
ssl_session_cache shared:SSL:4m; cat >/etc/nginx/conf.d/local.conf <<EOF
ssl_session_timeout 6h; # NB this is based on the mozilla intermediate configuration.
# see https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=3.0.2&guideline=5.7
# see https://packages.ubuntu.com/jammy/nginx
# see https://packages.ubuntu.com/jammy/openssl
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m; # about 40000 sessions.
ssl_session_timeout 1d;
ssl_session_tickets on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# NB our example ca does not support stapling, so this is commented.
#ssl_stapling on; #ssl_stapling on;
#ssl_stapling_verify on; #ssl_stapling_verify on;
#ssl_trusted_certificate /etc/ssl/certs/jenkins-ca.pem;
#resolver 127.0.0.53 valid=30s;
#resolver_timeout 5s;
EOF
rm -f /etc/nginx/sites-enabled/default
cat >/etc/nginx/sites-available/$config_fqdn.conf <<EOF
server { server {
listen 80; listen 80;
server_name _; server_name _;
@ -119,11 +136,6 @@ server {
ssl_certificate /etc/ssl/private/$config_fqdn-crt.pem; ssl_certificate /etc/ssl/private/$config_fqdn-crt.pem;
ssl_certificate_key /etc/ssl/private/$config_fqdn-keypair.pem; ssl_certificate_key /etc/ssl/private/$config_fqdn-keypair.pem;
ssl_protocols TLSv1.2 TLSv1.3;
# see https://github.com/cloudflare/sslconfig/blob/master/conf
# see https://blog.cloudflare.com/it-takes-two-to-chacha-poly/
# see https://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!aNULL:!MD5;
tcp_nodelay on; tcp_nodelay on;
client_max_body_size 1G; client_max_body_size 1G;
@ -159,11 +171,6 @@ server {
ssl_certificate /etc/ssl/private/$config_fqdn-crt.pem; ssl_certificate /etc/ssl/private/$config_fqdn-crt.pem;
ssl_certificate_key /etc/ssl/private/$config_fqdn-keypair.pem; ssl_certificate_key /etc/ssl/private/$config_fqdn-keypair.pem;
ssl_protocols TLSv1.2 TLSv1.3;
# see https://github.com/cloudflare/sslconfig/blob/master/conf
# see https://blog.cloudflare.com/it-takes-two-to-chacha-poly/
# see https://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!aNULL:!MD5;
tcp_nodelay on; tcp_nodelay on;
client_max_body_size 10G; client_max_body_size 10G;
@ -188,11 +195,6 @@ server {
ssl_certificate /etc/ssl/private/$config_fqdn-crt.pem; ssl_certificate /etc/ssl/private/$config_fqdn-crt.pem;
ssl_certificate_key /etc/ssl/private/$config_fqdn-keypair.pem; ssl_certificate_key /etc/ssl/private/$config_fqdn-keypair.pem;
ssl_protocols TLSv1.2 TLSv1.3;
# see https://github.com/cloudflare/sslconfig/blob/master/conf
# see https://blog.cloudflare.com/it-takes-two-to-chacha-poly/
# see https://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!aNULL:!MD5;
tcp_nodelay on; tcp_nodelay on;
client_max_body_size 10G; client_max_body_size 10G;
@ -217,11 +219,6 @@ server {
ssl_certificate /etc/ssl/private/$config_fqdn-crt.pem; ssl_certificate /etc/ssl/private/$config_fqdn-crt.pem;
ssl_certificate_key /etc/ssl/private/$config_fqdn-keypair.pem; ssl_certificate_key /etc/ssl/private/$config_fqdn-keypair.pem;
ssl_protocols TLSv1.2 TLSv1.3;
# see https://github.com/cloudflare/sslconfig/blob/master/conf
# see https://blog.cloudflare.com/it-takes-two-to-chacha-poly/
# see https://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!aNULL:!MD5;
tcp_nodelay on; tcp_nodelay on;
client_max_body_size 10G; client_max_body_size 10G;
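Review bot: The new /etc/nginx/conf.d/local.conf in the first hunk sets `ssl_session_tickets on;` together with a 1d session timeout, but the Mozilla intermediate generator this commit cites emits `ssl_session_tickets off;` because nginx does not rotate its ticket encryption key, so a long-lived static key weakens forward secrecy for every session resumed during the worker's lifetime; suggest `ssl_session_tickets off;` (or document the deviation in the NB comment) to match the stated recommendation. The `wget -qO /etc/ssl/certs/dhparam.pem https://ssl-config.mozilla.org/ffdhe2048.txt` line fetches the DH group at provisioning time with output suppressed and no integrity check, so a network failure or a changed response leaves an empty or unexpected file that only surfaces when nginx fails on `ssl_dhparam`; since ffdhe2048 is the fixed RFC 7919 group, it can be embedded in the script via a heredoc, or the download followed by `echo "<EXPECTED_SHA256_PLACEHOLDER>  /etc/ssl/certs/dhparam.pem" | sha256sum -c` before the config is written. The commented stapling block refers to `/etc/ssl/certs/jenkins-ca.pem` although this script provisions nexus, which looks like a copy-paste leftover worth correcting so it is not enabled as-is later. The later hunks only drop the per-server `ssl_protocols`/`ssl_ciphers` lines, which is consistent with relying on the http-level defaults; the enclosing heredocs start and end outside those hunks.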