Commit 42d0c5fe authored by Aral Balkan's avatar Aral Balkan

Updated installation so that we now get an A+ on the SSL Labs test.

parent 1c9d5f4a
......@@ -232,6 +232,10 @@ echo -e " * Carrying out site settings template substitutions…"
sudo sed -i "s/{SERVER_NAMES}/${serverNames}/g" /etc/nginx/sites-available/http.conf
sudo sed -i "s/{SERVER_NAMES}/${serverNames}/g" /etc/nginx/sites-available/https.conf
# Generate unique Diffie Hellman Group
sudo mkdir /etc/nginx/ssl
sudo openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048
#
# Configure TLS using Let’s Encrypt
#
......
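Review bot: `sudo mkdir /etc/nginx/ssl` is not idempotent: on a re-run of the installer the directory already exists, mkdir returns non-zero, and the script either aborts (if it runs under `set -e`, which is not visible in this hunk) or continues with a noisy error before the dhparam step; use `sudo mkdir -p /etc/nginx/ssl` instead. The `openssl dhparam` call is also unchecked, so a failure there leaves `/etc/nginx/ssl/dhparams.pem` missing and nginx will refuse to start when the https config references it; `sudo openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048 || exit 1` makes that explicit. The "Generate unique Diffie Hellman Group" comment would be more useful if it noted that this step takes a noticeable amount of time and that the generated parameters are not secret, so the default file mode is fine. The surrounding script continues outside the hunk.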
......@@ -8,6 +8,23 @@ server {
ssl_certificate /etc/letsencrypt/certs/better.fyi/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/certs/better.fyi/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Add perfect forward secrecy
# Implement a unique Diffie Hellman Group
# (See https://weakdh.org/sysadmin.html for details on generating your own.)
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
ssl_ecdh_curve secp521r1;
# Implement HSTS
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
# --- End of SSL-specific setup ---
# Serve the site from the git repository.
root /home/git/site/;
index index.html index.htm;
......
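Review bot: The new `ssl_ciphers` string both includes RC4 (`EECDH+aRSA+RC4` and `RC4`) and excludes it (`!RC4` at the end); in OpenSSL cipher-list syntax a `!` exclusion is permanent, so the two RC4 entries are dead and only mislead a reader into thinking RC4 is offered, and the line should be `ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";`. The `# Implement HSTS` comment sits above `ssl_prefer_server_ciphers on;` rather than above the `add_header Strict-Transport-Security` line it describes; move it down one line. `ssl_ecdh_curve secp521r1;` is worth a comment on client compatibility, since some widely used browsers do not negotiate P-521 and would fall back to the non-ECDHE `EDH+aRSA` suites, which seems contrary to the stated forward-secrecy goal; `prime256v1` (or leaving the directive at its default) is the common choice — confirm against the SSL Labs handshake-simulation results. The `server {}` block these directives live in starts and ends outside the hunk.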