32 lines
1.2 KiB
Bash
Executable File
32 lines
1.2 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
set -e
|
|
|
|
apt-get -y install nginx-light libnginx-mod-http-headers-more-filter
|
|
printf 'access_log off;\ncharset utf-8;\nlog_not_found off;\nmore_clear_headers server;\nserver_tokens off;\n' > /etc/nginx/conf.d/base.conf
|
|
openssl dhparam -out /etc/ssl/dh4096.pem 4096
|
|
chown root:ssl-cert /etc/ssl/dh4096.pem
|
|
chmod 440 /etc/ssl/dh4096.pem
|
|
printf \
|
|
'# Created with Mozilla SSL Configuration Generator https://ssl-config.mozilla.org/
|
|
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:SSL:10m; # about 40000 sessions
|
|
ssl_session_tickets off;
|
|
|
|
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
|
|
ssl_dhparam /etc/ssl/dh4096.pem;
|
|
|
|
# intermediate configuration
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
|
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
|
#add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
# OCSP stapling
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;' > /etc/nginx/snippets/ssl.conf
|
|
systemctl reload nginx
|