
Upgrade TLS (nginx & certbot)

Sonntag, 14. Mai 2023

Ich habe heute meine TLS Konfiguration aktualisiert.

Im Folgenden der Request für Let's Encrypt

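# Request one certificate for the apex and the wildcard via the DNS-01
# challenge in manual mode, with an ECDSA P-384 key, keeping certbot's
# account/config/logs under ./.certbot/ instead of /etc/letsencrypt.
# The wildcard is quoted: unquoted, the shell would glob `*.example.com`
# against the working directory and silently substitute a matching file name.
# --register-unsafely-without-email means Let's Encrypt can send no expiry
# reminders, so renewal has to be tracked by some other means.
certbot certonly \
  --manual --preferred-challenges dns \
  --key-type ecdsa --elliptic-curve=secp384r1 \
  --domain example.com --domain '*.example.com' \
  --work-dir .certbot/ --logs-dir .certbot/ --config-dir .certbot/ \
  --agree-tos --register-unsafely-without-email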

und Nginx

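  server {
    # Catch-all TLS vhost (IPv4 + IPv6) with HTTP/2.
    listen  [::]:443 ssl default_server;
    listen  443 ssl default_server;
    http2   on;

    root /var/www/html/;

    # Never serve repository metadata that may sit below the web root.
    location ~ /\.git {
      deny all;
    }

    # Read-only site: every method except GET/HEAD is answered with 405.
    if ($request_method !~ ^(GET|HEAD)$ ) {
      return 405;
    }
    error_page 405 @error405;
    location @error405 {
      # add_header is inherited from the server level only when a location
      # defines no add_header of its own. Setting `Allow` here therefore
      # drops every server-level header for this response, so the security
      # headers are repeated. `always` is required: 405 is not one of the
      # status codes add_header covers by default.
      add_header Allow "GET, HEAD" always;
      add_header X-Frame-Options "SAMEORIGIN" always;
      add_header X-Content-Type-Options nosniff always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
      # NOTE(review): no handler is configured in this named location, so the
      # request presumably falls through to the static handler for the original
      # URI; check the body of a 405 response with curl and add `return 405;`
      # here if a plain error page is wanted.
    }

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # Resumption via the shared server-side cache only; tickets stay off so a
    # long-lived ticket key cannot undermine forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache   shared:MozSSL:10m;
    ssl_buffer_size 4k;
    ssl_session_tickets off;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Only P-521 and P-384 are offered for key exchange; X25519 and P-256
    # are deliberately absent, so clients lacking P-384/P-521 cannot connect.
    ssl_ecdh_curve secp521r1:secp384r1;
    # TLS 1.2 list: ECDHE with AEAD only (ChaCha20-Poly1305, AES-256-GCM).
    ssl_ciphers ECDH+CHACHA20:ECDH+AESGCM+AES256;

    # TLS 1.3: honour a client that prefers ChaCha20 (typically no AES-NI),
    # and restrict the 1.3 suites to the two 256-bit AEADs.
    ssl_conf_command Options PrioritizeChaCha;
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;

    # `always` on all four so they are also sent on error responses; without
    # it add_header only applies to 200/201/204/206/30x responses.
    # X-XSS-Protection is a legacy header that current browsers ignore;
    # consider removing it or setting it to "0".
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

    # OCSP stapling: the responder hostname has to be resolvable, which needs
    # a `resolver` directive in this server or in http{} -- none is visible in
    # this block, so confirm it is set elsewhere or stapling silently fails.
    ssl_stapling        on;
    ssl_stapling_verify on;

    # Root used to verify the stapled OCSP response.
    ssl_trusted_certificate /etc/ssl/certs/ISRG_Root_X1.pem;
    # Only DHE suites use these parameters; the ssl_ciphers list above is
    # ECDHE-only and TLS 1.3 never uses them, so this is harmless but inert.
    ssl_dhparam             /etc/ssl/dhe_groups/ffdhe4096.pem;
  }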
