Generate dhparams for SSL

This commit is contained in:
coolneng 2019-11-14 00:31:39 +01:00
parent 630e32cc9d
commit 9d0c9e5bdf
2 changed files with 8 additions and 5 deletions


@ -42,18 +42,17 @@
*** IN-PROGRESS Nginx [2/5] [40%] *** IN-PROGRESS Nginx [2/5] [40%]
- [X] Radicale reverse proxy - [X] Radicale reverse proxy
- [X] Syncthing reverse proxy - [X] Syncthing reverse proxy
- [ ] Wallabag vhost
- [ ] Gitea vhost - [ ] Gitea vhost
- [ ] Miniflux vhost - [ ] Miniflux vhost
*** TODO PHP [0/1] [0%] *** TODO PHP [0/1] [0%]
- [ ] Php-fpm - [ ] Php-fpm
*** TODO PostgreSQL [0/1] [0%] *** TODO PostgreSQL [0/1] [0%]
- [ ] Restore DBs - [ ] Restore DBs
*** DONE ACME [2/3] [66%] *** DONE ACME [3/3] [100%]
CLOSED: [2019-11-10 Sun 21:47] CLOSED: [2019-11-10 Sun 21:47]
- [X] Obtain certs - [X] Obtain certs
- [X] Automatic renewal - [X] Automatic renewal
- [ ] Generate dhparam - [X] Generate dhparam
*** TODO Wallabag *** TODO Wallabag
*** TODO Miniflux *** TODO Miniflux
*** TODO Hugo [0/2] [0%] *** TODO Hugo [0/2] [0%]


@ -6,6 +6,7 @@
nginx nginx
php php
postgresql_11 postgresql_11
libressl
]; ];
services.nginx = { services.nginx = {
@ -16,7 +17,7 @@
recommendedOptimisation = true; recommendedOptimisation = true;
sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128"; sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslProtocols = "TLSv1.2 TLSv1.3"; sslProtocols = "TLSv1.2 TLSv1.3";
#sslDhparam = "/var/lib/dhparams"; sslDhparam = "/var/lib/dhparams/nginx.pem";
commonHttpConfig = '' commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests. # Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged # Adding this header to HTTP requests is discouraged
@ -72,6 +73,9 @@
}; };
}; };
security.dhparams.enable = true; security.dhparams = {
enable = true;
params = { nginx.bits = 2048; };
};
} }
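Review bot: The new `sslDhparam = "/var/lib/dhparams/nginx.pem";` hard-codes the output location of the `security.dhparams` module instead of referencing it, so the two settings can silently drift apart (for example if `security.dhparams.path` is ever changed or the module is switched to stateless generation), leaving nginx pointing at a file that is not there. The module exposes the generated file's location as a read-only option, so the nginx setting can be tied to it directly: `sslDhparam = config.security.dhparams.params.nginx.path;` (this assumes `config` is among the module's arguments; the file header is outside the hunk). The dhparams module generates the file with its own OpenSSL dependency, so the `libressl` entry added to the package list in the first hunk appears unnecessary for this change and could be dropped unless it is wanted for other reasons. It would also be worth confirming on the host that nginx starts after the stateful generation service has produced the file on first activation, since a missing dhparam file fails nginx's configuration load.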