authorChristian Breunig <christian@breunig.cc>2024-01-05 22:35:59 +0100
committerChristian Breunig <christian@breunig.cc>2024-01-08 21:11:13 +0100
commit1b85e7a9442aa71e2137df44747bd184c4a8b6de (patch)
tree1b2f52cb56b102262aa8279c2fc66d1b2e9da61a /data/templates
parent69b8c448c7c8fe32bb607dbc4465e4b56df39bfa (diff)
https: T5886: migrate https certbot to new "pki certificate" CLI tree
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/https/nginx.default.j212
1 files changed, 6 insertions, 6 deletions
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
index 80239ea56..a530c14ba 100644
--- a/data/templates/https/nginx.default.j2
+++ b/data/templates/https/nginx.default.j2
@@ -18,12 +18,7 @@ server {
root /srv/localui;
-{% if server.certbot %}
- ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem;
- ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem;
- include {{ server.certbot_dir }}/options-ssl-nginx.conf;
- ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem;
-{% elif server.vyos_cert %}
+{% if server.vyos_cert %}
ssl_certificate {{ server.vyos_cert.crt }};
ssl_certificate_key {{ server.vyos_cert.key }};
{% else %}
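Review bot: The removed certbot branch carried an `ssl_dhparam` directive that is not re-added for the `vyos_cert` case, while the hunk below still lists DHE-* suites in `ssl_ciphers`. In nginx, when no `ssl_dhparam` is set no DH parameters are configured and DHE suites are not negotiated (nginx documents this behaviour since 1.11.0; worth confirming against the shipped version), so those entries become dead configuration rather than a fallback. Either drop the DHE suites from the cipher list so it reflects what is actually offered, or have the template provide a DH parameter file from the new PKI tree as the certbot include previously did. The enclosing `server {` block starts and ends outside this hunk.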
@@ -33,7 +28,12 @@ server {
#
include snippets/snakeoil.conf;
{% endif %}
+ ssl_session_cache shared:le_nginx_SSL:10m;
+ ssl_session_timeout 1440m;
+ ssl_session_tickets off;
+
ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
# proxy settings for HTTP API, if enabled; 503, if not
location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {