Update Cipher configuration (#118)

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2023-04-15 05:57:23 -04:00 committed by GitHub
parent 0a1bd622ee
commit a93e35a979
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -32,12 +32,16 @@ These security configurations can be added/modified in `data/conf/nginx/includes
### SSL Ciphers
Consider only supporting ciphers matching that of TLSv1.3:
Consider only supporting strong ciphers:
```
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
```
And prioritize ChaCha ciphers:
```
ssl_conf_command Options PrioritizeChaCha;
```
### HSTS
Consider adding `includeSubDomains;` and `preload;` to the HSTS configuration if all of your services are using HTTPS:
@ -93,4 +97,4 @@ If you do not use Gravatar with SOGo, you can also set COEP to require-corp sinc
```
add_header Cross-Origin-Embedder-Policy require-corp;
```
```