Diffstat (limited to 'deploy/conf/common-ssl.conf')
-rw-r--r--deploy/conf/common-ssl.conf28
1 files changed, 28 insertions, 0 deletions
diff --git a/deploy/conf/common-ssl.conf b/deploy/conf/common-ssl.conf
new file mode 100644
index 0000000..e30b7b8
--- /dev/null
+++ b/deploy/conf/common-ssl.conf
@@ -0,0 +1,28 @@
+server_tokens off;
+
+ssl_certificate /srv/plural.cafe/.acme.sh/plural.cafe/fullchain.cer;
+ssl_certificate_key /srv/plural.cafe/.acme.sh/plural.cafe/plural.cafe.key;
+ssl_trusted_certificate /srv/plural.cafe/.acme.sh/plural.cafe/plural.cafe.cer;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+ssl_ecdh_curve X25519:secp384r1:prime256v1;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:TLS:2m;
+ssl_session_timeout 10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+keepalive_timeout 70;
+sendfile on;
+client_max_body_size 0;
+
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header Referrer-Policy "same-origin";
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
+resolver_timeout 5s;
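Review bot: `client_max_body_size 0;` disables nginx's request-body size check wherever this file is included, so any client can stream arbitrarily large bodies at the backend. A bounded default such as `client_max_body_size 100m;` (constructed value, size it to the largest legitimate upload), raised only in the locations that need it, would be safer. The five `add_header` lines have no `always` parameter, so nginx omits them on 4xx/5xx responses, and any `server` or `location` block that declares its own `add_header` stops inheriting all of them; I would write e.g. `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;` and add a comment warning includers about the inheritance rule. `ssl_trusted_certificate` appears to point at the leaf certificate rather than the issuer chain that `ssl_stapling_verify on` needs to validate OCSP responses, so it is worth confirming in the error log that a staple is actually served. Depending on the OpenSSL build, `HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA` probably still admits static-RSA key exchange and CBC suites for TLS 1.2, so an explicit ECDHE/AEAD list would be easier to audit.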