coolneng/zion
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Generate dhparams for SSL

Browse Source
This commit is contained in:
coolneng
2019-11-14 00:31:39 +01:00
parent 630e32cc9d
commit 9d0c9e5bdf
2 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
modules/webstack.nix
View File

@@ -6,6 +6,7 @@
nginx
php
postgresql_11
libressl
];
services.nginx = {
@@ -16,7 +17,7 @@
recommendedOptimisation = true;
sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslProtocols = "TLSv1.2 TLSv1.3";
#sslDhparam = "/var/lib/dhparams";
sslDhparam = "/var/lib/dhparams/nginx.pem";
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
@@ -72,6 +73,9 @@
};
};
security.dhparams.enable = true;
security.dhparams = {
enable = true;
params = { nginx.bits = 2048; };
};
}