
Commit e8db6b7

committed
SSL improvements
1 parent b5f439c commit e8db6b7


5 files changed

+21
-12
lines changed


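--- a/dhparam
+++ b/dhparam
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----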

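--- a/global/server/ssl.conf
+++ b/global/server/ssl.conf
@@ -2,12 +2,13 @@
 # and recommend further improvements.
 
 # Don't use outdated SSLv3 protocol. Protects against BEAST and POODLE attacks.
-ssl_protocols TLSv1.2;
+ssl_protocols TLSv1.2 TLSv1.3;
 
 # Use secure ciphers
-ssl_ciphers EECDH+CHACHA20:EECDH+AES;
-ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
-ssl_prefer_server_ciphers on;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_dhparam /etc/nginx/dhparam;
+ssl_prefer_server_ciphers off;
+ssl_session_tickets off;
 
 # Define the size of the SSL session cache in MBs.
 ssl_session_cache shared:SSL:10m;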
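Review bot: The comment above `ssl_protocols` still only says that SSLv3 is disabled, while the directive now restricts negotiation to TLS 1.2 and 1.3, so TLS 1.0 and 1.1 are dropped as well; update it to `# Only allow TLS 1.2 and TLS 1.3; SSLv3 and TLS 1.0/1.1 are disabled (BEAST, POODLE).` A comment on the new `ssl_ciphers` line should say that this list governs TLS 1.2 only — the TLS 1.3 suites come from the OpenSSL build, not from this directive — and that `ssl_prefer_server_ciphers off` intentionally lets the client pick from this already-restricted list. The `ssl_dhparam /etc/nginx/dhparam;` path assumes the repository's top-level `dhparam` file is deployed to `/etc/nginx/`, which nothing in this commit shows; a comment naming that expectation would save a startup failure for anyone installing the config elsewhere. `ssl_session_tickets off` leaves the shared cache below as the only resumption mechanism, which looks deliberate for forward secrecy but deserves its own one-line comment, since the following comment describes only the cache size.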

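--- a/nginx.conf
+++ b/nginx.conf
@@ -1,6 +1,6 @@
-# The user account used by the worker processes. If following along with Hosting WordPress Yourself,
+# The user account used by the worker processes. If following along with our guide,
 # it's recommened to set this to your username, but only when running a single user access server.
-# https://deliciousbrains.com/hosting-wordpress-yourself-nginx-php-mysql/
+# https://spinupwp.com/hosting-wordpress-yourself-nginx-php-mysql/
 user www-data;
 
 # Set to number of CPU cores, auto will try to autodetect.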

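--- a/sites-available/single-site-with-caching.com
+++ b/sites-available/single-site-with-caching.com
@@ -4,7 +4,7 @@
 fastcgi_cache_path /sites/single-site-with-caching.com/cache levels=1:2 keys_zone=single-site-with-caching.com:100m inactive=60m;
 
 server {
-# Ports to listen on, uncomment one.
+# Ports to listen on
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 
@@ -69,8 +69,8 @@ server {
 
 # Redirect www to non-www
 server {
-listen 443;
-listen [::]:443;
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
 server_name www.single-site-with-caching.com;
 
 return 301 https://single-site-with-caching.com$request_uri;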
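Review bot: The www-redirect server block at lines 72–73 now terminates TLS (`listen 443 ssl http2;`), but nothing in the hunk supplies `ssl_certificate`/`ssl_certificate_key` for `www.single-site-with-caching.com`; unless those directives appear later in this block or are inherited from the http context, nginx will reject the configuration, and even when inherited the certificate must cover the www hostname for the redirect to be reachable over HTTPS at all. This server block continues past the end of the hunk, so it may already be handled, but a comment above the listen lines such as `# TLS is terminated here too: the certificate in use must include the www name` would make that dependency explicit. The same applies to the matching hunk in sites-available/single-site.com.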

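--- a/sites-available/single-site.com
+++ b/sites-available/single-site.com
@@ -1,5 +1,5 @@
 server {
-# Ports to listen on, uncomment one.
+# Ports to listen on
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 
@@ -51,8 +51,8 @@ server {
 
 # Redirect www to non-www
 server {
-listen 443;
-listen [::]:443;
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
 server_name www.single-site.com;
 
 return 301 https://single-site.com$request_uri;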
