| Prochaine révision | Révision précédente |
| linux:nginx:ssl [2021/06/13 18:42] – créée root | linux:nginx:ssl [2021/06/20 09:40] (Version actuelle) – modification externe 127.0.0.1 |
|---|
| ssl_dhparam /etc/ssl/dh.pem; | ssl_dhparam /etc/ssl/dh.pem; |
| |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ssl_protocols TLSv1.3 TLSv1.2; |
| ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-EC$ | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; |
| ssl_prefer_server_ciphers on; | ssl_prefer_server_ciphers on; |
| |
| #ssl_stapling on; | ssl_stapling on; |
| #ssl_stapling_verify on; | ssl_stapling_verify on; |
| #ssl_trusted_certificate /etc/ssl/certs/gandi-standardssl-2.chain.pem; | ssl_trusted_certificate /etc/ssl/certs/gandi-standardssl-2.chain.pem; |
| resolver 127.0.0.1;</code> | resolver 127.0.0.1;</code> |
| - Faire un fichier | - Faire un fichier stapling <code bash>cd /etc/ssl/certs/ \ |
| | && echo -n '' > gandi-standardssl-2.chain.pem \ |
| | && wget -q -O - https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem | tee -a gandi-standardssl-2.chain.pem> /dev/null \ |
| | && cat USERTrust_RSA_Certification_Authority.pem | tee -a gandi-standardssl-2.chain.pem</code> |
| | - Ajouter ces deux lignes dans chaque site-enabled de NGINX <code> include /etc/nginx/wildcard_example_com.ssl.conf; |
| | add_header Strict-Transport-Security max-age=31536000;</code> |
| | - Redémarrer nginx <code bash>service nginx restart</code> |
| | - Vérifier sur https://www.ssllabs.com/ssltest/ |
| |
| ====== Sources ====== | ====== Sources ====== |
| * https://jlecour.github.io/ssl-gandi-nginx-debian/ | * https://jlecour.github.io/ssl-gandi-nginx-debian/ |
| * https://angristan.fr/configurer-https-nginx/ | * https://angristan.fr/configurer-https-nginx/ |
