From ec9e888ea2fa88df103ebf150cf2b481ed8204b1 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Tue, 8 Jun 2021 18:09:00 -0400 Subject: [PATCH 1/2] Optimizations for Nginx configs --- web-apache-mysql/alpine/conf/etc/zabbix/apache.conf | 8 ++++++++ .../alpine/conf/etc/zabbix/apache_ssl.conf | 10 ++++++++-- web-apache-mysql/centos/conf/etc/zabbix/apache.conf | 8 ++++++++ .../centos/conf/etc/zabbix/apache_ssl.conf | 10 ++++++++-- web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf | 8 ++++++++ .../ubuntu/conf/etc/zabbix/apache_ssl.conf | 10 ++++++++-- web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf | 8 ++++++++ .../alpine/conf/etc/zabbix/apache_ssl.conf | 10 ++++++++-- web-apache-pgsql/centos/conf/etc/zabbix/apache.conf | 8 ++++++++ .../centos/conf/etc/zabbix/apache_ssl.conf | 10 ++++++++-- web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf | 8 ++++++++ .../ubuntu/conf/etc/zabbix/apache_ssl.conf | 10 ++++++++-- web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf | 2 +- web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf | 2 +- web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf | 2 +- web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf | 2 +- web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf | 2 +- web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf | 2 +- web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf | 2 +- web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf | 2 +- web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf | 2 +- web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf | 2 +- web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf | 2 +- web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf | 2 +- 24 files changed, 108 insertions(+), 24 deletions(-) diff --git a/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf b/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf index 36def0c29..e979d2b86 100644 --- a/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf +++ b/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf 
@@ -42,4 +42,12 @@ Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + diff --git a/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf b/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf index 63005b0e1..61fded021 100644 --- a/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf @@ -5,8 +5,6 @@ Listen 8443 - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php @@ -65,5 +63,13 @@ Listen 8443 Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + diff --git a/web-apache-mysql/centos/conf/etc/zabbix/apache.conf b/web-apache-mysql/centos/conf/etc/zabbix/apache.conf index 36def0c29..e979d2b86 100644 --- a/web-apache-mysql/centos/conf/etc/zabbix/apache.conf +++ b/web-apache-mysql/centos/conf/etc/zabbix/apache.conf @@ -42,4 +42,12 @@ Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + diff --git a/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf b/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf index 20cfd2841..6e4ac45f5 100644 --- a/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf @@ -4,8 +4,6 @@ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so Listen 8443 - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php @@ -64,4 +62,12 @@ Listen 8443 Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + diff --git a/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf b/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf index 36def0c29..e979d2b86 100644 --- a/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf +++ b/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf @@ -42,4 +42,12 @@ Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + 
diff --git a/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf b/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf index d18d08fde..7124ce434 100644 --- a/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf @@ -4,8 +4,6 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php @@ -64,5 +62,13 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + diff --git a/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf b/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf index 36def0c29..e979d2b86 100644 --- a/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf +++ b/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf @@ -42,4 +42,12 @@ Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + diff --git a/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf b/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf index 63005b0e1..61fded021 100644 --- a/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf @@ -5,8 +5,6 @@ Listen 8443 - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php @@ -65,5 +63,13 @@ Listen 8443 Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + diff --git a/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf b/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf index 36def0c29..e979d2b86 100644 --- a/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf +++ b/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf @@ -42,4 +42,12 @@ Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + 
diff --git a/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf b/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf index 20cfd2841..6e4ac45f5 100644 --- a/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf @@ -4,8 +4,6 @@ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so Listen 8443 - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php @@ -64,4 +62,12 @@ Listen 8443 Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + diff --git a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf index 36def0c29..e979d2b86 100644 --- a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf +++ b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf @@ -42,4 +42,12 @@ Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + diff --git a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf index d18d08fde..7124ce434 100644 --- a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf @@ -4,8 +4,6 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php @@ -64,5 +62,13 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so Deny from all + + + Require all denied + + Order deny,allow + Deny from all + + diff --git a/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf b/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf index 3f7cb9cd7..da6769355 100644 --- a/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf +++ b/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf 
@@ -41,7 +41,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } diff --git a/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf index f0d4620db..69882ac20 100644 --- a/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf @@ -63,7 +63,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } diff --git a/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf b/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf index 3f7cb9cd7..da6769355 100644 --- a/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf +++ b/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf @@ -41,7 +41,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } diff --git a/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf index f0d4620db..69882ac20 100644 --- a/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf @@ -63,7 +63,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } diff --git a/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf b/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf index 3f7cb9cd7..da6769355 100644 --- a/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf +++ b/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf @@ -41,7 +41,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } 
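Review bot: The new pattern `/(app\/|conf[^\.]|include\/|local\/|locale\/)` now requires a trailing slash for `include`, `local` and `locale`, so a request for `/include` without the slash no longer matches this location; whether it is then redirected to `/include/` or reaches a handler defined outside the hunk depends on the other `location` blocks, so that should be checked before treating the change as a pure tightening. The alternation also mixes two shapes without explanation — `conf[^\.]` presumably admits root-level names beginning with `conf.` while the others match the directory only — and the intent should be recorded above the line, e.g. `# block direct access to frontend internals; conf[^\.] keeps root-level conf.* files reachable`. Note too that `return 404` runs in the rewrite phase, before `deny all` is evaluated in the access phase, so the 404 is what clients see and `deny all` is effectively dead; a comment stating that the 404 is intentional (so the paths are not confirmed to exist) would make that clear. The same hunk is repeated across L5–L7 for the other nginx.conf and nginx_ssl.conf files; the `server {` block starts and ends outside the hunk.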
diff --git a/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf index f0d4620db..69882ac20 100644 --- a/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf @@ -63,7 +63,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } diff --git a/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf b/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf index 3f7cb9cd7..da6769355 100644 --- a/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf +++ b/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf @@ -41,7 +41,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } diff --git a/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf index f0d4620db..69882ac20 100644 --- a/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf @@ -63,7 +63,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } diff --git a/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf b/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf index 3f7cb9cd7..da6769355 100644 --- a/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf +++ b/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf @@ -41,7 +41,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } diff --git a/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf index f0d4620db..69882ac20 100644 --- a/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf 
+++ b/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf @@ -63,7 +63,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } diff --git a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf index 3f7cb9cd7..da6769355 100644 --- a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf +++ b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf @@ -41,7 +41,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } diff --git a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf index f0d4620db..69882ac20 100644 --- a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf @@ -63,7 +63,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } From d8eef085c7ad398115755f9a374c94ebee7df990 Mon Sep 17 00:00:00 2001 
From: Alexey Pustovalov Date: Tue, 8 Jun 2021 19:10:03 -0400 Subject: [PATCH 2/2] Optimizations for Nginx/Apache configs --- .../alpine/conf/etc/zabbix/apache_ssl.conf | 15 ++++++++++----- .../centos/conf/etc/zabbix/apache_ssl.conf | 12 +++++++----- .../ubuntu/conf/etc/zabbix/apache_ssl.conf | 15 ++++++++++----- .../alpine/conf/etc/zabbix/apache_ssl.conf | 15 ++++++++++----- .../centos/conf/etc/zabbix/apache_ssl.conf | 12 +++++++----- .../ubuntu/conf/etc/zabbix/apache_ssl.conf | 15 ++++++++++----- .../alpine/conf/etc/zabbix/nginx_ssl.conf | 17 +++++++++++------ .../centos/conf/etc/zabbix/nginx_ssl.conf | 17 +++++++++++------ .../ubuntu/conf/etc/zabbix/nginx_ssl.conf | 17 +++++++++++------ .../alpine/conf/etc/zabbix/nginx_ssl.conf | 17 +++++++++++------ .../centos/conf/etc/zabbix/nginx_ssl.conf | 17 +++++++++++------ .../ubuntu/conf/etc/zabbix/nginx_ssl.conf | 17 +++++++++++------ 12 files changed, 120 insertions(+), 66 deletions(-) diff --git a/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf b/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf index 61fded021..3949e0657 100644 --- a/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf 
@@ -15,16 +15,21 @@ Listen 8443 # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # enable HTTP/2, if available + Protocols h2 http/1.1 + + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks diff --git a/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf b/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf index 6e4ac45f5..f31b73e35 100644 --- a/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf 
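Review bot: `Protocols h2 http/1.1` is added here and in the ubuntu hunks (L11, L14) but not in the centos ones (L10, L13), and the `# enable HTTP/2, if available` comment does not say what "available" depends on: the directive needs mod_http2 loaded, and mod_http2 does not serve h2 under the prefork MPM, which a mod_php deployment typically requires, so h2 may be silently inert in every image. Either document per image why the directive is present or absent, or drop it where it cannot take effect; if the centos omission is intentional, say so in the commit message. The TLS block appears to be Mozilla SSL Configuration Generator output (the bare `# intermediate configuration` marker), so record the provenance instead so the protocol and cipher lines can be regenerated rather than hand-edited, e.g. `# Mozilla SSL Configuration Generator, "intermediate" profile (<GENERATOR_VERSION>, <DATE>); regenerate instead of editing by hand`. The same applies to the hunks in L10–L14; the enclosing `<VirtualHost>` starts and ends outside the hunk.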
@@ -14,16 +14,18 @@ Listen 8443 # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks diff --git a/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf b/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf index 7124ce434..8bdcf03ff 100644 --- a/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf 
@@ -14,16 +14,21 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # enable HTTP/2, if available + Protocols h2 http/1.1 + + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks diff --git a/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf b/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf index 61fded021..3949e0657 100644 --- a/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf 
+++ b/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf @@ -15,16 +15,21 @@ Listen 8443 # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # enable HTTP/2, if available + Protocols h2 http/1.1 + + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks diff --git a/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf b/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf index 6e4ac45f5..f31b73e35 100644 --- a/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf 
+++ b/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf @@ -14,16 +14,18 @@ Listen 8443 # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks diff --git a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf index 7124ce434..8bdcf03ff 100644 --- a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf 
@@ -14,16 +14,21 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # enable HTTP/2, if available + Protocols h2 http/1.1 + + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks diff --git a/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf index 69882ac20..f3a6d6534 100644 --- a/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf 
+++ b/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf @@ -21,13 +21,18 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { diff --git a/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf index 69882ac20..f3a6d6534 100644 --- a/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf 
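Review bot: The HSTS header is now set with `always` at server level, but nginx `add_header` directives are inherited from the enclosing level only when the current level defines none of its own, so any `location` in this file that sets its own `add_header` (possibly the `location =/nginx_status {` block that follows) silently loses Strict-Transport-Security; the new line deserves a comment such as `# add_header is not merged across levels: any location that sets its own headers must repeat this line`. The adjacent `Content-Security-Policy-Report-Only` header (unchanged context) still lacks `always`, so it is omitted on error responses while HSTS is not — add `always` there too or document why the two differ. The removed `ssl_verify_depth 3;` only matters when client-certificate verification (`ssl_verify_client`) is enabled, which is not visible in this hunk; if it is set elsewhere in the file, the removal changes which chains are accepted and should be mentioned in the commit message. The identical hunk appears in L16–L20; the `server {` block starts and ends outside the hunk.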
@@ -21,13 +21,18 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { diff --git a/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf index 69882ac20..f3a6d6534 100644 --- a/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf 
@@ -21,13 +21,18 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { diff --git a/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf index 69882ac20..f3a6d6534 100644 --- a/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf 
@@ -21,13 +21,18 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { diff --git a/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf index 69882ac20..f3a6d6534 100644 --- a/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf 
@@ -21,13 +21,18 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { diff --git a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf index 69882ac20..f3a6d6534 100644 --- a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf 
@@ -21,13 +21,18 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status {