Unverified Commit e62971b0 authored by teutat3s's avatar teutat3s

nixos/nginx: sync with Mozilla Intermediate TLS configuration

- adds ssl_ecdh_curve, per https://github.com/mozilla/ssl-config-generator/issues/76
- removes ssl_stapling: after Let's Encrypt ended OCSP support
  (https://letsencrypt.org/2024/12/05/ending-ocsp/), enabling ssl_stapling only
  leads to warning log spam:
```
  ssl_stapling" ignored, no OCSP responder URL in the certificate "<cert-directory>
```
parent 3a7b11ad
+1 −4
@@ -207,6 +207,7 @@ let
            ${optionalString cfg.recommendedTlsSettings ''
              # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate

              ssl_ecdh_curve X25519:prime256v1:secp384r1;
              ssl_session_timeout 1d;
              ssl_session_cache shared:SSL:10m;
              # Breaks forward secrecy: https://github.com/mozilla/server-side-tls/issues/135
@@ -214,10 +215,6 @@ let
              # We don't enable insecure ciphers by default, so this allows
              # clients to pick the most performant, per https://github.com/mozilla/server-side-tls/issues/260
              ssl_prefer_server_ciphers off;

              # OCSP stapling
              ssl_stapling on;
              ssl_stapling_verify on;
            ''}

            ${optionalString cfg.recommendedBrotliSettings ''
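Review bot: The `# Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate` comment in the first hunk now overstates parity, because dropping `ssl_stapling`/`ssl_stapling_verify` in the second hunk is a deliberate departure from the Mozilla intermediate profile driven by Let's Encrypt's OCSP shutdown, and a later "sync" pass could reintroduce it without noticing. I'd record the divergence next to that comment, e.g. `# Intentionally omits ssl_stapling: Let's Encrypt no longer serves OCSP, so enabling it only produces "ssl_stapling ignored" warnings`. Operators whose certificates come from a CA that still runs an OCSP responder silently lose stapling under recommendedTlsSettings and must add it in their own nginx config, which the option description should state. Separately, an explicit `ssl_ecdh_curve` replaces the library's default group list, so if the linked OpenSSL is new enough to offer a hybrid post-quantum group (X25519MLKEM768) by default, this line would stop nginx from negotiating it — worth a short comment so the list is revisited when the Mozilla profile adds such a group. The enclosing `optionalString cfg.recommendedTlsSettings` block begins before the first hunk.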