nginx: Enable TLS 1.3 if supported.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
This commit is contained in:
Anders Kaseorg 2019-10-29 18:11:26 -07:00 committed by Tim Abbott
parent d577537304
commit 0ae2c5c96e
2 changed files with 5 additions and 1 deletions


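--- a/FILE1_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE1_PATH_NOT_SHOWN_ON_PAGE
@@ -65,7 +65,7 @@ class zulip::nginx {
 group => 'root',
 mode => '0644',
 notify => Service['nginx'],
-source => 'puppet:///modules/zulip/nginx/nginx.conf',
+content => template('zulip/nginx.conf.template.erb'),
 }
 file { '/etc/nginx/uwsgi_params':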


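--- a/FILE2_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE2_PATH_NOT_SHOWN_ON_PAGE
@@ -53,7 +53,11 @@ http {
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
 ssl_dhparam /etc/nginx/dhparam.pem;
+<% if scope["zulip::base::release_name"] == "stretch" or scope["zulip::base::release_name"] == "xenial" -%>
 ssl_protocols TLSv1.2;
+<% else -%>
+ssl_protocols TLSv1.2 TLSv1.3;
+<% end -%>
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
 ssl_stapling on;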
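Review bot: The `ssl_protocols TLSv1.2 TLSv1.3;` branch is not documented, and the unchanged `ssl_ciphers` list just below it only governs TLS 1.2 and earlier, since nginx's `ssl_ciphers` maps to OpenSSL's cipher list rather than its TLS 1.3 ciphersuites setting; an operator auditing this template could reasonably assume the explicit allowlist also constrains TLS 1.3, which it does not (TLS 1.3 suites come from OpenSSL's default ciphersuites). A one-line ERB comment above the conditional would prevent that misreading, e.g. `<%# TLS 1.3 suites are chosen by OpenSSL's ciphersuites default, not by ssl_ciphers below -%>`. It would also help to state why stretch and xenial are pinned to TLS 1.2 only, presumably because their nginx/OpenSSL builds predate TLS 1.3 support — worth confirming and recording, since the conditional keys on the distro release name rather than on the actual nginx or OpenSSL version, so any other platform whose nginx does not recognize the TLSv1.3 token would fail to load this config. The enclosing `http {` block starts and ends outside the hunk.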