| # TLS parameter snippet shared by the vhosts (presumably the snippets/ssl-params-intermediate.conf
| # that the server block further down includes — confirm). The MozSSL cache name, the
| # ssl-config.mozilla.org URL and the "intermediate configuration" comment below indicate it was
| # produced from the Mozilla SSL configuration generator's "intermediate" profile.
| # Session resumption uses the server-side cache only (tickets are disabled below), so resumption
| # state never leaves the server and there is no ticket key to protect or rotate.
| ssl_session_timeout 1d;
|
| ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
| # No session tickets: resumption relies solely on the shared cache above.
| ssl_session_tickets off;
|
|
|
| # Pre-generated ffdhe2048 group (RFC 7919) backing the DHE-RSA-* suites listed in ssl_ciphers.
| # The group itself is public, so integrity of the fetched file matters, not its secrecy.
| # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /usr/local/etc/ssl/dhparam.pem
|
| ssl_dhparam /usr/local/etc/ssl/dhparam.pem;
|
|
|
| # intermediate configuration
|
| # TLS 1.0/1.1 are not offered. NOTE(review): the curl transcript on this page shows a TLS 1.2-only
| # client (--tlsv1.2 --tls-max 1.2) being rejected with a "protocol version" alert even though
| # TLSv1.2 is enabled here. If this is the snippet included by the cloud.mydomain.com server block,
| # check with `nginx -T` that it is actually loaded for that vhost and that no other server block
| # listening on 443 (in particular the default server) sets a stricter ssl_protocols — confirm.
| ssl_protocols TLSv1.2 TLSv1.3;
|
| # TLS 1.2 suites only (TLS 1.3 suites are chosen by OpenSSL separately from this list): every entry
| # is an AEAD suite (AES-GCM or ChaCha20-Poly1305) with ECDHE or DHE key exchange, so all of them
| # provide forward secrecy. The DHE-* entries are what ssl_dhparam above is for.
| ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
| # Client cipher preference wins. Acceptable only because the list above contains nothing weak;
| # if a non-AEAD or non-PFS suite were ever added, this should go back to "on".
| ssl_prefer_server_ciphers off;
|
|
|
| # HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
| # Two-year HSTS, sent on every response including error responses because of `always`. Without
| # includeSubDomains or preload only this exact host is pinned; add those flags only once every
| # subdomain is served over HTTPS. Note that an `add_header` placed inside a location block would
| # replace this inherited header for that location.
| add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
| # OCSP stapling
|
| ssl_stapling on;
|
| # Verification needs the issuer chain to be configured as trusted (ssl_trusted_certificate);
| # presumably that lives in the certificate snippet, which is not shown on this page — confirm.
| # If verification fails nginx logs it and omits the staple; it does not fail the handshake.
| ssl_stapling_verify on;
|
| curl -I -v --tlsv1.2 --tls-max 1.2 https://cloud.mydomain.com
|
| * Host cloud.mydomain.com:443 was resolved.
|
| * IPv6: (none)
|
| * IPv4: 192.168.30.200
|
| * Trying 192.168.30.200:443...
|
| * Connected to cloud.mydomain.com (192.168.30.200) port 443
|
| * ALPN: curl offers h2,http/1.1
|
| * TLSv1.2 (OUT), TLS handshake, Client hello (1):
|
| * CAfile: /etc/ssl/certs/ca-certificates.crt
|
| * CApath: none
|
| * TLSv1.2 (IN), TLS alert, protocol version (582):
|
| * OpenSSL/3.3.1: error:0A00042E:SSL routines::tlsv1 alert protocol version
|
| * Closing connection
|
| curl: (35) OpenSSL/3.3.1: error:0A00042E:SSL routines::tlsv1 alert protocol version
|
| # Reverse-proxy vhost for cloud.mydomain.com. The /remote.php/dav redirects suggest a
| # Nextcloud/ownCloud-style backend — confirm.
| server {
|
| # TLS + HTTP/2 on 443. NOTE(review): `http2` as a listen parameter is the pre-1.25.1 syntax;
| # newer nginx releases expect a separate `http2 on;` directive and warn about this form.
| listen 443 ssl http2;
|
|
|
| server_name cloud.mydomain.com;
|
| access_log /var/log/nginx/cloud.access.log;
|
| error_log /var/log/nginx/cloud.error.log;
|
|
|
| # Strip any HSTS header the upstream emits so the client receives exactly one — the one added
| # by the TLS snippet included below (proxy_hide_header only affects headers coming from the upstream).
| proxy_hide_header Strict-Transport-Security;
|
| # Certificate and key; contents not shown on this page. ssl_stapling_verify in the TLS snippet
| # needs the issuer chain via ssl_trusted_certificate — presumably it is set here; confirm.
| include snippets/mydomain.com.cert.conf;
|
| # Protocols, ciphers, HSTS and OCSP stapling (presumably the ssl_* snippet shown at the top of
| # this page). NOTE(review): the curl transcript above shows a TLS 1.2-only client rejected with a
| # "protocol version" alert although that snippet enables TLSv1.2 — check with `nginx -T` that this
| # file is the one actually loaded for this vhost and that the default server for port 443 does not
| # restrict ssl_protocols further. Keep `add_header` out of the locations below: one placed there
| # would replace the inherited HSTS header for that location (none is present now).
| include snippets/ssl-params-intermediate.conf;
|
|
|
| # Everything else is proxied to the backend over plain HTTP; TLS terminates in this vhost.
| location / {
|
| # Not shown on this page; presumably sets Host/X-Forwarded-* headers for the backend — confirm.
| include snippets/proxy-params.conf;
|
|
|
| # Generous 5-minute timeouts for large uploads and slow requests
| # (proxy_*: towards the upstream; send_timeout: towards the client).
| proxy_connect_timeout 300;
|
| proxy_send_timeout 300;
|
| proxy_read_timeout 300;
|
| send_timeout 300;
|
| # No effect in this location: it uses proxy_pass, not fastcgi_pass, so the fastcgi_* timeouts
| # never apply here. Harmless, but misleading; drop them or move them to a fastcgi location.
| fastcgi_send_timeout 300;
|
| fastcgi_read_timeout 300;
|
|
|
| # Plaintext hop to the backend on the same LAN address the listener resolves to (192.168.30.200,
| # per the curl output above). NOTE(review): because that is a routable LAN address rather than
| # loopback, port 8085 may be reachable without passing through this TLS/HSTS front end — confirm
| # it is firewalled or bound to localhost.
| proxy_pass http://192.168.30.200:8085;
|
| }
|
|
|
| # CalDAV/CardDAV service discovery (RFC 6764): clients probing these well-known paths are sent to
| # the DAV endpoint. $scheme preserves https; $host echoes the request's Host header, so this vhost
| # should not also act as the default server for 443 (or use $server_name instead) to keep an
| # arbitrary Host value out of the Location header — confirm.
| location /.well-known/carddav {
|
| return 301 $scheme://$host/remote.php/dav;
|
| }
|
| # Same redirect for CalDAV discovery; see the note on the carddav location above.
| location /.well-known/caldav {
|
| return 301 $scheme://$host/remote.php/dav;
|
| }
|
| }
|