From 95ebff1ef19fa63b04e44c10fc4b47336bb75909 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:30:13 +0200 Subject: [PATCH] Announce nginx SSL configuration presets --- CHANGELOG.md | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 854156e8f..bb60561ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,17 +1,25 @@ -# XXXX-XX-XX +# 2021-01-08 -## New SSL Configuration +## (Breaking Change) New SSL configuration -A new variable `matrix_nginx_proxy_ssl_preset`, bringing some breaking changes. The default configuration is set to `"intermediate"`. -This changes `ssl_prefer_server_ciphers` to `off` by default instead of `on`. It also add some more ciphers to the list, this should -give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). -To revert to the old behaviour just set the following variables: +SSL configuration (protocols, ciphers) can now be more easily controlled thanks to us making use of configuration presets. + +We define a few presets (old, intermediate, modern), following the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=nginx). + +A new variable `matrix_nginx_proxy_ssl_preset` controls which preset is used (defaults to `"intermediate"`). + +Compared to before, this changes nginx's `ssl_prefer_server_ciphers` to `off` (used to default to `on`). It also add some more ciphers to the list, giving better performance on mobile devices, and removes some weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). + +To revert to the old behaviour, set the following variables: ```yaml matrix_nginx_proxy_ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" ``` +Just like before, you can still use your own custom protocols by specifying them in `matrix_nginx_proxy_ssl_protocols`. Doing so overrides the values coming from the preset. + + # 2021-01-03 ## Signal bridging support via mautrix-signal
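Review bot: the "To revert to the old behaviour" snippet only sets `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_prefer_server_ciphers`, yet the entry says the presets control "protocols, ciphers" and that `matrix_nginx_proxy_ssl_protocols` overrides the preset; if the intermediate preset's protocol list differs from the previous default, the snippet is not a full revert, so either add the protocols line or state that the protocol list is unchanged. Minor wording in the same paragraph: "It also add some more ciphers" should read "It also adds some more ciphers".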