Optimize SSL session
This commit is contained in:
parent
2606b41b16
commit
e9b878b9e9
@ -386,6 +386,34 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|
|||||||
matrix_ssl_pre_obtaining_required_service_name: ~
|
matrix_ssl_pre_obtaining_required_service_name: ~
|
||||||
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
||||||
|
|
||||||
|
# Nginx Optimize SSL Session
|
||||||
|
#
|
||||||
|
# ssl_session_cache:
|
||||||
|
# - Creating a cache of TLS connection parameters reduces the number of handshakes
|
||||||
|
# and thus can improve the performance of application.
|
||||||
|
# - Default session cache is not optimal as it can be used by only one worker process
|
||||||
|
# and can cause memory fragmentation. It is much better to use shared cache.
|
||||||
|
# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||||
|
#
|
||||||
|
# ssl_session_timeout:
|
||||||
|
# - Nginx by default it is set to 5 minutes which is very low.
|
||||||
|
# should be like 4h or 1d but will require you to increase the size of cache.
|
||||||
|
# - Learn More:
|
||||||
|
# https://github.com/certbot/certbot/issues/6903
|
||||||
|
# https://github.com/mozilla/server-side-tls/issues/198
|
||||||
|
#
|
||||||
|
# ssl_session_tickets:
|
||||||
|
# - In case of session tickets, information about session is given to the client.
|
||||||
|
# Enabling this improve performance also make Perfect Forward Secrecy useless.
|
||||||
|
# - If you would instead like to use ssl_session_tickets by yourself, you can set
|
||||||
|
# matrix_nginx_proxy_ssl_session_tickets_off false.
|
||||||
|
# - Learn More: https://github.com/mozilla/server-side-tls/issues/135
|
||||||
|
#
|
||||||
|
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
||||||
|
matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m"
|
||||||
|
matrix_nginx_proxy_ssl_session_timeout: "1d"
|
||||||
|
matrix_nginx_proxy_ssl_session_tickets_off: true
|
||||||
|
|
||||||
# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
|
# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
|
||||||
# OCSP stapling can provide a performance boost of up to 30%
|
# OCSP stapling can provide a performance boost of up to 30%
|
||||||
# nginx web server supports OCSP stapling since version 1.3.7.
|
# nginx web server supports OCSP stapling since version 1.3.7.
|
||||||
|
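Review bot: The comment `# Enabling this improve performance also make Perfect Forward Secrecy useless.` overstates and misattributes the risk: session tickets weaken forward secrecy because nginx, unless an `ssl_session_ticket_key` file is configured and rotated, keeps one random ticket key for the life of the process, so every session resumed under it is recoverable from that single key, while the new one-day server-side cache (`matrix_nginx_proxy_ssl_session_timeout: "1d"`) also keeps resumable session secrets for a day, only confined to the server. Suggest `# - Session tickets hand the session secret to the client, encrypted under a key nginx generates at start-up and does not rotate unless ssl_session_ticket_key is managed; this narrows forward secrecy to the key's lifetime, so tickets are off by default.` and, under ssl_session_timeout, a sentence noting that a long timeout keeps resumable sessions alive server-side for that long. Two wording fixes in the same block: `# - Nginx by default it is set to 5 minutes which is very low.` → `# - nginx defaults to 5 minutes, which is very low.`, and `matrix_nginx_proxy_ssl_session_tickets_off false.` → `matrix_nginx_proxy_ssl_session_tickets_off to false.`. Naming the toggle `_off` also makes the enabling case a double negative (`_off: false`); an affirmative `_enabled` flag would read more clearly, though that is a wider rename than this commit.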
@ -76,6 +76,12 @@ server {
|
|||||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
|
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||||
|
ssl_session_tickets off;
|
||||||
|
{% endif %}
|
||||||
|
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||||
|
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
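Review bot: The same six-line block, from `{% if matrix_nginx_proxy_ssl_session_tickets_off %}` through `ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};`, is pasted verbatim into ten vhost templates in this commit (the hunks at -80, -85, -83, -208, -248, -91, -125, -68 and -82 are identical to this one), so any later adjustment — for example adding a rotated `ssl_session_ticket_key` if tickets are ever re-enabled — has to be repeated in every file and is easy to miss in one. nginx accepts `ssl_session_cache`, `ssl_session_timeout` and `ssl_session_tickets` in the `http` context and `server` blocks inherit them, so emitting the three directives once in the top-level nginx configuration template would cover every vhost with a single copy; if per-vhost placement is deliberate, a shared Jinja macro next to `render_vhost_directives()` would at least keep one source. The enclosing `server {` block starts outside the hunk, so I cannot confirm from here which outer `{% if %}` the new lines sit under.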
@ -80,6 +80,12 @@ server {
|
|||||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem;
|
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||||
|
ssl_session_tickets off;
|
||||||
|
{% endif %}
|
||||||
|
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||||
|
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -85,6 +85,12 @@ server {
|
|||||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
|
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||||
|
ssl_session_tickets off;
|
||||||
|
{% endif %}
|
||||||
|
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||||
|
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -83,6 +83,12 @@ server {
|
|||||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem;
|
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||||
|
ssl_session_tickets off;
|
||||||
|
{% endif %}
|
||||||
|
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||||
|
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -208,6 +208,12 @@ server {
|
|||||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;
|
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||||
|
ssl_session_tickets off;
|
||||||
|
{% endif %}
|
||||||
|
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||||
|
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
@ -248,6 +254,12 @@ server {
|
|||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
|
ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||||
|
ssl_session_tickets off;
|
||||||
|
{% endif %}
|
||||||
|
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||||
|
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -91,6 +91,12 @@ server {
|
|||||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem;
|
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||||
|
ssl_session_tickets off;
|
||||||
|
{% endif %}
|
||||||
|
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||||
|
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -125,6 +125,12 @@ server {
|
|||||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem;
|
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||||
|
ssl_session_tickets off;
|
||||||
|
{% endif %}
|
||||||
|
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||||
|
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -68,6 +68,12 @@ server {
|
|||||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem;
|
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||||
|
ssl_session_tickets off;
|
||||||
|
{% endif %}
|
||||||
|
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||||
|
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -82,6 +82,12 @@ server {
|
|||||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem;
|
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||||
|
ssl_session_tickets off;
|
||||||
|
{% endif %}
|
||||||
|
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||||
|
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|