SSL improvements (default ciphers & caching), server_tokens option, and proxy_set_headers for vhosts #48
Conversation
more secure
Added SSL caching to speed up SSL requests
Add server_tokens to the global config so this can be turned on|off
between dev and prod
Add proxy_set_header to vhost as different vhosts may require different
headers and the global setting is not ideal
Minor space formatting so that the generated files are fractionally
more readable
… revocation list if the certificate includes the intermediate layer to identify the trusted source
SSL improvements (default ciphers & caching), server_tokens option, and proxy_set_headers for vhosts
|
❤️ Thanks for the code! |
|
Woah, I changed a few defaults in later commits that you probably do not want to have as default. Probably my fault, I thought the pull request was just for the first commit rather than the latter ones. The code is fine, it's just the defaults should be more cautious than what I'm using (to spare you support headaches). To fix, in params.pp you would want: Those are the safe defaults. Reasons:
My apologies for the trouble. The rest is good though. Defaults should just be cautious. |
|
No worries. Thanks for the heads up. I've gone ahead and modified |
|
I would like to enable spdy, but can't find a way to set nx_spdy = on, because I can't pass the value into the nginx-class. Could you give me any hint how I can enable it? |
|
@nlsrchtr Right now, the only way to do this is to set the bit in |
This is a backwards compatible set of changes.
Changed the default ciphers for SSL to be more secure (the ones in use were vulnerable to the BEAST attack)
Added SSL caching to speed up SSL requests
Add server_tokens to the global config so this can be turned on|off between dev and prod
Add proxy_set_header to vhost as different vhosts may require different headers and the global setting is not ideal
Minor space formatting so that the generated files are fractionally more readable