SSL improvements (default ciphers & caching), server_tokens option, and proxy_set_headers for vhosts #48
… revocation list if the certificate includes the intermediate layer to identify the trusted source
❤️ Thanks for the code!
Woah, I changed a few defaults in later commits that you probably do not want to have as default. Probably my fault, I thought the pull request was just for the first commit rather than the latter ones. The code is fine, it's just the defaults should be more cautious than what I'm using (to spare you support headaches). To fix, in params.pp you would want: Those are the safe defaults. Reasons:
My apologies for the trouble. The rest is good though. Defaults should just be cautious.
No worries. Thanks for the heads up. I've gone ahead and modified
I would like to enable spdy, but can't find a way to set nx_spdy = on, because I can't pass the value into the nginx-class. Could you give me any hint how I can enable it?
@nlsrchtr Right now, the only way to do this is to set the bit in
This is a backwards compatible set of changes.
Changed the default ciphers for SSL to be more secure (the ones in use were vulnerable to the BEAST attack)
Added SSL caching to speed up SSL requests
Add server_tokens to the global config so this can be turned on|off between dev and prod
Add proxy_set_header to vhost as different vhosts may require different headers and the global setting is not ideal
Minor space formatting so that the generated files are fractionally more readable