SSL CONFIG FOR NGINX (GNU/LINUX DEBIAN BUSTER)

Here is the configuration needed for good HTTPS security. The file “ssl.conf” goes in the “/etc/nginx/conf.d/” directory:

# We track the Mozilla compatibility TLS recommendations.
# Note that these settings are repeated in the SMTP and IMAP configuration.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
# off: honour the client's cipher preference order instead of the server's
ssl_prefer_server_ciphers off;
# openssl dhparam -out /etc/nginx/ssl/dh4096.pem 4096
ssl_dhparam /etc/nginx/ssl/dh4096.pem;
ssl_ecdh_curve secp384r1;
# http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_session_tickets off;
ssl_session_cache shared:SSL:20m; # around 70000 sessions
ssl_session_timeout 1d;
# Buffer size of 1400 bytes fits in one MTU.
# nginx 1.5.9+ ONLY
ssl_buffer_size 1400;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
# with use of ca-certificates Gnu/Linux Debian package
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ISRG_Root_X1.pem;
# only allow TLS 1.2 and TLS 1.3: SSLv3 (enabled by default since nginx 0.8.19),
# TLS 1.0 and TLS 1.1 are less secure than current TLS and are disabled here
ssl_protocols TLSv1.2 TLSv1.3;
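A small policy checker for a fragment like the one above, added here as an example and not part of the original post. It parses nginx `ssl_*` directives and reports anything that falls short of the page's policy (TLS 1.2/1.3 only, OCSP stapling with verification, session tickets off, only (EC)DHE AES suites). The cipher check matters because OpenSSL silently drops a mistyped suite name from `ssl_ciphers`, so nginx starts cleanly with fewer suites than intended; the `STRONG_SUITE` pattern and the two sample configurations are constructed for this example.

```python
"""Policy checker for nginx ssl.conf fragments (added example, not the page's own tooling)."""
import re

# Policy derived from the configuration shown on the page.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Every suite the page lists is an (EC)DHE + AES-GCM/SHA-2 suite; any name that does not
# have this shape is either a typo (silently ignored by OpenSSL) or a weaker cipher.
# Constructed pattern for this example, not an OpenSSL API.
STRONG_SUITE = re.compile(
    r"^(ECDHE|DHE)-(ECDSA|RSA)-AES(128|256)-(GCM-SHA(256|384)|SHA(256|384))$"
)


def parse_directives(text):
    """Return {directive: [args]} for an nginx config fragment.

    Comments ('#' to end of line) are stripped first; each directive ends with ';'.
    """
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    directives = {}
    for statement in stripped.split(";"):
        parts = statement.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def check_policy(text):
    """Return a list of findings; an empty list means the fragment meets the policy."""
    d = parse_directives(text)
    findings = []

    protos = set(d.get("ssl_protocols", []))
    if not protos:
        findings.append("ssl_protocols is not set explicitly")
    elif protos - ALLOWED_PROTOCOLS:
        findings.append(f"legacy protocols enabled: {sorted(protos - ALLOWED_PROTOCOLS)}")

    for name in ":".join(d.get("ssl_ciphers", [])).split(":"):
        if name and not STRONG_SUITE.match(name):
            findings.append(f"cipher suite outside the allowed shape (typo or weak): {name}")

    if d.get("ssl_session_tickets") != ["off"]:
        findings.append("ssl_session_tickets should be off")
    if d.get("ssl_stapling") != ["on"] or d.get("ssl_stapling_verify") != ["on"]:
        findings.append("ssl_stapling and ssl_stapling_verify should both be on")
    if d.get("ssl_stapling_verify") == ["on"] and "ssl_trusted_certificate" not in d:
        findings.append("ssl_stapling_verify on requires ssl_trusted_certificate")
    return findings


# Constructed sample: the page's fragment, as it should read.
GOOD_CONF = """
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# openssl dhparam -out /etc/nginx/ssl/dh4096.pem 4096
ssl_dhparam /etc/nginx/ssl/dh4096.pem;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_session_cache shared:SSL:20m; # around 70000 sessions
ssl_session_timeout 1d;
ssl_buffer_size 1400;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ISRG_Root_X1.pem;
ssl_protocols TLSv1.2 TLSv1.3;
"""

# Constructed sample with a legacy protocol, a mistyped suite ("ES256" instead of
# "AES256"), tickets on and stapling without verification.
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-ES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_session_tickets on;
ssl_stapling on;
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(label, check_policy(conf) or "OK")
```

Run it against `/etc/nginx/conf.d/ssl.conf` by reading the file into `check_policy`; it only inspects the `ssl_*` directives, so any other directives in the file are ignored.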
