| author | EuAndreh <eu@euandre.org> | 2023-09-19 05:48:19 -0300 |
|---|---|---|
| committer | EuAndreh <eu@euandre.org> | 2023-09-19 05:48:19 -0300 |
| commit | 4ba7866b3ff3cda05a7bebedc052b647b75c91bc (patch) | |
| tree | 21d01bc3e4ecc38a6dc835985da4cbb82a2e6ed1 | |
| parent | system.scm: Add CAA record config to knot (diff) | |
| download | toph-4ba7866b3ff3cda05a7bebedc052b647b75c91bc.tar.gz, toph-4ba7866b3ff3cda05a7bebedc052b647b75c91bc.tar.xz | |
system.scm: Enforce forward-secrecy cyphers on nginx
Notes
See CI logs with:
git notes --ref=refs/notes/ci-logs show 4ba7866b3ff3cda05a7bebedc052b647b75c91bc
git notes --ref=refs/notes/ci-data show 4ba7866b3ff3cda05a7bebedc052b647b75c91bc
Exit status: 0
Duration: 18
-rw-r--r-- | src/infrastructure/guix/system.scm | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/infrastructure/guix/system.scm b/src/infrastructure/guix/system.scm index 3c77f89..7e1e04b 100644 --- a/src/infrastructure/guix/system.scm +++ b/src/infrastructure/guix/system.scm @@ -417,6 +417,8 @@ # BearSSL still doesn't TLSv1.3, so we deem TLSv1.2 as # acceptable ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH; + ssl_prefer_server_ciphers on; gzip off; # Disable compression altogether due to BREACH include /opt/secrets/nginx.conf.txt; charset utf-8; |
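Review bot: the `EDH+AESGCM` and `AES256+EDH` groups in the new `ssl_ciphers` line are inert unless `ssl_dhparam` is set somewhere (nginx documents that DHE suites are not used when no DH parameters are configured); since nothing in this hunk sets it and the included `/opt/secrets/nginx.conf.txt` is not visible here, either add `ssl_dhparam` or drop the `EDH` entries so the list says what it does. Two further points on the same line: `AES256+EECDH` and `AES256+EDH` pull in the CBC/SHA-1-MAC suites alongside the GCM ones already selected by the first two groups, so if GCM-only was the intent those two groups should go; and `ssl_ciphers` governs TLSv1.2 only, with the TLSv1.3 suites (all forward-secret) chosen separately, which is worth a one-line comment next to the existing `# BearSSL still doesn't TLSv1.3` note so a later reader does not expect this list to constrain 1.3. A comment stating that `ssl_prefer_server_ciphers on;` is what makes the forward-secrecy-first ordering win over the client's preference would also help. Finally, the expansion can be checked before merging with `openssl ciphers -v 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'`, and the result should be compared against what the BearSSL client mentioned in the comment above actually negotiates.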