# Managed by Ansible
#
# TLS hardening plus default security headers. Meant to be included from the
# http context: `map` is only valid there, and the ssl_* directives below apply
# to every server block that does not override them.

# Resumption through the server-side session cache only. Tickets are off so
# resumption does not depend on a static ticket key.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# TLS 1.2 and 1.3 only. The cipher list applies to TLS 1.2 (1.3 suites are fixed
# by OpenSSL): ephemeral (EC)DH with AES-GCM. ssl_prefer_server_ciphers is not
# set here, so for TLS 1.2 the client's preference order is used.
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# A single pinned group. This excludes X25519, which most clients offer first,
# so they must fall back to secp384r1 — TODO confirm a single curve is intended
# rather than a list (e.g. X25519:secp384r1, OpenSSL 1.0.2+).
ssl_ecdh_curve secp384r1;

# fetch OCSP records from URL in ssl_certificate and cache them
# NOTE(review): stapling needs a `resolver` to reach the OCSP responder, and
# ssl_stapling_verify needs the issuer chain via `ssl_trusted_certificate`.
# Neither appears in this file; confirm the including config supplies them,
# otherwise nginx logs a warning and serves without a stapled response.
ssl_stapling on;
ssl_stapling_verify on;

# DH group used by the EDH ciphers above; the path comes from the Ansible role.
ssl_dhparam {{ dhparam_path }};

# Security Headers
# Add secure header values if not set upstream
# Each map produces the default only when the upstream response did not send the
# header. When upstream did send it the variable is empty, and add_header skips
# an empty value, so the upstream header passes through untouched. The
# add_header directives that consume these variables are defined elsewhere.
map $upstream_http_referrer_policy $referrerpolicy {'' no-referrer;}
map $upstream_http_strict_transport_security $sts {'' "max-age=63072000; includeSubDomains; preload"; }
map $upstream_http_x_content_type_options $xcontentoptions {'' nosniff;}
# X-XSS-Protection is deprecated: current browsers ignore it and the old
# auditor it enabled had known leak issues, so "0" or omitting the header is
# the usual recommendation now. Left unchanged to preserve existing behaviour.
map $upstream_http_x_xss_protection $xxssprotection {'' "1; mode=block";}
map $upstream_http_x_frame_options $xframeoptions {'' SAMEORIGIN;}