Merge default server configs

TommyTran732 · Jan 3, 2025 · 275d68c · 275d68c
1 parent 1ade01c
commit 275d68c
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 38 deletions.
diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
@@ -1,3 +1,41 @@
+# Use http2
+http2 on;
+
+# Shared TLS configuration
+
+## Use strong ciphers
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
+ssl_conf_command Options PrioritizeChaCha;
+
+## Configure ssl session cache
+## Improves performance but we don't wanna keep this forever
+## Session ticket creation and rotation is handled by GrapheneOS's scripts:
+## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
+## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
+
+ssl_session_cache shared:SSL:10m; # About 40000 sessions
+ssl_session_timeout 1d;
+ssl_session_ticket_key session-ticket-keys/4.key;
+ssl_session_ticket_key session-ticket-keys/3.key;
+ssl_session_ticket_key session-ticket-keys/2.key;
+ssl_session_ticket_key session-ticket-keys/1.key;
+
+## Enable HSTS header
+
+proxy_hide_header Strict-Transport-Security;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+## The following settings need to be declared manually per vhost:
+# ssl_certificate
+# ssl_certificate_key
+# ssl_trusted_certificate
+# ssl_stapling_file
+
+# Disable server tokens
+server_tokens off;
+
 server {
     listen ipv4_1:80 default_server;
     listen [ipv6_1]:80 default_server;

diff --git a/etc/nginx/conf.d/http2.conf b/etc/nginx/conf.d/http2.conf
diff --git a/etc/nginx/conf.d/server_tokens.conf b/etc/nginx/conf.d/server_tokens.conf
diff --git a/etc/nginx/conf.d/tls.conf b/etc/nginx/conf.d/tls.conf
diff --git a/setup.sh b/setup.sh
@@ -122,10 +122,7 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
 
 # Download NGINX configs
 
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf > /dev/null
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/server_tokens.conf | sudo tee /etc/nginx/conf.d/server_tokens.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/default.conf | sudo tee /etc/nginx/conf.d/default.conf > /dev/null
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf > /dev/null
 
 sudo mkdir -p /etc/nginx/snippets
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null