web-proxy: add common TLS configuration

Add TLS configuration snippet shared between all web-proxies. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 10:05:20 +01:00 · 2023-02-05 10:05:20 +01:00 · 98ea861c13
commit 98ea861c13
parent 4581bd4a6a
1 changed files with 10 additions and 0 deletions
--- a/pillar/role/web-proxy.sls
+++ b/pillar/role/web-proxy.sls
@ -5,6 +5,16 @@ nginx:
    robots:
      - location /robots.txt:
        - root: /srv/www/htdocs
+    tls:
+      - ssl_session_timeout: 1d
+      - ssl_session_cache: shared:Lysergic:10m
+      - ssl_session_tickets: 'off'
+      - ssl_protocols: TLSv1.3
+      - ssl_prefer_server_ciphers: 'off'
+      - add_header: Strict-Transport-Security "max-age=63072000" always
+      - ssl_stapling: 'on'
+      - ssl_stapling_verify: 'on'
+      - ssl_trusted_certificate: /etc/ssl/ca-bundle.pem
    php-fastcgi:
      - 'location ~* \.php$':
        - fastcgi_index: index.php