.pt + TLSv1.3

2019-11-04 20:52:15 +01:00
parent acefb9083f
commit b740e1a7f1
2 changed files with 5 additions and 4 deletions
--- a/roles/nginx/templates/nginx.ssl.conf.j2
+++ b/roles/nginx/templates/nginx.ssl.conf.j2
@@ -10,12 +10,12 @@
 	ssl_dhparam /etc/nginx/dhparam.pem;

 	# intermediate configuration. tweak to your needs.
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
-	ssl_prefer_server_ciphers on;
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+	ssl_prefer_server_ciphers off;

 	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-	add_header Strict-Transport-Security max-age=15768000;
+	add_header Strict-Transport-Security "max-age=15768000" always;

 	# OCSP Stapling ---
 	# fetch OCSP records from URL in ssl_certificate and cache them
--- a/roles/spamassassin/files/local.cf
+++ b/roles/spamassassin/files/local.cf
@@ -67,6 +67,7 @@ score		LOCAL_BITCOIN	10.0
 whitelist_from *@chichiclothing.com

 # Blacklist manuel
+blacklist_from *@innov-xxi.pt
 blacklist_from *@bbh-mitglied.de
 blacklist_from *@bitersat.de
 blacklist_from *@massmarte.eu