PrivSec-dev/privsec.dev
1
0
Fork 0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-09-28 13:34:42 -04:00
Code

Update Cipher configuration (#118)

Browse Source 
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2023-04-15 05:57:23 -04:00 committed by GitHub
parent 0a1bd622ee
commit a93e35a979
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
content/posts/linux/Slightly Improving Mailcow Security.md
View File

@ -32,12 +32,16 @@ These security configurations can be added/modified in `data/conf/nginx/includes
### SSL Ciphers
Consider only supporting ciphers matching that of TLSv1.3:
Consider only supporting strong ciphers:
```
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
```
And prioritize ChaCha ciphers:
```
ssl_conf_command Options PrioritizeChaCha;
```
### HSTS
Consider adding `includeSubDomains;` and `preload;` to the HSTS configuration if all of your services are using HTTPS: