From e8dbcceb428195be06b0c4794b0aff3c47d27127 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Fri, 27 May 2016 21:59:12 +0200
Subject: [PATCH] reverse: update ssl_params
---
 reverse/README.md | 6 +++++-
 reverse/ssl_params | 10 +++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/reverse/README.md b/reverse/README.md
index b14a4ae..ab9aaf7 100644
--- a/reverse/README.md
+++ b/reverse/README.md
@@ -40,4 +40,8 @@ It is required to chown your certs files with the right uid/pid and change the `
 #### How to use it?
 https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration
-Some configuration files located in `/conf.d` are already provided, you can use them with the `include` directive. `ssl_params_d.conf` and `headers_params_d.conf` provide strong security, please check before or make your own configuration files...
+Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive.
+
+- `ssl_params` : TLS (1.0, 1.1, 1.2), CHACHA20, AES 256/128. Nice balance between compatibility and security.
+- `headers_params` : HSTS (+ preload), XSS protection...
+- `proxy_params` : useful with `proxy_pass`.
diff --git a/reverse/ssl_params b/reverse/ssl_params
index d6bc9c2..7d516de 100644
--- a/reverse/ssl_params
+++ b/reverse/ssl_params
@@ -1,8 +1,8 @@
-ssl_protocols TLSv1.2;
-ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256”;
-ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ecdh_curve brainpoolP512r1:sect571r1:secp521r1:secp384r1;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
-ssl_session_cache shared:SSL:10m;
-ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 15m;
 ssl_session_tickets off;
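Review bot: The new `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line and the non-GCM suites appended to `ssl_ciphers` (the `-AES256-SHA`, `-AES128-SHA`, `-SHA256` and `-SHA384` CBC entries) re-enable protocol versions and HMAC-SHA1/CBC suites that the previous revision had deliberately excluded, and these are exactly what a TLS hardening scan reports first; the README calls this a compatibility trade-off, but the file itself does not say so. Suggest a comment above the `ssl_protocols` line such as `# TLSv1/TLSv1.1 and the CBC suites are kept only for legacy clients; remove them once no client needs them` so the next editor does not take this as the recommended baseline. The `-D` suffixed CHACHA20 entries look like draft suite names from patched OpenSSL builds; presumably a stock OpenSSL simply ignores unknown names in the list, which is harmless, but a short comment saying they are optional would avoid confusion. With `ssl_session_tickets off;` kept, the larger `shared:SSL:20m` cache and 15m timeout keep resumption in the server-side cache rather than in tickets, which is the safer of the two mechanisms, so no change is needed there.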