reverse: update ssl_params

reverse/README.md

@@ -40,4 +40,8 @@ It is required to chown your certs files with the right uid/pid and change the `
 #### How to use it?
 https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration
 
-Some configuration files located in `/conf.d` are already provided, you can use them with the `include` directive. `ssl_params_d.conf` and `headers_params_d.conf` provide strong security, please check before or make your own configuration files...
+Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive.
+
+- `ssl_params` : TLS (1.0, 1.1, 1.2), CHACHA20, AES 256/128. Nice balance between compatibility and security.
+- `headers_params` : HSTS (+ preload), XSS protection...
+- `proxy_params` : useful with `proxy_pass`.

reverse/ssl_params

@@ -1,8 +1,8 @@
-ssl_protocols TLSv1.2;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256”;
-ssl_prefer_server_ciphers on;
 ssl_ecdh_curve brainpoolP512r1:sect571r1:secp521r1:secp384r1;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
 
-ssl_session_cache shared:SSL:10m;
+ssl_session_cache shared:SSL:20m;
-ssl_session_timeout 5m;
+ssl_session_timeout 15m;
 ssl_session_tickets off;