add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
<% end -%>
+ # Requests sent within early data are subject to replay attacks.
+ # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+ ssl_early_data on;
+
root "/srv/<%= @name %>";
gzip on;
server_tokens off;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers <%= node[:ssl][:openssl_ciphers] -%>;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 30m;
+
ssl_stapling on;
# Validate the stapling response is signed by a trusted certificate
ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem;
ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key;
+ # Requests sent within early data are subject to replay attacks.
+ # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+ ssl_early_data on;
+
# Immediately 404 layers we do not support
<% for i in 20..99 do %>
location /<%= i %>/ {
projects / chef.git / commitdiff