Merge branch 'fix_ssl_ciphers' of 'https://github.com/zhquan/bap-deployment-toolkit'

sduenas · web-flow · commit 7a1930860c86 · 2025-04-10T18:50:15.000+02:00
Merges #118 Closes #118
diff --git a/ansible/roles/nginx/templates/vhost.j2 b/ansible/roles/nginx/templates/vhost.j2
@@ -19,8 +19,9 @@ server {
     ssl_certificate_key /etc/ssl/certbot_certs/live/{{ instance.nginx.fqdn }}/privkey.pem;
 {% endif %}
     ssl_protocols TLSv1.3 TLSv1.2;
-    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
-    ssl_prefer_server_ciphers on;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
+    ssl_prefer_server_ciphers off;
     ssl_stapling on;
     ssl_stapling_verify on;
     ssl_session_cache shared:SSL:10m;
