From e03dc3956f8c7c20914775ca1aca19decf61b616 Mon Sep 17 00:00:00 2001 From: Peter Dave Hello Date: Fri, 20 Aug 2021 15:15:07 +0800 Subject: [PATCH] Disable nginx ssl_session_tickets for better security (#16632) It's default turned on, but it's better to turn it off for security reason. Reference: - https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets - https://github.com/mozilla/server-side-tls/issues/135 --- dist/nginx.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/dist/nginx.conf b/dist/nginx.conf index a0429d2aa4..2b260f33c8 100644 --- a/dist/nginx.conf +++ b/dist/nginx.conf @@ -31,6 +31,7 @@ server { ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; # Uncomment these lines once you acquire a certificate: # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;