stack updated and improved
linux var optim improved nginx conf improved wp security improved MariaDB 10.3 upgraded
This commit is contained in:
parent
7b89b1d98d
commit
40a7eb27d6
|
@ -135,15 +135,15 @@ pre_install() {
|
|||
mysql_client_install() {
|
||||
api-events_update im2
|
||||
local osname=$(check_osname)
|
||||
# Cases with MariaDB v10.2 support
|
||||
# Cases with MariaDB v10.3 support
|
||||
case "$osname" in
|
||||
"trusty")
|
||||
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db
|
||||
sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.2/ubuntu $osname main"
|
||||
sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.3/ubuntu $osname main"
|
||||
;;
|
||||
"xenial"|"zesty"|"artful"|"bionic")
|
||||
"xenial"|"artful"|"bionic"|"cosmic")
|
||||
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
|
||||
sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.2/ubuntu $osname main"
|
||||
sudo add-apt-repository "deb [arch=amd64,i386,ppc64el] http://mirrors.syringanetworks.net/mariadb/repo/10.3/ubuntu $osname main"
|
||||
;;
|
||||
esac
|
||||
pre_install
|
||||
|
|
62
lib/install
62
lib/install
|
@ -3,11 +3,11 @@ source /opt/webinoly/lib/general
|
|||
|
||||
|
||||
app_version() {
|
||||
local app_ver="1.6.2"
|
||||
local app_ver="1.7.0-beta"
|
||||
echo $app_ver
|
||||
}
|
||||
svr_version() {
|
||||
local ser_ver="1.2"
|
||||
local ser_ver="1.3"
|
||||
echo $ser_ver
|
||||
}
|
||||
|
||||
|
@ -76,51 +76,6 @@ LimitNOFILE=$nginxfd" | tee -a /etc/systemd/system/nginx.service.d/nofile_limit.
|
|||
#echo "tmpfs /var/run/nginx-cache tmpfs size=${cacheram}M,mode=0744,uid=www-data,gid=www-data 0 0" | sudo tee -a /etc/fstab
|
||||
#sudo mount /var/run/nginx-cache
|
||||
|
||||
sudo echo "# WebinolyStart - Don't delete
|
||||
fs.file-max = $newfd
|
||||
fs.nr_open=12000000
|
||||
vm.min_free_kbytes=65536
|
||||
net.core.somaxconn = 65536
|
||||
net.core.wmem_max=16777216
|
||||
net.core.rmem_max=16777216
|
||||
net.core.netdev_max_backlog=8192
|
||||
net.core.optmem_max=8192
|
||||
net.ipv4.ip_local_port_range=1024 65535
|
||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
net.ipv4.tcp_max_tw_buckets = 1440000
|
||||
net.ipv4.tcp_window_scaling = 1
|
||||
net.ipv4.tcp_max_syn_backlog = 3240000
|
||||
net.ipv4.tcp_rmem=8192 87380 16777216
|
||||
net.ipv4.tcp_wmem=8192 65536 16777216
|
||||
net.ipv4.tcp_fin_timeout=10
|
||||
net.ipv4.tcp_keepalive_intvl=30
|
||||
net.ipv4.tcp_keepalive_probes=3
|
||||
net.ipv4.tcp_keepalive_time=240
|
||||
net.ipv4.tcp_sack=1
|
||||
net.ipv4.tcp_syn_retries=3
|
||||
net.ipv4.tcp_synack_retries = 2
|
||||
net.ipv4.tcp_tw_recycle = 0
|
||||
net.ipv4.tcp_tw_reuse = 0
|
||||
net.ipv4.tcp_slow_start_after_idle=0
|
||||
net.ipv4.tcp_rfc1337=1
|
||||
net.ipv4.tcp_challenge_ack_limit = 999999999
|
||||
net.ipv4.tcp_mtu_probing = 1
|
||||
net.ipv4.tcp_base_mss = 1024
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.all.accept_source_route = 0
|
||||
net.ipv4.conf.all.log_martians = 1
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.conf.all.secure_redirects = 0
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.default.accept_source_route = 0
|
||||
net.ipv4.conf.default.log_martians = 1
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
net.ipv4.conf.default.secure_redirects = 0
|
||||
net.ipv4.conf.default.send_redirects = 0
|
||||
# WebinolyEnd" | tee -a /etc/sysctl.conf
|
||||
|
||||
# https://www.cyberciti.biz/faq/linux-increase-the-maximum-number-of-open-files/
|
||||
# https://ospi.fi/blog/centos-7-raise-nofile-limit-for-nginx.html
|
||||
# https://www.masv.io/boost-nginx-connection-limits/
|
||||
|
@ -132,6 +87,15 @@ net.ipv4.conf.default.send_redirects = 0
|
|||
sudo sed -i '/End of file/i \* - nofile 4096' /etc/security/limits.conf
|
||||
sudo sed -i "/End of file/i \# WebinolyEnd" /etc/security/limits.conf
|
||||
|
||||
sudo cat /opt/webinoly/templates/general/sysctl >> /etc/sysctl.conf
|
||||
# BBR is only valid in kernel > v4.9, bionic is at least 4.15
|
||||
if [[ $(check_osname) == "bionic" ]]; then
|
||||
sudo modprobe tcp_bbr
|
||||
else
|
||||
sudo sed -i '/tcp_congestion_control/s/^/#/' /etc/sysctl.conf
|
||||
sudo sed -i '/tcp_notsent_lowat/s/^/#/' /etc/sysctl.conf
|
||||
fi
|
||||
|
||||
swap_create
|
||||
set_timezone
|
||||
|
||||
|
@ -506,7 +470,6 @@ swap_delete() {
|
|||
sudo swapoff -a -v > /dev/null
|
||||
sudo rm /swapfile
|
||||
sudo sed -i '/\/swapfile/d' /etc/fstab
|
||||
sudo sed -i '/vm.swappiness/d' /etc/sysctl.conf
|
||||
conf_delete swap-owner
|
||||
api-events_update pn10
|
||||
fi
|
||||
|
@ -566,9 +529,6 @@ swap_create() {
|
|||
|
||||
sudo sed -i "/LABEL.*/a \/swapfile none swap sw 0 0" /etc/fstab
|
||||
|
||||
echo 10 | sudo tee /proc/sys/vm/swappiness
|
||||
echo vm.swappiness = 10 | sudo tee -a /etc/sysctl.conf
|
||||
|
||||
# Swap created by Webinoly - so we should remove it in uninstall
|
||||
conf_write swap-owner webinoly
|
||||
|
||||
|
|
|
@ -298,7 +298,11 @@ elif [[ $opt == "-html" || $opt == "-nginx" ]]; then
|
|||
if [[ $(conf_read nginx) != "true" ]]; then
|
||||
nginx_install
|
||||
nginx_optim
|
||||
[[ $arg != "-notools" ]] && nginx_tool
|
||||
[[ $arg != "-notools" ]] && nginx_tool
|
||||
|
||||
# By default Yoast Plugin support is enabled
|
||||
webinoly -yoast-sitemap=on
|
||||
|
||||
echo ""
|
||||
echo "${gre}Nginx has been successfully Optimized by Webinoly! ${end}"
|
||||
echo ""
|
||||
|
|
|
@ -0,0 +1,268 @@
|
|||
|
||||
|
||||
# WebinolyStart - Don't delete
|
||||
# Based on Michiel Klaver kernel sysctl configuration file for Linux - http://klaver.it/linux/ (v1.13)
|
||||
|
||||
###
|
||||
### GENERAL SYSTEM SECURITY OPTIONS ###
|
||||
###
|
||||
|
||||
# Controls the System Request debugging functionality of the kernel
|
||||
kernel.sysrq = 0
|
||||
|
||||
# Controls whether core dumps will append the PID to the core filename.
|
||||
# Useful for debugging multi-threaded applications.
|
||||
kernel.core_uses_pid = 1
|
||||
|
||||
#Allow for more PIDs
|
||||
kernel.pid_max = 65535
|
||||
|
||||
# The contents of /proc/<pid>/maps and smaps files are only visible to
|
||||
# readers that are allowed to ptrace() the process
|
||||
#kernel.maps_protect = 1
|
||||
|
||||
#Enable ExecShield protection
|
||||
#kernel.exec-shield = 1
|
||||
kernel.randomize_va_space = 2
|
||||
|
||||
# Controls the maximum size of a message, in bytes
|
||||
kernel.msgmnb = 65535
|
||||
|
||||
# Controls the default maxmimum size of a mesage queue
|
||||
kernel.msgmax = 65535
|
||||
|
||||
# Restrict core dumps
|
||||
fs.suid_dumpable = 0
|
||||
|
||||
# Hide exposed kernel pointers
|
||||
kernel.kptr_restrict = 1
|
||||
|
||||
|
||||
|
||||
###
|
||||
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
|
||||
###
|
||||
|
||||
# Increase size of file handles and inode cache
|
||||
fs.file-max = 147433
|
||||
|
||||
# Do less swapping
|
||||
vm.swappiness = 10
|
||||
vm.dirty_ratio = 10
|
||||
vm.dirty_background_ratio = 5
|
||||
|
||||
# specifies the minimum virtual address that a process is allowed to mmap
|
||||
vm.mmap_min_addr = 4096
|
||||
|
||||
# 50% overcommitment of available memory
|
||||
vm.overcommit_ratio = 50
|
||||
vm.overcommit_memory = 0
|
||||
|
||||
# Set maximum amount of memory allocated to shm to 256MB
|
||||
kernel.shmmax = 268435456
|
||||
kernel.shmall = 268435456
|
||||
|
||||
# Keep at least 64MB of free RAM space available
|
||||
vm.min_free_kbytes = 65535
|
||||
|
||||
|
||||
|
||||
###
|
||||
### GENERAL NETWORK SECURITY OPTIONS ###
|
||||
###
|
||||
|
||||
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
net.ipv4.tcp_syn_retries = 2
|
||||
net.ipv4.tcp_synack_retries = 2
|
||||
net.ipv4.tcp_max_syn_backlog = 4096
|
||||
|
||||
# Disables packet forwarding
|
||||
net.ipv4.ip_forward = 0
|
||||
net.ipv4.conf.all.forwarding = 0
|
||||
net.ipv4.conf.default.forwarding = 0
|
||||
net.ipv6.conf.all.forwarding = 0
|
||||
net.ipv6.conf.default.forwarding = 0
|
||||
|
||||
# Disables IP source routing
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.default.send_redirects = 0
|
||||
net.ipv4.conf.all.accept_source_route = 0
|
||||
net.ipv4.conf.default.accept_source_route = 0
|
||||
net.ipv6.conf.all.accept_source_route = 0
|
||||
net.ipv6.conf.default.accept_source_route = 0
|
||||
|
||||
# Enable IP spoofing protection, turn on source route verification
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
|
||||
# Disable ICMP Redirect Acceptance
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.all.secure_redirects = 0
|
||||
net.ipv4.conf.default.secure_redirects = 0
|
||||
net.ipv6.conf.all.accept_redirects = 0
|
||||
net.ipv6.conf.default.accept_redirects = 0
|
||||
|
||||
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
|
||||
net.ipv4.conf.all.log_martians = 1
|
||||
net.ipv4.conf.default.log_martians = 1
|
||||
|
||||
# Decrease the time default value for tcp_fin_timeout connection
|
||||
net.ipv4.tcp_fin_timeout = 7
|
||||
|
||||
# Decrease the time default value for connections to keep alive
|
||||
net.ipv4.tcp_keepalive_time = 300
|
||||
net.ipv4.tcp_keepalive_probes = 5
|
||||
net.ipv4.tcp_keepalive_intvl = 15
|
||||
|
||||
# Don't relay bootp
|
||||
net.ipv4.conf.all.bootp_relay = 0
|
||||
|
||||
# Don't proxy arp for anyone
|
||||
net.ipv4.conf.all.proxy_arp = 0
|
||||
|
||||
# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
|
||||
net.ipv4.tcp_timestamps = 1
|
||||
|
||||
# Don't ignore directed pings
|
||||
net.ipv4.icmp_echo_ignore_all = 0
|
||||
|
||||
# Enable ignoring broadcasts request
|
||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
|
||||
# Enable bad error message Protection
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
|
||||
# Allowed local port range
|
||||
net.ipv4.ip_local_port_range = 16384 65535
|
||||
|
||||
# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
|
||||
net.ipv4.tcp_rfc1337 = 1
|
||||
|
||||
# Do not auto-configure IPv6
|
||||
net.ipv6.conf.all.autoconf=0
|
||||
net.ipv6.conf.all.accept_ra=0
|
||||
net.ipv6.conf.default.autoconf=0
|
||||
net.ipv6.conf.default.accept_ra=0
|
||||
net.ipv6.conf.eth0.autoconf=0
|
||||
net.ipv6.conf.eth0.accept_ra=0
|
||||
|
||||
|
||||
|
||||
###
|
||||
### TUNING NETWORK PERFORMANCE ###
|
||||
###
|
||||
|
||||
# For high-bandwidth low-latency networks, use 'bbr' congestion control (kernel > 4.9)
|
||||
# Only enabled in bionic (at least v4.15)
|
||||
# Do a 'sudo modprobe tcp_bbr' first
|
||||
net.ipv4.tcp_congestion_control = bbr
|
||||
net.ipv4.tcp_notsent_lowat = 16384
|
||||
|
||||
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
|
||||
net.core.default_qdisc = fq
|
||||
|
||||
# Turn on the tcp_window_scaling
|
||||
net.ipv4.tcp_window_scaling = 1
|
||||
|
||||
# Increase the read-buffer space allocatable
|
||||
net.ipv4.tcp_rmem = 8192 87380 16777216
|
||||
net.ipv4.udp_rmem_min = 16384
|
||||
net.core.rmem_default = 262144
|
||||
net.core.rmem_max = 16777216
|
||||
|
||||
# Increase the write-buffer-space allocatable
|
||||
net.ipv4.tcp_wmem = 8192 65536 16777216
|
||||
net.ipv4.udp_wmem_min = 16384
|
||||
net.core.wmem_default = 262144
|
||||
net.core.wmem_max = 16777216
|
||||
|
||||
# Increase number of incoming connections
|
||||
net.core.somaxconn = 32768
|
||||
|
||||
# Increase number of incoming connections backlog
|
||||
net.core.netdev_max_backlog = 16384
|
||||
net.core.dev_weight = 64
|
||||
|
||||
# Increase the maximum amount of option memory buffers
|
||||
net.core.optmem_max = 65535
|
||||
|
||||
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
|
||||
net.ipv4.tcp_max_tw_buckets = 1440000
|
||||
|
||||
# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
|
||||
#net.ipv4.tcp_tw_recycle = 0
|
||||
net.ipv4.tcp_tw_reuse = 1
|
||||
|
||||
# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
|
||||
net.ipv4.tcp_max_orphans = 16384
|
||||
net.ipv4.tcp_orphan_retries = 0
|
||||
|
||||
# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
|
||||
net.ipv4.ipfrag_low_thresh = 196608
|
||||
net.ipv6.ip6frag_low_thresh = 196608
|
||||
net.ipv4.ipfrag_high_thresh = 262144
|
||||
net.ipv6.ip6frag_high_thresh = 262144
|
||||
|
||||
|
||||
# don't cache ssthresh from previous connection
|
||||
net.ipv4.tcp_no_metrics_save = 1
|
||||
net.ipv4.tcp_moderate_rcvbuf = 1
|
||||
|
||||
# Increase size of RPC datagram queue length
|
||||
net.unix.max_dgram_qlen = 50
|
||||
|
||||
# Don't allow the arp table to become bigger than this
|
||||
net.ipv4.neigh.default.gc_thresh3 = 2048
|
||||
|
||||
# Tell the gc when to become aggressive with arp table cleaning.
|
||||
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
|
||||
net.ipv4.neigh.default.gc_thresh2 = 1024
|
||||
|
||||
# Adjust where the gc will leave arp table alone - set to 32.
|
||||
net.ipv4.neigh.default.gc_thresh1 = 32
|
||||
|
||||
# Adjust to arp table gc to clean-up more often
|
||||
net.ipv4.neigh.default.gc_interval = 30
|
||||
|
||||
# Increase TCP queue length
|
||||
net.ipv4.neigh.default.proxy_qlen = 96
|
||||
net.ipv4.neigh.default.unres_qlen = 6
|
||||
|
||||
# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
|
||||
net.ipv4.tcp_ecn = 1
|
||||
net.ipv4.tcp_reordering = 3
|
||||
|
||||
# How many times to retry killing an alive TCP connection
|
||||
net.ipv4.tcp_retries2 = 15
|
||||
net.ipv4.tcp_retries1 = 3
|
||||
|
||||
# Avoid falling back to slow start after a connection goes idle
|
||||
# keeps our cwnd large with the keep alive connections (kernel > 3.6)
|
||||
net.ipv4.tcp_slow_start_after_idle = 0
|
||||
|
||||
# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
|
||||
net.ipv4.tcp_fastopen = 3
|
||||
|
||||
# This will enusre that immediatly subsequent connections use the new values
|
||||
net.ipv4.route.flush = 1
|
||||
net.ipv6.route.flush = 1
|
||||
|
||||
|
||||
###
|
||||
### CUSTOM ###
|
||||
###
|
||||
|
||||
fs.nr_open=12000000
|
||||
net.ipv4.tcp_sack=1
|
||||
net.ipv4.tcp_mtu_probing = 1
|
||||
net.ipv4.tcp_base_mss = 1024
|
||||
net.ipv4.tcp_challenge_ack_limit = 999999999
|
||||
net.ipv6.conf.default.router_solicitations = 0
|
||||
net.ipv6.conf.default.accept_ra_rtr_pref = 0
|
||||
net.ipv6.conf.default.accept_ra_pinfo = 0
|
||||
net.ipv6.conf.default.accept_ra_defrtr = 0
|
||||
net.ipv6.conf.default.dad_transmits = 0
|
||||
net.ipv6.conf.default.max_addresses = 1
|
||||
# WebinolyEnd
|
|
@ -1,10 +1,10 @@
|
|||
# PHP NGINX CONFIGURATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
try_files $uri $uri/ /index.php?$args $uri =404;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php;
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php;
|
||||
}
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
# https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html
|
||||
location /wp-admin {
|
||||
location ~ /wp-admin/admin-ajax.php$ {
|
||||
limit_req zone=wp burst=6 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php;
|
||||
}
|
||||
|
@ -34,21 +35,6 @@ location /wp-content/uploads/ {
|
|||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# YoastSitemapStart - Yoast SEO Plugin
|
||||
location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ {
|
||||
rewrite ^(.*)/sitemap\.xml$ $1/sitemap_index.xml permanent;
|
||||
rewrite ^.*/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last;
|
||||
# Rules for yoast sitemap with wp|wpsubdir|wpsubdomain
|
||||
rewrite ^.*/sitemap_index\.xml$ /index.php?sitemap=1 last;
|
||||
rewrite ^.*/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
|
||||
# Following lines are optional. Needed for Yoast Premium.
|
||||
rewrite ^.*/news_sitemap\.xml$ /index.php?sitemap=wpseo_news last;
|
||||
rewrite ^.*/locations\.kml$ /index.php?sitemap=wpseo_local_kml last;
|
||||
rewrite ^.*/geo_sitemap\.xml$ /index.php?sitemap=wpseo_local last;
|
||||
rewrite ^.*/video-sitemap\.xsl$ /index.php?xsl=video last;
|
||||
access_log off;
|
||||
}
|
||||
# YoastSitemapEnd
|
|
@ -16,7 +16,7 @@ if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|wp-.*.php|index.php|/feed/|.*sitema
|
|||
}
|
||||
|
||||
# Don't use the cache for logged in users or recent commenter or customer with items in cart
|
||||
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|[a-z0-9]+_items_in_cart") {
|
||||
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|[a-z0-9]+_items_in_cart|[a-z0-9]+_cart_hash") {
|
||||
set $skip_cache 1;
|
||||
}
|
||||
|
||||
|
|
|
@ -32,6 +32,7 @@ http {
|
|||
open_file_cache max=30000 inactive=1m;
|
||||
|
||||
types_hash_max_size 2048;
|
||||
server_names_hash_max_size 2048;
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
|
@ -48,12 +49,15 @@ http {
|
|||
##
|
||||
|
||||
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
ssl_buffer_size 4k;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_timeout 10m;
|
||||
ssl_session_cache shared:SSL:20m;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_dhparam /etc/ssl/dhparam.pem;
|
||||
ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT';
|
||||
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
|
||||
# WebinolySSLstart
|
||||
ssl on;
|
||||
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
|
||||
ssl_stapling on;
|
||||
|
|
Loading…
Reference in New Issue