Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: Update SSL cipher preference for TLSv1.3 + Also if the TLSv1.3 isn't part of the configured SSL_PROTOCOLS, then HTTP3 is disabled to avoid configuration errors

Browse source 
This commit updates the SSL cipher preference for TLSv1.3 in the default server HTTP configuration and the server HTTP and server stream SSL certificate Lua configurations. When TLSv1.3 is the only one used, the `ssl_prefer_server_ciphers` directive is set to "off" to disable the preference for server ciphers. This ensures compatibility with the latest TLSv1.3 standards.
This commit is contained in:
Théophile Diot 2024-08-08 21:09:09 +01:00
parent 3999383675
commit b48dcf11ae
No known key found for this signature in database
GPG key ID: FA995104A0BA376A
3 changed files with 14 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/common/confs/default-server-http.conf
View file

@ -19,7 +19,11 @@ server {
{% set os = import("os") %}
{% if os.path.isfile("/var/cache/bunkerweb/misc/default-server-cert.pem") +%}
ssl_protocols {{ SSL_PROTOCOLS }};
{% if SSL_PROTOCOLS == "TLSv1.3" %}
ssl_prefer_server_ciphers off;
{% else %}
ssl_prefer_server_ciphers on;
{% endif %}
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
@ -37,7 +41,7 @@ server {
listen [::]:{{ HTTPS_PORT }} ssl default_server {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
{% endif %}
{% if HTTP3 == "yes" %}
{% if "TLSv1.3" in SSL_PROTOCOLS and HTTP3 == "yes" %}
http3 on;
listen 0.0.0.0:{{ HTTPS_PORT }} quic default_server {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %} reuseport;
{% if USE_IPV6 == "yes" +%}

6
src/common/confs/server-http/ssl-certificate-lua.conf
View file

@ -1,7 +1,11 @@
ssl_certificate /var/cache/bunkerweb/misc/default-server-cert.pem;
ssl_certificate_key /var/cache/bunkerweb/misc/default-server-cert.key;
ssl_protocols {{ SSL_PROTOCOLS }};
{% if SSL_PROTOCOLS == "TLSv1.3" %}
ssl_prefer_server_ciphers off;
{% else %}
ssl_prefer_server_ciphers on;
{% endif %}
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
@ -18,7 +22,7 @@ listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if USE_PROXY_PROTOCOL == "yes" %}proxy_pr
listen [::]:{{ HTTPS_PORT }} ssl {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
{% endif %}
{% if HTTP3 == "yes" %}
{% if "TLSv1.3" in SSL_PROTOCOLS and HTTP3 == "yes" %}
http3 on;
listen 0.0.0.0:{{ HTTPS_PORT }} quic {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
{% if USE_IPV6 == "yes" +%}

4
src/common/confs/server-stream/ssl-certificate-stream-lua.conf
View file

@ -1,7 +1,11 @@
ssl_certificate /var/cache/bunkerweb/misc/default-server-cert.pem;
ssl_certificate_key /var/cache/bunkerweb/misc/default-server-cert.key;
ssl_protocols {{ SSL_PROTOCOLS }};
{% if SSL_PROTOCOLS == "TLSv1.3" %}
ssl_prefer_server_ciphers off;
{% else %}
ssl_prefer_server_ciphers on;
{% endif %}
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSLStream:10m;