nginx module: Enable http2

authored by

Franz Pletz and committed by
Robin Gloster
de8008a1 e982aeae

+3 -3
+3 -3
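--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -35,7 +35,7 @@
 ssl_session_timeout 23m;
 
 ssl_ciphers ${cfg.sslCiphers};
-ssl_ecdh_curve secp521r1;
+ssl_ecdh_curve secp384r1;
 ssl_prefer_server_ciphers on;
 ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}
 
@@ -79,7 +79,7 @@
 let
 ssl = vhost.enableSSL || vhost.forceSSL;
 port = if vhost.port != null then vhost.port else (if ssl then 443 else 80);
-listenString = toString port + optionalString ssl " ssl spdy"
+listenString = toString port + optionalString ssl " ssl http2"
 + optionalString vhost.default " default";
 acmeLocation = optionalString vhost.enableACME ''
 location /.well-known/acme-challenge {
@@ -221,7 +221,7 @@
 
 sslCiphers = mkOption {
 type = types.str;
-default = "EDH+CHACHA20:EDH+AES:EECDHE+CHACHA20:ECDHE+AES:+AES128:-DSS";
+default = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
 description = "Ciphers to choose from when negotiating tls handshakes.";
 };
 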
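Review bot: The new `sslCiphers` default in the third hunk qualifies every suite with `aRSA`, so a virtual host served with an ECDSA certificate would have no usable cipher suite and its handshakes would fail; it also drops the CHACHA20 suites the old default listed. If the RSA-only choice is deliberate, the option text should say so, e.g. `description = "Ciphers to choose from when negotiating TLS handshakes. The default enables only RSA-authenticated suites; override it for ECDSA certificates.";`. The `EDH+aRSA` entry also depends on Diffie-Hellman parameters, and the first hunk shows `ssl_dhparam` is emitted only when `cfg.sslDhparam` is set, so it is worth confirming which parameters nginx falls back to when it is null. The `mkOption` block and the config template both continue outside the visible hunks.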