web-proxy: add common TLS configuration

Add TLS configuration snippet shared between all web-proxies.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

1 files changed, 10 insertions, 0 deletions

diff --git a/pillar/role/web-proxy.sls b/pillar/role/web-proxy.sls
index 5913fa6..1b7497c 100644
--- a/pillar/role/web-proxy.sls
+++ b/pillar/role/web-proxy.sls
@@ -5,6 +5,16 @@ nginx:
     robots:
       - location /robots.txt:
         - root: /srv/www/htdocs
+    tls:
+      - ssl_session_timeout: 1d
+      - ssl_session_cache: shared:Lysergic:10m
+      - ssl_session_tickets: 'off'
+      - ssl_protocols: TLSv1.3
+      - ssl_prefer_server_ciphers: 'off'
+      - add_header: Strict-Transport-Security "max-age=63072000" always
+      - ssl_stapling: 'on'
+      - ssl_stapling_verify: 'on'
+      - ssl_trusted_certificate: /etc/ssl/ca-bundle.pem
     php-fastcgi:
       - 'location ~* \.php$':
         - fastcgi_index: index.php