Update Nginx

Author: bianjp

base/nginx.md

@@ -11,10 +11,12 @@ EPEL 源中版本过旧，使用 Nginx 官方源
 ```
 sudo tee /etc/yum.repos.d/nginx.repo <<-'EOF'
 [nginx]
-name=nginx repo
-baseurl=http://nginx.org/packages/centos/7/$basearch/
-gpgcheck=0
+name=nginx stable repo
+baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
+gpgcheck=1
 enabled=1
+gpgkey=https://nginx.org/keys/nginx_signing.key
+module_hotfixes=true
 EOF
 
 sudo yum makecache
@@ -119,16 +121,17 @@ sudo tee /etc/nginx/includes/https.conf <<-'EOF'
 #ssl_trusted_certificate /path/to/chain.pem;
 
 ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
+ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
 ssl_session_tickets off;
 
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 ssl_dhparam /etc/ssl/dhparam.pem;
 
-# modern configuration. tweak to your needs.
-ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-ssl_prefer_server_ciphers on;
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
 
 # OCSP Stapling ---
 # fetch OCSP records from URL in ssl_certificate and cache them
@@ -145,8 +148,7 @@ sudo tee /etc/nginx/includes/https-hsts.conf <<-'EOF'
 include /etc/nginx/includes/https.conf;
 
 # HSTS
-# 15768000 seconds = 6 months
-add_header Strict-Transport-Security max-age=15768000;
+add_header Strict-Transport-Security "max-age=63072000" always;
 EOF
 ```