From a8194a669d1218492b20d3d1f014c4c10879024d Mon Sep 17 00:00:00 2001
From: Dmitry Voronin
Date: Sun, 23 Jun 2024 21:03:54 +0300
Subject: [PATCH] Proxy : Add a guide to generate self-signed ssl keys.

---
 container/Proxy.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/container/Proxy.nix b/container/Proxy.nix
index 9844137d..c37928bc 100644
--- a/container/Proxy.nix
+++ b/container/Proxy.nix
@@ -1,3 +1,14 @@
+# NOTE: To generate self-signed certs use: `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./privkey.pem -out ./fullchain.pem`
+# For dhparams: `openssl dhparam -out ./ssl-dhparam.pem 4096`
+# Example for options-ssl-nginx.conf:
+# ```
+# ssl_session_cache shared:le_nginx_SSL:10m;
+# ssl_session_timeout 1440m;
+# ssl_protocols TLSv1.2 TLSv1.3;
+# ssl_prefer_server_ciphers off;
+# ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+# ```
+# For certbot to generate new keys: `certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.voronind.com" -d voronind.com`
 { domain, util, container, pkgs, ... } @args: let
 cfg = container.config.proxy;
 virtualHosts = util.catSet (util.ls ./proxy/host) args;
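Review bot: The self-signed command on the first added line issues a certificate with no subjectAltName and prompts interactively for the subject, so current browsers and most TLS libraries reject it even after the cert is trusted; a form that works for local testing is `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=<host>" -addext "subjectAltName=DNS:<host>" -keyout ./privkey.pem -out ./fullchain.pem` (with `<host>` replaced by the name nginx serves). Because `-nodes` writes the private key unencrypted, the note should also state that `privkey.pem` must be readable only by the nginx user. On the certbot line, `--manual` with dns-01 cannot renew unattended (the TXT record has to be placed by hand on every renewal), and `--manual-public-ip-logging-ok` appears to have been deprecated in newer certbot releases — worth checking against the installed version and pointing to a DNS plugin for automated wildcard renewal. The nginx snippet could additionally carry `ssl_session_tickets off;` next to the shared session cache, which the Mozilla intermediate profile this snippet resembles also sets so that resumption keys do not outlive a restart.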