This is configured in:
- /etc/nginx/sites-available/peertube
- /etc/nginx/sites-available/mastodon
At the time of writing, I went for the following ciphers:
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
For Peertube, I also copied the following configuration over from Mastodon:
add_header Strict-Transport-Security "max-age=31536000" always;
Make sure to add this wherever there are add_header directives: nginx only inherits add_header from the enclosing block when the current block has no add_header of its own, so a location that sets any header of its own loses the server-level ones.
Also, set
ssl_prefer_server_ciphers on;
There's a Mozilla tool to help you with the configuration: the SSL Configuration Generator. You will need your OpenSSL and nginx versions, which you can get by running:
openssl version
nginx -v
Double-check your configuration by scanning with both Mozilla Observatory and CryptCheck. Mozilla allows a new scan every 5 minutes, CryptCheck one every hour.
For PeerTube, also add the following headers to your nginx configuration. Mastodon already sets these itself, so they are not needed there.
add_header Content-Security-Policy "default-src 'self';" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
Do this wherever you added Strict-Transport-Security, but skip Content-Security-Policy in the main server section (only add it to location sections). If you add it to the main section, the site will break. If you find a working value for it, please let me know! See also nginx Content-Security-Policy examples.
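To catch the two mistakes described above (a location block that sets its own add_header and thereby drops the server-level HSTS, and Content-Security-Policy placed in the server block), here is a small checker I am adding as an example; it is not part of the original post or of either project. The config it parses is a constructed sample, not the real sites-available files, and it only handles the subset of nginx syntax shown (directives, nested blocks, quoted values, comments).

```python
import re

# Constructed sample config (not the author's real sites-available files):
# the /static/ location sets its own add_header and so loses the server HSTS.
SAMPLE_CONF = """
server {
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff;
    location / { proxy_pass http://127.0.0.1:9000; }
    location /static/ {
        add_header Cache-Control "public, max-age=3600";
    }
    location /api/ {
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header Content-Security-Policy "default-src 'self';" always;
    }
}
"""

def parse(text):
    # Tokenise into quoted strings, braces, semicolons and bare words, then
    # build a tree of (block name, directives, child blocks).
    text = re.sub(r"#[^\n]*", "", text)
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)
    stack, cur = [("root", [], [])], []
    for tok in tokens:
        if tok == "{":
            stack[-1][2].append((" ".join(cur), [], []))
            stack.append(stack[-1][2][-1])
            cur = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][1].append(cur)
            cur = []
        else:
            cur.append(tok)
    return stack[0]

def audit(block, inherited=frozenset(), path="", findings=None):
    findings = [] if findings is None else findings
    path = f"{path}/{block[0]}"
    own = {d[1] for d in block[1] if d and d[0] == "add_header"}
    # nginx rule: a level that sets any add_header inherits none from above
    effective = own or inherited
    if block[0].startswith(("server", "location")):
        if "Strict-Transport-Security" not in effective:
            findings.append(f"{path}: missing Strict-Transport-Security")
        if block[0] == "server" and "Content-Security-Policy" in own:
            findings.append(f"{path}: Content-Security-Policy in server block")
    for child in block[2]:
        audit(child, effective, path, findings)
    return findings
```

Run `audit(parse(open("/etc/nginx/sites-available/peertube").read()))` to check a real file; the sample above yields exactly one finding, for the /static/ location.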