From 8b7bfdc88930acfe9aeb918fa71996b50f92db06 Mon Sep 17 00:00:00 2001
From: Marco Kundt
Date: Tue, 20 Apr 2021 19:27:53 +0200
Subject: [PATCH] introduce TLS 1.3's 0-RTT

---
 nginx/mattermost.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nginx/mattermost.conf b/nginx/mattermost.conf
index cb042cf..c6cf24f 100644
--- a/nginx/mattermost.conf
+++ b/nginx/mattermost.conf
@@ -54,6 +54,10 @@ server {
 ssl_certificate /cert.pem;
 ssl_certificate_key /key.pem;
+ # enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to prevent replay attacks.
+ # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+ ssl_early_data on;
+
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
@@ -94,6 +98,7 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_set_header Early-Data $ssl_early_data;
 proxy_buffers 256 16k;
 proxy_buffer_size 16k;
 client_body_timeout 60;
@@ -113,6 +118,7 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_set_header Early-Data $ssl_early_data;
 proxy_buffers 256 16k;
 proxy_buffer_size 16k;
 proxy_read_timeout 600s;
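Review bot: The comment added above `ssl_early_data on;` in the first hunk overstates what `$ssl_early_data` does: forwarding it lets the upstream detect that a request arrived as 0-RTT early data, it does not by itself prevent replay, because nginx still passes the replayed request through and only the application (or a rule in nginx) can refuse it. I would reword it to `# enable TLSv1.3's 0-RTT. Early-data requests can be replayed; $ssl_early_data is forwarded as Early-Data so non-idempotent requests can be refused (425) before they take effect.` so the next maintainer does not read the header alone as the mitigation. Also worth stating in the comment that the directive only takes effect when TLSv1.3 is enabled in `ssl_protocols` and nginx is built against a TLS library with 0-RTT support; `ssl_protocols` is outside this hunk, so I cannot confirm it here. The enclosing `server {}` block starts before the hunk.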
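Review bot: The `proxy_set_header Early-Data $ssl_early_data;` lines in the second and third hunks only mitigate 0-RTT replay if the upstream actually inspects the `Early-Data` header and refuses non-idempotent requests that carry it; nothing in this diff shows that Mattermost does, and if it does not, replayed POSTs (logins, message sends) reach the application unchanged. Until that is confirmed, I would have nginx enforce the RFC 8470 behaviour itself: flag early-data requests with unsafe methods in a `map` and return 425 Too Early in each proxied location, which keeps 0-RTT for GETs while making replays harmless. Any further `location` blocks that proxy to the backend and are not shown here would need the same header and guard. Both locations are cut off by the hunk boundaries, so the `proxy_pass` line is not visible.

```nginx
# http context (outside this server block): 1 when a request arrived as TLS early data with a non-idempotent method
map "$ssl_early_data:$request_method" $reject_early_data {
    default                         0;
    "~^1:(POST|PUT|PATCH|DELETE)$"  1;
}
# … unchanged: existing proxy_set_header lines …
proxy_set_header Early-Data $ssl_early_data;
# inside each proxied location, before proxy_pass: refuse replayable early-data requests (RFC 8470)
if ($reject_early_data) { return 425; }
```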