X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=modules%2Fwebsites%2Fdefault.nix;h=767a7b2324a1bf45acec546b23c5544e974f76a5;hp=e69080e9dc2ae14c43f785796c8379468e5aeb9c;hb=29252c2355081fb692f0548da1009502b30f86dc;hpb=2b9e8e578718557772da727355f1d9a1d34b0e1c
diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index e69080e..767a7b2 100644
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -204,6 +204,14 @@ in
 stateDir = "/run/httpd_${name}";
 logPerVirtualHost = true;
 multiProcessingModule = "worker";
+ # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
+ sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
+ sslCiphers = builtins.concatStringsSep ":" [
+ "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
+ "ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384"
+ "ECDHE-ECDSA-CHACHA20-POLY1305" "ECDHE-RSA-CHACHA20-POLY1305"
+ "DHE-RSA-AES128-GCM-SHA256" "DHE-RSA-AES256-GCM-SHA384"
+ ];
 inherit (icfg) adminAddr;
 logFormat = "combinedVhost";
 extraModules = lists.unique icfg.modules;
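Review bot: The added `sslProtocols` and `sslCiphers` cover only two of the directives in the Mozilla intermediate profile that the comment links to. The generator's Apache output for that profile also sets `SSLHonorCipherOrder off` and `SSLSessionTickets off`, and nothing in this hunk shows whether the generated httpd configuration does the same. If those are handled elsewhere in the module, say so next to the link, e.g. `# protocols and ciphers only; cipher order and session tickets are set in <location>`. Separately, `"all -SSLv3 -TLSv1 -TLSv1.1"` is a denylist, so the effective protocol set depends on the OpenSSL that httpd is linked against, while the linked URL pins `openssl=1.0.2t`; a short comment that these values must be regenerated when httpd or OpenSSL is bumped would keep the two in step. The enclosing attribute set starts and ends outside the hunk.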