Feature request - add more options to select/configure when SSL is enabled for a Website (Nginx vhost file)
Recently, while using the ISPConfig interface, I saw the need for a checkbox (or more) to select which SSL protocol version we want each Website to support.
By default it is ssl_protocol TLS v1.2?
Moreover, it would be nice to be able to also select, for example, TLS v1.3, so that we could configure the Nginx vhost file to have both TLSv1.2 and TLSv1.3.
As I currently see it, when the SSL checkbox is checked, the ISPConfig default template for the vhost file adds the default ssl_protocol TLS v1.2.
But when I also want TLS v1.3, I have to add it manually.
The issue here is that each time I change something in the ISPConfig interface that is reflected in the Nginx vhost for that Website, it just rewrites it back to the old ssl_protocol TLS v1.2, and I no longer have the value I had (manually edited): "ssl_protocol TLS v1.2, TLS v1.3".
Since I use Cloudflare with Authenticated Origin Pulls, which uses ssl_verify and ssl_client_certificate, a field to enter the path location for ssl_client_certificate and a checkbox or dropdown option to select ssl_verify (on, off, optional) would also be nice to have.
Currently, if I add that manually, each time I change something in the ISPConfig interface it just rewrites my nginx vhost file back to the old one, and then I have to add it back again to use it and have it enabled.
Regarding SSL, I wonder whether there is a way to configure parameters like these through the ISPConfig interface for a Website:
- ssl_session_timeout
- ssl_session_cache
- ssl_session_tickets
- ssl_dhparam path
- ssl_ciphers
- ssl_prefer_server_ciphers
Currently, each time I add something more to the Nginx vhost file field for my Website, I have to manually re-check and add the needed values again.
My vhost file looks like this:
```nginx
server {
    listen *:80;
    listen [::]:80;
    listen *:443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    listen [::]:443 ssl http2;
    ssl_certificate /var/www/clients/client1/web45/ssl/mydomain.tld.crt;
    ssl_certificate_key /var/www/clients/client1/web45/ssl/mydomain.tld.key;

    # Cloudflare Authenticated Origin Pulls, I have manually added TLSv1.3 to ssl_protocols above
    ssl_client_certificate /etc/origin-pull-ca.pem;
    ssl_verify_client on;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /etc/dhparam-mozilla.pem;

    # intermediate configuration
    #ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ... # the rest of the code here ...
```
Maybe that is already available, but I just could not find it in the ISPConfig interface when editing a Website.
Thank you very much! Appreciate!
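
One way to notice when a regenerated vhost has lost the hand-added TLS settings described in the post is to check the file for them after each change. The script below is an added example, not part of the original post or of ISPConfig; the `REQUIRED` values are copied from the vhost shown above, the `REGENERATED` sample is constructed, and the parser assumes one directive per line.

```python
import re
import sys

# Settings the post adds by hand (values copied from the vhost shown above).
REQUIRED = {
    "ssl_protocols": {"TLSv1.2", "TLSv1.3"},
    "ssl_client_certificate": {"/etc/origin-pull-ca.pem"},
    "ssl_verify_client": {"on"},
    "ssl_session_tickets": {"off"},
}

# Constructed sample: what a regenerated vhost might look like.
REGENERATED = """\
server {
    listen *:443 ssl http2;
    ssl_protocols TLSv1.2;
    #ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /var/www/clients/client1/web45/ssl/mydomain.tld.crt;
}
"""

def parse_directives(text):
    """Map directive name -> list of arguments, for one-line directives.
    Comments are dropped; nested blocks and include files are not followed."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([a-z_]+)\s+([^;{]+);$", line)
        if m:
            found.setdefault(m.group(1), []).extend(m.group(2).split())
    return found

def find_drift(text, required=REQUIRED):
    """Return {directive: [missing values]} for every required value absent."""
    found = parse_directives(text)
    drift = {}
    for name, wanted in required.items():
        missing = sorted(wanted - set(found.get(name, [])))
        if missing:
            drift[name] = missing
    return drift

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else REGENERATED
    drift = find_drift(text)
    for name, missing in drift.items():
        print(f"{name}: missing {' '.join(missing)}")
    sys.exit(1 if drift else 0)
```

Run with the vhost path as the only argument; a non-zero exit status means at least one required value is missing, which makes it usable from cron or a monitoring check.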