SSL legacy support.

Up to now I supported older browsers by supporting older versions of TLS and cipher suites. I still think it makes sense for my blog, etc. but not for Nextcloud or GitLab. So here's the first step, make the previous default SSL configuration be ssl-legacy (split out the common parts to ssl-common) and next is ssl-modern.

SSL legacy support.
f810bd6b · nimrod · 28413e0e · f810bd6b · f810bd6b · f810bd6b
Commit f810bd6b authored 2 years ago by nimrod
--- a/conf.d/default.conf
+++ b/conf.d/default.conf
@@ -8,6 +8,6 @@ server {
 server {
    listen      443 ssl http2 default_server;
    listen      [::]:443 ssl http2 default_server;
-    include     snippets/ssl.conf;
+    include     snippets/ssl-legacy.conf;
    location    / { return 301 https://www.shore.co.il$request_uri; }
 }
--- a/snippets/ssl.conf
+++ b/snippets/ssl.conf
@@ -4,8 +4,6 @@ include                     snippets/common-headers.conf;
 ssl_certificate             /var/ssl/site.crt;
 ssl_certificate_key         /var/ssl/site.key;
 ssl_dhparam                 /var/ssl/dhparams;
-ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-ssl_ciphers                 !AESCCM:!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:ECDH+CHACHA20:AES256+ECDH:AES128:CHACHA20:+SHA1;
 ssl_prefer_server_ciphers   on;
 ssl_session_cache           shared:SSL:50m;
 ssl_session_timeout         5m;

--- a/snippets/ssl-legacy.conf
+++ b/snippets/ssl-legacy.conf
+include                     snippets/ssl-common.conf;
+ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ciphers                 !AESCCM:!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:ECDH+CHACHA20:AES256+ECDH:AES128:CHACHA20:+SHA1;