1 files changed, 15 insertions, 3 deletions

diff --git a/nginx/conf/main.conf b/nginx/conf/main.conf
index 7c25877b27d8..3607aaf1bfba 100644
--- a/nginx/conf/main.conf
+++ b/nginx/conf/main.conf
@@ -23,7 +23,7 @@ http {
     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
     ssl_prefer_server_ciphers on;
     ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:50m;
+    ssl_session_cache shared:HTTPS:50m;
     ssl_session_tickets off;
     ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
 
@@ -38,8 +38,8 @@ http {
     access_log   /var/log/nginx/access.log  logstash;
 
     # Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
-    ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
-    ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
+    ssl_certificate /etc/nginx/ssl/tazj.in/tls.crt;
+    ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.key;
 
     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
     add_header Strict-Transport-Security max-age=15768000;
@@ -48,5 +48,17 @@ http {
 }
 
 stream {
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+    ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
+    ssl_prefer_server_ciphers on;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:STREAM:50m;
+    ssl_session_tickets off;
+
+    # Default tazj.in certificate
+    ssl_certificate /etc/nginx/ssl/tazj.in/tls.crt;
+    ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.key;
+
     include /etc/nginx/conf/stream.conf;
 }