Bump nginx configs (tcp_nodelay, TLSv1.3)

lxc-apps/cts/lxc/etc/nginx/nginx.conf

@@ -15,6 +15,7 @@ http {
 	server_tokens off;
 	client_max_body_size 100m;
 	sendfile on;
+	tcp_nodelay on;
 	send_timeout 300;
 
 	server {

lxc-apps/decidim/lxc/etc/nginx/nginx.conf

@@ -15,6 +15,7 @@ http {
 	server_tokens off;
 	client_max_body_size 100m;
 	sendfile on;
+	tcp_nodelay on;
 	send_timeout 300;
 
 	passenger_root /usr/local/lib/ruby/gems/2.6.0/gems/passenger-6.0.4;

lxc-apps/ecogis/lxc/etc/nginx/nginx.conf

@@ -15,6 +15,8 @@ http {
 	server_tokens off;
 	client_max_body_size 100m;
 	sendfile on;
+	tcp_nodelay on;
+	send_timeout 300;
 
 	server {
 		listen 8080;

lxc-apps/kanboard/lxc/etc/nginx/nginx.conf

@@ -15,6 +15,8 @@ http {
 	server_tokens off;
 	client_max_body_size 100m;
 	sendfile on;
+	tcp_nodelay on;
+	send_timeout 300;
 
 	server {
 		listen 8080;

lxc-apps/pandora/lxc/etc/nginx/nginx.conf

@@ -15,6 +15,7 @@ http {
 	server_tokens off;
 	client_max_body_size 100m;
 	sendfile on;
+	tcp_nodelay on;
 	send_timeout 300;
 
 	server {

lxc-apps/seeddms/lxc/etc/nginx/nginx.conf

@@ -15,6 +15,8 @@ http {
 	server_tokens off;
 	client_max_body_size 100m;
 	sendfile on;
+	tcp_nodelay on;
+	send_timeout 300;
 
 	server {
 		listen 8080;

lxc-apps/ushahidi/lxc/etc/nginx/nginx.conf

@@ -15,6 +15,8 @@ http {
 	server_tokens off;
 	client_max_body_size 100m;
 	sendfile on;
+	tcp_nodelay on;
+	send_timeout 300;
 
 	server {
 		listen 8080;

vm.sh

@@ -88,7 +88,7 @@ chroot /mnt setup-timezone -z Europe/Prague
 apk --no-cache add apache2-utils gettext
 wget https://repo.spotter.cz/vm.tar -O - | tar xf - -C /mnt
 envsubst </mnt/boot/extlinux.conf.old >/mnt/boot/extlinux.conf
-chroot /mnt apk --no-cache add bridge ca-certificates curl e2fsprogs-extra gettext iptables kbd-misc libressl logrotate postfix nginx openssh-server openssh-sftp-server util-linux wireguard-virt wireguard-tools-wg acme-sh@vm spoc@vm vmmgr@vm
+chroot /mnt apk --no-cache add bridge ca-certificates curl e2fsprogs-extra gettext iptables kbd-misc logrotate postfix nginx openssh-server openssh-sftp-server util-linux wireguard-virt wireguard-tools-wg acme-sh@vm spoc@vm vmmgr@vm
 chroot /mnt newaliases
 for SERVICE in consolefont crond iptables networking nginx ntpd postfix spoc swap urandom vmmgr; do
     ln -s /etc/init.d/${SERVICE} /mnt/etc/runlevels/boot

vm/etc/iptables/rules-save

@@ -3,5 +3,5 @@
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-[0:0] -A POSTROUTING -o spocbr0 -j MASQUERADE
+[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
 COMMIT

vm/etc/nginx/nginx.conf

@@ -15,15 +15,17 @@ http {
 	server_tokens off;
 	client_max_body_size 100m;
 	sendfile on;
+	tcp_nodelay on;
 	gzip_vary on;
 	charset utf-8;
 
-	ssl_protocols TLSv1.2;
-	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-	ssl_prefer_server_ciphers on;
+	ssl_protocols TLSv1.3;
+	ssl_prefer_server_ciphers off;
 	ssl_certificate /etc/ssl/services.pem;
 	ssl_certificate_key /etc/ssl/services.key;
+	ssl_session_timeout 1d;
 	ssl_session_cache shared:SSL:1m;
+	ssl_session_tickets off;
 
 	log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
 	access_log /var/log/nginx/access.log main;