[MSB]Support TLSv1.3

Nginx should user server ciphers for security
Nginx requests per keepalive connection is too small
Issue-ID: MSB-661

Signed-off-by: jinquanni <ni.jinquan@zte.com.cn>
Change-Id: Iec6f3d61e12a4a79e9a9d3301e694cdcf4a73d44

diff --git a/openresty-ext/src/assembly/resources/openresty/nginx/conf/nginx.conf b/openresty-ext/src/assembly/resources/openresty/nginx/conf/nginx.conf
index a340aa8..45bd850 100644 (file)
--- a/openresty-ext/src/assembly/resources/openresty/nginx/conf/nginx.conf
+++ b/openresty-ext/src/assembly/resources/openresty/nginx/conf/nginx.conf
@@ -50,7 +50,7 @@ http {
        server_tokens off;
        
        keepalive_timeout 120s;
-    keepalive_requests 200;
+    keepalive_requests 2000;
     types_hash_max_size 2048;
        
        #open_file_cache max=200000 inactive=300s;

diff --git a/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msb.conf b/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msb.conf
index 8ed1077..0395fc6 100644 (file)
--- a/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msb.conf
+++ b/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msb.conf
@@ -17,7 +17,7 @@
 #the maximum allowed size of the client request body,current 10G
 client_max_body_size 10240m;
 client_body_buffer_size 128k;
-
+ssl_prefer_server_ciphers on;
 #set conf for proxy pass
 proxy_connect_timeout 5s;
 proxy_read_timeout 1200s;

diff --git a/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msbhttps.conf b/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msbhttps.conf
index 6ca846c..d474cbe 100644 (file)
--- a/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msbhttps.conf
+++ b/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msbhttps.conf
@@ -17,7 +17,7 @@ server {
        listen 443 ssl;
        ssl_certificate ../ssl/cert/cert.crt;
        ssl_certificate_key ../ssl/cert/cert.key;
-       ssl_protocols TLSv1.1 TLSv1.2;
+       ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_dhparam ../ssl/dh-pubkey/dhparams.pem;
        include ../msb-enabled/location-default/msblocations.conf;
         # Add below settings for making SDC to work