From 531d317f6219396e7cbe189ea2a6faea7c7a14c5 Mon Sep 17 00:00:00 2001
From: jinquanni
Date: Tue, 22 Mar 2022 19:36:42 +0800
Subject: [PATCH] [MSB]Support TLSv1.3 Nginx should user server ciphers for security Nginx requests per keepalive connection is too small
Issue-ID: MSB-661
Signed-off-by: jinquanni
Change-Id: Iec6f3d61e12a4a79e9a9d3301e694cdcf4a73d44
---
 openresty-ext/src/assembly/resources/openresty/nginx/conf/nginx.conf | 2 +-
 .../src/assembly/resources/openresty/nginx/msb-enabled/msb.conf | 2 +-
 .../src/assembly/resources/openresty/nginx/msb-enabled/msbhttps.conf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/openresty-ext/src/assembly/resources/openresty/nginx/conf/nginx.conf b/openresty-ext/src/assembly/resources/openresty/nginx/conf/nginx.conf
index a340aa8..45bd850 100644
--- a/openresty-ext/src/assembly/resources/openresty/nginx/conf/nginx.conf
+++ b/openresty-ext/src/assembly/resources/openresty/nginx/conf/nginx.conf
@@ -50,7 +50,7 @@ http {
 server_tokens off;
 keepalive_timeout 120s;
- keepalive_requests 200;
+ keepalive_requests 2000;
 types_hash_max_size 2048;
 #open_file_cache max=200000 inactive=300s;
diff --git a/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msb.conf b/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msb.conf
index 8ed1077..0395fc6 100644
--- a/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msb.conf
+++ b/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msb.conf
@@ -17,7 +17,7 @@
 #the maximum allowed size of the client request body,current 10G
 client_max_body_size 10240m;
 client_body_buffer_size 128k;
-
+ssl_prefer_server_ciphers on;
 #set conf for proxy pass
 proxy_connect_timeout 5s;
 proxy_read_timeout 1200s;
diff --git a/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msbhttps.conf b/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msbhttps.conf
index 6ca846c..d474cbe 100644
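Review bot: The new `keepalive_requests 2000;` in the `http` block of nginx.conf carries no comment recording why 2000 was chosen, and together with the `keepalive_timeout 120s;` context line it lets a single client connection stay open across ten times as many requests as before. The nginx documentation notes that connections need to be closed periodically to free per-connection memory allocations, so this limit is also a resource bound and not only a throughput knob. I would add a line above it such as `# 2000 requests per keep-alive connection; also bounds per-connection memory, review together with keepalive_timeout`. The `http` block starts and ends outside the hunk.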
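Review bot: `ssl_prefer_server_ciphers on;` is added in msb.conf with no `ssl_ciphers` line visible in this hunk or in the msbhttps.conf hunk, so unless a list is set elsewhere the server would only be enforcing the order of the build's default cipher list. The directive also sits between the request-body and proxy settings, replacing the blank separator line, while the other `ssl_*` directives live in the `server` block of msbhttps.conf; placing it next to `ssl_protocols` there, together with an explicit `ssl_ciphers` list, would keep the TLS policy in one reviewable place. If it stays in msb.conf, keep the blank line and add a comment such as `# TLS: select the cipher by server preference order`. How msb.conf is included is not visible from the hunk.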
--- a/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msbhttps.conf
+++ b/openresty-ext/src/assembly/resources/openresty/nginx/msb-enabled/msbhttps.conf
@@ -17,7 +17,7 @@ server {
 listen 443 ssl;
 ssl_certificate ../ssl/cert/cert.crt;
 ssl_certificate_key ../ssl/cert/cert.key;
- ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_dhparam ../ssl/dh-pubkey/dhparams.pem;
 include ../msb-enabled/location-default/msblocations.conf;
 # Add below settings for making SDC to work
--
2.16.6
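Review bot: The new `ssl_protocols` line still enables TLSv1.1, which RFC 8996 deprecates, so a client can keep negotiating it even after TLSv1.3 is added. Since the commit is motivated by security, `ssl_protocols TLSv1.2 TLSv1.3;` would be the tighter setting unless a legacy client is known to need 1.1, in which case a comment should say so. The `TLSv1.3` parameter only takes effect when nginx is built against OpenSSL 1.1.1 or later, so it is worth confirming the bundled OpenResty build and checking the negotiated protocol after deployment. The `server` block continues outside the hunk.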