GLinet optimized and secured /etc/nginx/conf.d/gl.conf
# The default config still enables TLS 1.0 and 1.1.
#
# This version allows only TLS 1.2 and narrows the cipher options considerably.
# Document served when a request resolves to a directory.
index gl_home.html;

# NOTE(review): the lua-nginx-module documentation discourages running with
# the code cache off outside development, because Lua code is then reloaded
# per request. Confirm this is intended on a device described as "optimized".
lua_code_cache off;

# Shared-memory zones available to the Lua code. Judging by the names they
# presumably hold login nonces and session state; confirm against the
# oui-*.lua scripts.
lua_shared_dict sessions 16k;
lua_shared_dict nonces 16k;
lua_shared_dict shmem 12k;

# Lua initialisation script for the web UI.
init_by_lua_file /usr/share/gl-ngx/oui-init.lua;
server {
    # Plain HTTP listeners. Nothing in this block redirects port 80 to HTTPS,
    # so the TLS settings below protect only clients that connect on 443.
    # (Files pulled in by the include at the end are not shown here.)
    listen [::]:80;
    listen 80;

    # TLS listeners.
    listen [::]:443 ssl;
    listen 443 ssl;

    # Certificate and private key. The key file should be readable only by
    # the account nginx starts as.
    ssl_certificate_key /etc/nginx/nginx.key;
    ssl_certificate /etc/nginx/nginx.cer;

    # TLS 1.2 only: TLS 1.0 and 1.1 are refused, and TLS 1.3 is not enabled.
    ssl_protocols TLSv1.2;

    # ECDHE key exchange with AEAD ciphers only: AES-GCM for ECDSA or RSA
    # certificates, plus ChaCha20-Poly1305 for RSA certificates. The server's
    # order wins over the client's.
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:ECDHE-RSA-CHACHA20-POLY1305";
    ssl_prefer_server_ciphers on;

    # Earlier, broader cipher string, kept disabled for reference. Note that
    # "!RSA!aNULL" in it is missing a ":" separator.
    #ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED:!DHE:!CBC:!SHA1";

    # No session tickets, so no ticket key has to be protected or rotated.
    ssl_session_tickets off;

    # Name resolution goes through the local resolver, IPv4 answers only.
    resolver 127.0.0.1 ipv6=off;

    # Permanent redirect from /index.html to the site root.
    rewrite ^/index.html / permanent;

    # API endpoints handled by Lua scripts. Any authentication or input
    # checking happens inside those scripts, which are not shown here.
    location = /rpc {
        content_by_lua_file /usr/share/gl-ngx/oui-rpc.lua;
    }

    location = /upload {
        content_by_lua_file /usr/share/gl-ngx/oui-upload.lua;
    }

    location = /download {
        content_by_lua_file /usr/share/gl-ngx/oui-download.lua;
    }

    # CGI programs are passed to fcgiwrap over a local Unix socket; a
    # response may take up to 300 seconds before nginx gives up.
    location /cgi-bin/ {
        include fastcgi_params;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_read_timeout 300;
    }

    # Tell browsers and intermediaries not to store UI pages and images.
    location ~.*\.(html|png|jpg|svg)$ {
        add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
    }

    # Extra configuration is loaded into this server block. These files can
    # add locations and directives, so review them together with this one.
    include /etc/nginx/gl-conf.d/*.conf;
}