From 14192dfb065f6d6ddc78be9f852c96865417af8c Mon Sep 17 00:00:00 2001
From: MinerYang
Date: Mon, 29 May 2023 21:57:15 +0800
Subject: [PATCH] add strong_ssl_ciphers for nginx https jinja template (#18748)
Signed-off-by: yminer
---
 make/photon/prepare/templates/nginx/nginx.https.conf.jinja | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
index 57197d434..29a57b44c 100644
--- a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
+++ b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
@@ -59,7 +59,11 @@ http {
 # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 ssl_protocols TLSv1.2 TLSv1.3;
+{% if internal_tls.strong_ssl_ciphers %}
+ ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
+{% else %}
 ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
+{% endif %}
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
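Review bot: The DHE aliases in the new `ssl_ciphers` line (`DHE+AESGCM:DHE+RSA+SHA256`) only take effect if the server block also sets `ssl_dhparam`, since nginx (1.11.0 and later) loads no default DH parameters; the hunk does not show one, so either confirm it is configured elsewhere in the template or drop the DHE entries so the list does not imply DHE suites are actually offered. The `!AES128` exclusion removes AES-128-GCM, while `ECDHE+RSA+SHA256`/`DHE+RSA+SHA256` appear to still admit AES-256-CBC suites, which reads as the opposite of a "strong" profile; if CBC is not intended, an AEAD-only expression such as `ECDHE+AESGCM:DHE+AESGCM` or an explicit suite list would be clearer. Nothing in the commit shows where `internal_tls.strong_ssl_ciphers` is defaulted, and with Jinja's default Undefined a missing key silently renders the legacy list, so a comment above the `{% if %}` such as `# strong_ssl_ciphers (internal_tls config): when unset or false the legacy list below is rendered` would make the fallback explicit. Note also that `ssl_ciphers` does not govern TLS 1.3 suites, so the TLSv1.3 half of `ssl_protocols` is unaffected by either branch. The enclosing server block begins and ends outside the hunk.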