Reorganize how default nginx ssl config settings are applied.

- Shift the defaults into the `config/default.yml`. Using this approach,
  the template no longer needs conditionals, since the values in
  `config/default.yml` will be inherited if the admin doesn't override
  them in the `/etc/api-umbrella/api-umbrella.yml` file.
- Make a few last ssl settings configurable via settings (these others
  seem less likely to be changed, but we'll make them configurable in
  any case).

Author: GUI

config/default.yml

@@ -19,6 +19,14 @@ nginx:
   proxy_read_timeout: 60
   proxy_send_timeout: 60
   keepalive_timeout: 75
+  ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2"
+  ssl_ciphers: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+  ssl_session_cache: "shared:ssl_sessions:50m"
+  ssl_session_timeout: 24h
+  ssl_session_tickets: "off"
+  ssl_buffer_size: 1400
+  ssl_prefer_server_ciphers: "on"
+  ssl_ecdh_curve: secp384r1
   dyups:
     host: 127.0.0.1
     port: 14005

templates/etc/nginx/router.conf.mustache

@@ -115,37 +115,14 @@ http {
   gzip_types application/atom+xml application/javascript application/json application/rss+xml application/x-javascript application/xml text/css text/csv text/javascript text/plain text/xml;
   gzip_vary on;
 
-  {{#nginx.ssl_protocols}}
   ssl_protocols {{nginx.ssl_protocols}};
-  {{/nginx.ssl_protocols}}
-  {{^nginx.ssl_protocols}}
-  # Disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  {{/ssl_protocols}}
-
-  {{#nginx.ssl_ciphers}}
   ssl_ciphers {{nginx.ssl_ciphers}};
-  {{/nginx.ssl_ciphers}}
-  {{^nginx.ssl_ciphers}}
-  # Ciphers chosen for forward secrecy and compatibility
-  # https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
-  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
-  {{/nginx.ssl_ciphers}}
-
-  # Enable session resumption to improve https performance
-  {{#nginx.ssl_session_cache}}
   ssl_session_cache {{nginx.ssl_session_cache}};
-  {{/nginx.ssl_session_cache}}
-  {{^nginx.ssl_session_cache}}
-  ssl_session_cache shared:SSL:50m;
-  {{/nginx.ssl_session_cache}}
-  ssl_session_timeout 24h;
-  ssl_session_tickets off;
-  ssl_buffer_size 1400;
-
-  # Enable server-side protection from BEAST attacks
-  ssl_prefer_server_ciphers on;
-  ssl_ecdh_curve secp384r1;
+  ssl_session_timeout {{nginx.ssl_session_timeout}};
+  ssl_session_tickets {{nginx.ssl_session_tickets}};
+  ssl_buffer_size {{nginx.ssl_buffer_size}};
+  ssl_prefer_server_ciphers {{nginx.ssl_prefer_server_ciphers}};
+  ssl_ecdh_curve {{nginx.ssl_ecdh_curve}};
 
   {{#nginx.dhparam}}
   # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
@@ -302,4 +279,4 @@ http {
   {{#_test_env?}}
     include ./test_backends.conf;
   {{/_test_env?}}
-}
+}