Improve SSL settings in Nginx conf. #240

Merged: 1 commit, May 30, 2016
Conversation

shaliko
Contributor

@shaliko shaliko commented May 25, 2016

Re-created from #236 but now from right fork.

Set up strong SSL security on the Nginx web server. This way we have a strong and future-proof SSL configuration and we get an A+ on the Qualys SSL Labs SSL Test.

Example: https://www.ssllabs.com/ssltest/analyze.html?d=nightly.umbrella.apinf.io (A+)

Example of api-umbrella.yml:

```yaml
nginx:
  server_names_hash_bucket_size: 128
  # DH parameters backing the EDH (DHE) suites listed in ssl_ciphers
  dhparam: /etc/ssl/private/dhparams.pem
  ssl_session_cache: "shared:SSL:10m"
  # forward-secret AES-GCM suites first, then AES-256 CBC with ECDHE/DHE
  ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
  ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2"
hosts:
  - hostname: example.com
    default: true
    ssl_cert: /etc/keys/example.com/fullchain.pem
    ssl_cert_key: /etc/keys/example.com/privkey.pem
    # one year, includeSubDomains and preload: the values the HSTS preload list requires
    http_strict_transport_security: "max-age=31536000; includeSubDomains; preload"
```

This request is based on instructions and tutorials:

These changes relate to #24, #234

/cc @brylie @GUI

@GUI
Member

GUI commented May 26, 2016

Thank you! I'll try to take a look at this later this week.

@GUI GUI merged commit 7298b91 into NREL:master May 30, 2016
@GUI
Member

GUI commented May 30, 2016

🌟 Thanks again!

I've just made some small tweaks to how the default values get applied, so we don't need the conditionals in the template: dbefef9 Hope that makes sense.

@shaliko
Contributor Author

shaliko commented May 31, 2016

@GUI The idea of the default values was to keep them optional in "api-umbrella.yml", for a few reasons:

  1. You always get an "A" rating with the default values when you upgrade api-umbrella to a new version. An "A" rating with the current config is not constant; for example, tomorrow some vulnerability could be found in the cipher "EECDH+AESGCM" and we would start getting a "B" rating with the same config. When we have defaults you just need to get the latest version of api-umbrella and the issue will be fixed. Of course you always have a way to override the defaults. But if you have the required settings in "api-umbrella.yml", you need to take care of keeping the SSL config up to date yourself.
  2. Existing users don't need to do anything with "api-umbrella.yml" after upgrading to the latest version. But with the new code dbefef9 they must add the new settings to "api-umbrella.yml".

I am OK with the changes, I just wanted to share the original ideas.
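The two points above, the example api-umbrella.yml in the PR description and the later argument that shipped defaults should be merged underneath a user's file so a stale config still picks up newer settings, can be demonstrated together. The following is an added example in Python and is not api-umbrella's own code: it deep-merges a constructed user config (mirroring the PR's example) with a hypothetical set of shipped defaults, then lints the effective TLS settings. The defaults (including a newer ssl_protocols default of TLSv1.2 only), the weak-cipher token list and the finding strings are assumptions for illustration; the deprecated-protocol set follows RFC 6176/7568 (SSLv2/SSLv3) and RFC 8996 (TLS 1.0/1.1), and the HSTS minimum follows the preload list's submission rules.

```python
"""Merge shipped defaults into an api-umbrella.yml and lint the effective TLS settings.

Added example, not api-umbrella's own code. The shipped defaults, the weak-cipher
token list and the finding strings are illustrative assumptions.
"""
import copy
import re

# Hypothetical shipped defaults (assumption), modelled on the PR's example but
# with a newer ssl_protocols default that no longer includes TLSv1/TLSv1.1.
SHIPPED_DEFAULTS = {
    "nginx": {
        "dhparam": None,
        "ssl_session_cache": "shared:SSL:10m",
        "ssl_ciphers": "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH",
        "ssl_protocols": "TLSv1.2",
    },
}

# Constructed user config, mirroring the api-umbrella.yml example in the PR.
USER_CONFIG = {
    "nginx": {
        "server_names_hash_bucket_size": 128,
        "dhparam": "/etc/ssl/private/dhparams.pem",
        "ssl_protocols": "TLSv1 TLSv1.1 TLSv1.2",
    },
    "hosts": [
        {
            "hostname": "example.com",
            "default": True,
            "ssl_cert": "/etc/keys/example.com/fullchain.pem",
            "ssl_cert_key": "/etc/keys/example.com/privkey.pem",
            "http_strict_transport_security": "max-age=31536000; includeSubDomains; preload",
        }
    ],
}

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 6176, 7568, 8996
WEAK_CIPHER_TOKENS = {"RC4", "3DES", "DES", "MD5", "NULL", "aNULL", "eNULL", "EXP", "EXPORT"}
DH_TOKENS = {"EDH", "DHE", "kEDH", "kDHE", "DH"}  # suites that need ssl_dhparam
PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org submission minimum


def merge_defaults(defaults, user):
    """Deep-merge: user values win, keys the user omitted fall through to defaults."""
    merged = copy.deepcopy(defaults)
    for key, value in user.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_defaults(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def lint_tls(config):
    """Return a list of findings for the effective nginx/host TLS settings."""
    findings = []
    nginx = config.get("nginx") or {}

    protocols = set(str(nginx.get("ssl_protocols", "")).split())
    deprecated = sorted(protocols & DEPRECATED_PROTOCOLS)
    if deprecated:
        findings.append("ssl_protocols enables deprecated " + " ".join(deprecated))
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.append("ssl_protocols enables neither TLSv1.2 nor TLSv1.3")

    ciphers = str(nginx.get("ssl_ciphers", ""))
    for group in ciphers.split(":"):
        if not group or group.startswith("!"):
            continue  # "!RC4"-style exclusions remove suites, which is fine
        weak = sorted(set(re.split(r"[+\-]", group)) & WEAK_CIPHER_TOKENS)
        if weak:
            findings.append("ssl_ciphers allows weak " + "/".join(weak) + " in " + group)
    # EDH/DHE suites are only as strong as the DH group, so dhparam must be set
    if set(re.split(r"[:+\-]", ciphers)) & DH_TOKENS and not nginx.get("dhparam"):
        findings.append("DHE ciphers enabled but nginx.dhparam is unset")

    for host in config.get("hosts") or []:
        name = host.get("hostname", "?")
        if not (host.get("ssl_cert") and host.get("ssl_cert_key")):
            findings.append("host %s: ssl_cert/ssl_cert_key missing" % name)
        hsts = str(host.get("http_strict_transport_security", ""))
        if "preload" in hsts:
            m = re.search(r"max-age=(\d+)", hsts)
            max_age = int(m.group(1)) if m else 0
            if max_age < PRELOAD_MIN_MAX_AGE or "includeSubDomains" not in hsts:
                findings.append(
                    "host %s: HSTS preload needs max-age>=%d and includeSubDomains"
                    % (name, PRELOAD_MIN_MAX_AGE)
                )
    return findings


if __name__ == "__main__":
    effective = merge_defaults(SHIPPED_DEFAULTS, USER_CONFIG)
    for finding in lint_tls(effective) or ["no findings"]:
        print(finding)
```

Run against the PR's own example, the lint flags the one thing a practitioner would raise today: ssl_protocols still enables TLSv1 and TLSv1.1. A user file that omits ssl_protocols inherits the newer TLSv1.2-only default and passes clean, which is exactly the upgrade-without-editing behaviour the comment above argues for; a user who pins ssl_protocols keeps it, and with it the responsibility for keeping it current.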

@GUI GUI added this to the v0.12 milestone Jun 26, 2016
@GUI GUI mentioned this pull request Jun 26, 2016
@GUI
Member

GUI commented Jun 30, 2016

Quick heads up: v0.12.0 packages have been released, which includes this update.

@brylie brylie deleted the improve-ssl-settings branch July 1, 2016 07:25