Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve SSL settings in Nginx conf. #240

Merged
merged 1 commit into from
May 30, 2016
Merged

Improve SSL settings in Nginx conf. #240

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 44 additions & 1 deletion templates/etc/nginx/router.conf.mustache
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,43 @@ http {
gzip_types application/atom+xml application/javascript application/json application/rss+xml application/x-javascript application/xml text/css text/csv text/javascript text/plain text/xml;
gzip_vary on;

{{#nginx.ssl_protocols}}
ssl_protocols {{nginx.ssl_protocols}};
{{/nginx.ssl_protocols}}
{{^nginx.ssl_protocols}}
# Disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
{{/ssl_protocols}}

{{#nginx.ssl_ciphers}}
ssl_ciphers {{nginx.ssl_ciphers}};
{{/nginx.ssl_ciphers}}
{{^nginx.ssl_ciphers}}
# Ciphers chosen for forward secrecy and compatibility
# https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
{{/nginx.ssl_ciphers}}

# Enable session resumption to improve https performance
{{#nginx.ssl_session_cache}}
ssl_session_cache {{nginx.ssl_session_cache}};
{{/nginx.ssl_session_cache}}
{{^nginx.ssl_session_cache}}
ssl_session_cache shared:SSL:50m;
{{/nginx.ssl_session_cache}}
ssl_session_timeout 24h;
ssl_session_tickets off;
ssl_buffer_size 1400;

# Enable server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;

{{#nginx.dhparam}}
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam {{nginx.dhparam}};
{{/nginx.dhparam}}

{{#nginx.server_names_hash_bucket_size}}
server_names_hash_bucket_size {{nginx.server_names_hash_bucket_size}};
{{/nginx.server_names_hash_bucket_size}}
Expand Down Expand Up @@ -174,6 +211,12 @@ http {

include ./frontend_defaults.conf;

{{#http_strict_transport_security}}
# Enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security "{{http_strict_transport_security}}" always;
{{/http_strict_transport_security}}

{{#rewrites}}
rewrite {{.}};
{{/rewrites}}
Expand Down Expand Up @@ -259,4 +302,4 @@ http {
{{#_test_env?}}
include ./test_backends.conf;
{{/_test_env?}}
}
}