Commit | Line | Data |
---|---|---|
858ff0c2 | 1 | run: |
421b9abe | 2 | - exec: |
3 | cmd: | |
4 | # Generate strong Diffie-Hellman parameters | |
5 | - "mkdir -p /shared/ssl/" | |
0b39910b | 6 | - "[ -e /shared/ssl/dhparams.pem ] || openssl dhparam -out /shared/ssl/dhparams.pem 2048" |
858ff0c2 S |
7 | - replace: |
8 | filename: "/etc/nginx/conf.d/discourse.conf" | |
9 | from: /server.+{/ | |
10 | to: | | |
11 | server { | |
12 | listen 80; | |
13 | rewrite ^ https://$$ENV_DISCOURSE_HOSTNAME$request_uri? permanent; | |
14 | } | |
15 | server { | |
16 | - replace: | |
17 | filename: "/etc/nginx/conf.d/discourse.conf" | |
18 | from: /listen 80;\s+gzip on;/m | |
19 | to: | | |
2d7d1501 S |
20 | listen 443 ssl spdy; |
21 | spdy_keepalive_timeout 300; # up from 180 secs default | |
858ff0c2 | 22 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
df55e084 | 23 | # courtesy of https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations |
3a92f59a | 24 | ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; |
858ff0c2 S |
25 | ssl_prefer_server_ciphers on; |
26 | ||
27 | ssl_certificate /shared/ssl/ssl.crt; | |
28 | ssl_certificate_key /shared/ssl/ssl.key; | |
421b9abe | 29 | ssl_dhparam /shared/ssl/dhparams.pem; |
858ff0c2 | 30 | |
2d7d1501 | 31 | ssl_session_tickets off; |
e563f70f | 32 | ssl_session_cache shared:SSL:1m; |
858ff0c2 | 33 | |
d266e976 RC |
34 | # enable SPDY header compression |
35 | # The server CAN enable it without any known security risk: | |
36 | # https://github.com/18F/tls-standards/issues/24 | |
37 | spdy_headers_comp 6; | |
858ff0c2 | 38 | |
fff04d37 DP |
39 | # remember the certificate for a year and automatically connect to HTTPS for this domain |
40 | add_header Strict-Transport-Security 'max-age=31536000'; | |
858ff0c2 S |
41 | |
42 | gzip on; | |
43 | ||
44 | if ($http_host != $$ENV_DISCOURSE_HOSTNAME) { | |
45 | rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent; | |
46 | } |