| 1 | run: |
| 2 | - exec: |
| 3 | cmd: |
| 4 | # Generate strong Diffie-Hellman parameters |
| 5 | - "mkdir -p /shared/ssl/" |
| 6 | - replace: |
| 7 | filename: "/etc/nginx/conf.d/discourse.conf" |
| 8 | from: /server.+{/ |
| 9 | to: | |
| 10 | server { |
| 11 | listen 80; |
| 12 | return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri; |
| 13 | } |
| 14 | server { |
| 15 | - replace: |
| 16 | hook: ssl |
| 17 | filename: "/etc/nginx/conf.d/discourse.conf" |
| 18 | from: /listen 80;\s+gzip on;/m |
| 19 | to: | |
| 20 | listen 443 ssl http2; |
| 21 | ssl_protocols TLSv1.2; |
| 22 | ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA; |
| 23 | ssl_prefer_server_ciphers on; |
| 24 | ssl_ecdh_curve secp384r1:prime256v1; |
| 25 | |
| 26 | ssl_certificate /shared/ssl/ssl.crt; |
| 27 | ssl_certificate_key /shared/ssl/ssl.key; |
| 28 | |
| 29 | ssl_session_tickets off; |
| 30 | ssl_session_timeout 1d; |
| 31 | ssl_session_cache shared:SSL:1m; |
| 32 | |
| 33 | gzip on; |
| 34 | |
| 35 | add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain |
| 36 | |
| 37 | if ($http_host != $$ENV_DISCOURSE_HOSTNAME) { |
| 38 | rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent; |
| 39 | } |
| 40 | - replace: |
| 41 | filename: "/etc/nginx/conf.d/discourse.conf" |
| 42 | from: /add_header Referrer-Policy 'no-referrer-when-downgrade';/m |
| 43 | to: | |
| 44 | add_header Referrer-Policy 'no-referrer-when-downgrade'; |
| 45 | add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain |