templates/web.ssl.template.yml

   1 run:
   2   - exec:
   3      cmd:
   4        # Generate strong Diffie-Hellman parameters
   5        - "mkdir -p /shared/ssl/"
   6   - replace:
   7      filename: "/etc/nginx/conf.d/discourse.conf"
   8      from: /server.+{/
   9      to: |
  10        server {
  11          listen 80;
  12          return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
  13        }
  14        server {
  15   - replace:
  16      hook: ssl
  17      filename: "/etc/nginx/conf.d/discourse.conf"
  18      from: /listen 80;\s+gzip on;/m
  19      to: |
  20        listen 443 ssl http2;
  21        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  22        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;
  23        ssl_prefer_server_ciphers on;
  24        ssl_ecdh_curve secp384r1:prime256v1;
  25
  26        ssl_certificate /shared/ssl/ssl.crt;
  27        ssl_certificate_key /shared/ssl/ssl.key;
  28
  29        ssl_session_tickets off;
  30        ssl_session_timeout 1d;
  31        ssl_session_cache shared:SSL:1m;
  32
  33        gzip on;
  34
  35        add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain
  36
  37        if ($http_host != $$ENV_DISCOURSE_HOSTNAME) {
  38           rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent;
  39        }
  40   - replace:
  41      filename: "/etc/nginx/conf.d/discourse.conf"
  42      from: /add_header Referrer-Policy 'no-referrer-when-downgrade';/m
  43      to: |
  44        add_header Referrer-Policy 'no-referrer-when-downgrade';
  45        add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain