From: Robert O'Connor Date: Tue, 6 Dec 2016 22:32:40 +0000 (-0500) Subject: Some HTTPS improvements to achieve A+ on Qualsys SSL Labs X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=963a0b875a332414db6ab23069a22ecf06d0854d;p=discourse_docker.git Some HTTPS improvements to achieve A+ on Qualsys SSL Labs - Make HSTS max-age longer for A+ on qualsys SSL labs - dhparams 4096 bits vs 2048
---
diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml
index afd16d8..323d2a4 100644
--- a/templates/web.letsencrypt.ssl.template.yml
+++ b/templates/web.letsencrypt.ssl.template.yml
@@ -88,5 +88,4 @@ hooks:
 filename: "/etc/nginx/conf.d/discourse.conf"
 from: /add_header.+/
 to: |
- # remember the certificate for 80 days and automatically connect to HTTPS for this domain
- add_header Strict-Transport-Security 'max-age=6912000';
+ add_header Strict-Transport-Security 'max-age=63072000';
diff --git a/templates/web.ssl.template.yml b/templates/web.ssl.template.yml
index b1ce928..17cadad 100644
--- a/templates/web.ssl.template.yml
+++ b/templates/web.ssl.template.yml
@@ -3,7 +3,7 @@ run:
 cmd:
 # Generate strong Diffie-Hellman parameters
 - "mkdir -p /shared/ssl/"
- - "[ -e /shared/ssl/dhparams.pem ] || openssl dhparam -out /shared/ssl/dhparams.pem 2048"
+ - "[ -e /shared/ssl/dhparams.pem ] || openssl dhparam -out /shared/ssl/dhparams.pem 4096"
 - replace:
 filename: "/etc/nginx/conf.d/discourse.conf"
 from: /server.+{/
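Review bot: The new `add_header Strict-Transport-Security 'max-age=63072000';` line drops the comment that explained the old value, so nothing in the template now says that 63072000 seconds is two years (the removed line documented 6912000 as 80 days) or what committing to that period means. A browser that has cached this header refuses plain HTTP for the domain until it expires and only picks up a shorter value if it can still reach the site over valid HTTPS, so a certificate problem during those two years locks users out; that is worth stating next to the number. I would put a comment back inside the block scalar, e.g. `# HTTPS-only for this domain for 2 years (63072000 s); clients that cached it only accept a shorter value over a working HTTPS connection`. The enclosing `- replace:` hook entry starts before line 88 and its `from: /add_header.+/` regex is inherited unchanged, so any other add_header line matched by that pattern is affected exactly as before.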
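Review bot: The `[ -e /shared/ssl/dhparams.pem ] ||` guard on the changed line means the move to 4096-bit parameters only applies to fresh installs; a container that already has a 2048-bit dhparams.pem under /shared/ssl keeps it indefinitely, so the commit message's "dhparams 4096 bits vs 2048" overstates what already-deployed hosts get. Generating 4096-bit DH parameters with `openssl dhparam` is also much slower than 2048-bit and runs synchronously inside `run: cmd:`, so first-boot bootstrap time grows noticeably on that path. Both points belong next to the command, e.g. `# 4096-bit generation is slow but runs only when dhparams.pem is absent; delete the file to replace existing 2048-bit params`. The `run:` block continues past the hunk, which is cut off inside the following `- replace:` hook at `from: /server.+{/`.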