From 963a0b875a332414db6ab23069a22ecf06d0854d Mon Sep 17 00:00:00 2001
From: Robert O'Connor
Date: Tue, 6 Dec 2016 17:32:40 -0500
Subject: [PATCH] Some HTTPS improvements to achieve A+ on Qualsys SSL Labs

- Make HSTS max-age longer for A+ on qualsys SSL labs
- dhparams 4096 bits vs 2048

---
 templates/web.letsencrypt.ssl.template.yml | 3 +--
 templates/web.ssl.template.yml | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml
index afd16d8..323d2a4 100644
--- a/templates/web.letsencrypt.ssl.template.yml
+++ b/templates/web.letsencrypt.ssl.template.yml
@@ -88,5 +88,4 @@ hooks:
 filename: "/etc/nginx/conf.d/discourse.conf"
 from: /add_header.+/
 to: |
- # remember the certificate for 80 days and automatically connect to HTTPS for this domain
- add_header Strict-Transport-Security 'max-age=6912000';
+ add_header Strict-Transport-Security 'max-age=63072000';
diff --git a/templates/web.ssl.template.yml b/templates/web.ssl.template.yml
index b1ce928..17cadad 100644
--- a/templates/web.ssl.template.yml
+++ b/templates/web.ssl.template.yml
@@ -3,7 +3,7 @@ run:
 cmd:
 # Generate strong Diffie-Hellman parameters
 - "mkdir -p /shared/ssl/"
- - "[ -e /shared/ssl/dhparams.pem ] || openssl dhparam -out /shared/ssl/dhparams.pem 2048"
+ - "[ -e /shared/ssl/dhparams.pem ] || openssl dhparam -out /shared/ssl/dhparams.pem 4096"
 - replace:
 filename: "/etc/nginx/conf.d/discourse.conf"
 from: /server.+{/
--
2.25.1
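Review bot: The new `add_header Strict-Transport-Security 'max-age=63072000';` line drops the explanatory comment that the removed lines carried, so the two-year value is now undocumented in the rendered nginx config. That matters because an HSTS pin of this length is effectively irreversible for clients that have cached it: lowering or removing the header later does not un-pin a browser until its cached max-age expires, so the value deserves a note at the point it is set. I would add a comment line inside the same `to: |` block, e.g. `# remember HTTPS for this domain for 2 years (63072000 s); browsers keep this pin until it expires, so reduce it well before ever dropping HTTPS`. The `replace` hook this `to:` block belongs to starts above the hunk.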
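Review bot: The `[ -e /shared/ssl/dhparams.pem ] ||` guard kept on the new line means any host that has already bootstrapped retains its existing 2048-bit file, so the 4096-bit parameters only take effect on fresh installs and the commit message's "A+" claim will not hold for upgraded hosts unless the file is removed. Separately, `openssl dhparam ... 4096` can run for many minutes on a small VM and gives no progress to the bootstrap log beyond its dot output, which is easy to mistake for a hang. Neither is stated in the hunk; I would extend the context comment to `# Generate strong Diffie-Hellman parameters (4096-bit generation can take several minutes; an existing dhparams.pem is kept, delete it to regenerate at the new size)`. The `run:` block continues outside the hunk.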