From 55f1ab625adc911ed721058d93957f42034d530d Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Sat, 1 Oct 2016 17:46:27 +0200
Subject: [PATCH] nginx: some changes
---
 boring-nginx/Dockerfile | 2 +-
 boring-nginx/headers_params | 1 -
 boring-nginx/nginx.conf | 3 ++-
 boring-nginx/ssl_params | 6 ++++--
 boring-nginx/vhost_https.conf | 2 +-
 nginx/ssl_params | 2 +-
 nginx/vhost_https.conf | 2 +-
 7 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/boring-nginx/Dockerfile b/boring-nginx/Dockerfile
index d330baa..d2e72d9 100644
--- a/boring-nginx/Dockerfile
+++ b/boring-nginx/Dockerfile
@@ -112,7 +112,7 @@ EXPOSE 8000 4430
 VOLUME /sites-enabled /www /conf.d /passwds /certs /var/log/nginx
 LABEL description="Secure nginx built from source." \
- openssl="BoringSSL (date of the container)." \
+ openssl="BoringSSL" \
 nginx="nginx ${NGINX_VERSION}."
 CMD ["run.sh"]
diff --git a/boring-nginx/headers_params b/boring-nginx/headers_params
index 831747a..30e1890 100644
--- a/boring-nginx/headers_params
+++ b/boring-nginx/headers_params
@@ -1,4 +1,3 @@
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
diff --git a/boring-nginx/nginx.conf b/boring-nginx/nginx.conf
index 24f1810..352cd59 100644
--- a/boring-nginx/nginx.conf
+++ b/boring-nginx/nginx.conf
@@ -14,6 +14,8 @@ http {
 limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
 limit_req zone=allips burst=150 nodelay;
+ more_set_headers 'Server: secret';
+
 include /etc/nginx/conf/mime.types;
 default_type application/octet-stream;
@@ -37,7 +39,6 @@ http {
 tcp_nopush on;
 tcp_nodelay on;
 server_tokens off;
- more_set_headers 'Server: secret';
 gzip on;
 gzip_comp_level 5;
diff --git a/boring-nginx/ssl_params b/boring-nginx/ssl_params
index dea8c3e..46f1f20 100644
--- a/boring-nginx/ssl_params
+++ b/boring-nginx/ssl_params
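Review bot: The relocated `more_set_headers 'Server: secret';` in the first nginx.conf hunk now sits between the rate-limiting and MIME-type directives, well away from the `server_tokens off;` it complements in the second hunk, and nothing on the line says it depends on the third-party headers-more module (presumably compiled into this from-source image). A comment on the new line, `# headers-more module: replace (not merely hide) the Server header; pairs with server_tokens off`, would keep the intent discoverable for the next maintainer. The move itself is behaviour-neutral at http level. Both hunks are inside the `http {` block, whose start and end lie outside the patch.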
@@ -1,8 +1,10 @@
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.2;
 ssl_ecdh_curve secp384r1;
-ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-CHACHA20-POLY1305-D|ECDHE-RSA-CHACHA20-POLY1305-D|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA;
+ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-CHACHA20-POLY1305-D|ECDHE-RSA-CHACHA20-POLY1305-D|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:20m;
 ssl_session_timeout 15m;
 ssl_session_tickets off;
+
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
diff --git a/boring-nginx/vhost_https.conf b/boring-nginx/vhost_https.conf
index 947c106..cbf41bc 100644
--- a/boring-nginx/vhost_https.conf
+++ b/boring-nginx/vhost_https.conf
@@ -11,7 +11,7 @@ server {
 ssl_certificate ;
 ssl_certificate_key ;
- include /conf.d/ssl_params.conf;
+ include /etc/nginx/conf/ssl_params;
 include /etc/nginx/conf/headers_params;
 #client_max_body_size M;
diff --git a/nginx/ssl_params b/nginx/ssl_params
index 6dac8aa..62ff6ed 100644
--- a/nginx/ssl_params
+++ b/nginx/ssl_params
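Review bot: The HSTS header added at the end of this hunk is now emitted only from ssl_params, so it reaches clients only through the server-level `include /etc/nginx/conf/ssl_params;` in the HTTPS vhost, and nginx does not inherit `add_header` into any `location` that declares its own `add_header` — such a location silently loses HSTS together with every header from headers_params. Shipping `preload` as an image-wide default is also a commitment: once an operator submits a hostname to the browser preload list, `includeSubDomains` with a one-year max-age binds every subdomain to HTTPS and is hard to walk back, so a default of `max-age=31536000; includeSubDomains` with `preload` left to a per-deployment opt-in would be the safer baseline. A comment such as `# HSTS lives here (not in headers_params) so it is only sent over TLS; any location that sets its own add_header must repeat it` would make the relocation out of headers_params explicit. The protocol and cipher tightening itself (TLS 1.2 only, AEAD suites only) is an improvement.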
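Review bot: The changed include in boring-nginx/vhost_https.conf now reads the image's built-in `/etc/nginx/conf/ssl_params` instead of `/conf.d/ssl_params.conf`, and `/conf.d` is declared as a VOLUME in the Dockerfile hunk of this same patch, so a deployment that mounted its own `ssl_params.conf` there will have that customisation silently ignored from this version on. That is a defensible hardening (the TLS defaults can no longer be weakened by a stray mounted file), but it is a behaviour change that the subject `nginx: some changes` does not announce; a comment above the include, `# TLS parameters are fixed by the image; /conf.d overrides are no longer read`, plus a line in the image documentation would avoid surprises. The identical change is made to nginx/vhost_https.conf in the following hunk and this note applies there as well. The `server {` block continues past the end of the hunk.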
@@ -1,6 +1,6 @@
 ssl_protocols TLSv1.2;
 ssl_ecdh_curve secp384r1;
-ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:20m;
diff --git a/nginx/vhost_https.conf b/nginx/vhost_https.conf
index 947c106..cbf41bc 100644
--- a/nginx/vhost_https.conf
+++ b/nginx/vhost_https.conf
@@ -11,7 +11,7 @@ server {
 ssl_certificate ;
 ssl_certificate_key ;
- include /conf.d/ssl_params.conf;
+ include /etc/nginx/conf/ssl_params;
 include /etc/nginx/conf/headers_params;
 #client_max_body_size M;
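Review bot: The new `ssl_ciphers` line drops the draft `ECDHE-ECDSA-CHACHA20-POLY1305-D` and `ECDHE-RSA-CHACHA20-POLY1305-D` suites from nginx/ssl_params, while the boring-nginx/ssl_params hunk in this same patch keeps both inside its equal-preference group, so the two images now diverge on this point with nothing recording why. If the split is deliberate (the `-D` names are pre-standard ChaCha20 suites that this image's TLS library presumably never recognised — OpenSSL-style cipher strings skip unknown names rather than reject them, so they were dead entries), a one-line comment `# draft ChaCha20 (-D) suites omitted on purpose; the BoringSSL image still lists them` would document it; otherwise the boring-nginx list should be trimmed to match. Because `ssl_prefer_server_ciphers on;` is in context, the order of this list is the order clients actually negotiate, which makes its consistency across the two images worth keeping.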