nginx: some changes

boring-nginx/Dockerfile

@@ -112,7 +112,7 @@ EXPOSE 8000 4430
 VOLUME /sites-enabled /www /conf.d /passwds /certs /var/log/nginx
 
 LABEL description="Secure nginx built from source." \
-      openssl="BoringSSL (date of the container)." \
+      openssl="BoringSSL" \
       nginx="nginx ${NGINX_VERSION}."
 
 CMD ["run.sh"]

boring-nginx/headers_params

@@ -1,4 +1,3 @@
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";

boring-nginx/nginx.conf

@@ -14,6 +14,8 @@ http {
     limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
     limit_req zone=allips burst=150 nodelay;
 
+    more_set_headers 'Server: secret';
+
     include /etc/nginx/conf/mime.types;
     default_type application/octet-stream;
 
@@ -37,7 +39,6 @@ http {
     tcp_nopush on;
     tcp_nodelay on;
     server_tokens off;
-    more_set_headers 'Server: secret';
 
     gzip on;
     gzip_comp_level 5;

boring-nginx/ssl_params

@@ -1,8 +1,10 @@
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.2;
 ssl_ecdh_curve secp384r1;
-ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-CHACHA20-POLY1305-D|ECDHE-RSA-CHACHA20-POLY1305-D|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA;
+ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-CHACHA20-POLY1305-D|ECDHE-RSA-CHACHA20-POLY1305-D|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
 ssl_prefer_server_ciphers on;
 
 ssl_session_cache shared:SSL:20m;
 ssl_session_timeout 15m;
 ssl_session_tickets off;
+
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

boring-nginx/vhost_https.conf

@@ -11,7 +11,7 @@ server {
   ssl_certificate <CERTIFICATE_PATH>;
   ssl_certificate_key <KEY_PATH>;
 
-  include /conf.d/ssl_params.conf;
+  include /etc/nginx/conf/ssl_params;
   include /etc/nginx/conf/headers_params;
 
   #client_max_body_size <MAX_BODY_SIZE>M;

nginx/ssl_params

@@ -1,6 +1,6 @@
 ssl_protocols TLSv1.2;
 ssl_ecdh_curve secp384r1;
-ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
 ssl_prefer_server_ciphers on;
 
 ssl_session_cache shared:SSL:20m;

nginx/vhost_https.conf

@@ -11,7 +11,7 @@ server {
   ssl_certificate <CERTIFICATE_PATH>;
   ssl_certificate_key <KEY_PATH>;
 
-  include /conf.d/ssl_params.conf;
+  include /etc/nginx/conf/ssl_params;
   include /etc/nginx/conf/headers_params;
 
   #client_max_body_size <MAX_BODY_SIZE>M;