From 80372628b75f277d3b62ba87f710395395c5d63b Mon Sep 17 00:00:00 2001
From: Wonderfall <wonderfall@schrodinger.io>
Date: Fri, 27 May 2016 18:10:08 +0200
Subject: [PATCH] reverse: fix conf files

---
 reverse/Dockerfile     | 7 +++----
 reverse/headers_params | 4 ++++
 reverse/proxy_params   | 6 ++++++
 reverse/ssl_params     | 8 ++++++++
 4 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 reverse/headers_params
 create mode 100644 reverse/proxy_params
 create mode 100644 reverse/ssl_params

diff --git a/reverse/Dockerfile b/reverse/Dockerfile
index 7668066..d530a0f 100644
--- a/reverse/Dockerfile
+++ b/reverse/Dockerfile
@@ -110,6 +110,9 @@ RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/ap
 COPY nginx.conf /etc/nginx/conf/nginx.conf
 COPY run.sh /usr/local/bin/run.sh
 COPY ngxpasswd /usr/local/bin/ngxpasswd
+COPY ssl_params /etc/nginx/conf/ssl_params
+COPY headers_params /etc/nginx/conf/headers_params
+COPY proxy_params /etc/nginx/conf/proxy_params
 
 RUN chmod +x /usr/local/bin/*
 
@@ -117,10 +120,6 @@ EXPOSE 8000 4430
 
 VOLUME /sites-enabled /conf.d /passwds /certs /var/log/nginx
 
-COPY ssl_params_d.conf /conf.d/ssl_params_d.conf
-COPY headers_params_d.conf /conf.d/headers_params_d.conf
-COPY proxy_params_d.conf /conf.d/proxy_params_d.conf
-
 LABEL description="Secure reverse proxy using nginx" \
       openssl="OpenSSL v${OPENSSL_VERSION}" \
       nginx="nginx v${NGINX_VERSION}"
diff --git a/reverse/headers_params b/reverse/headers_params
new file mode 100644
index 0000000..1f3c409
--- /dev/null
+++ b/reverse/headers_params
@@ -0,0 +1,4 @@
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
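Review bot: The four add_header directives at lines 47-50 are only inherited by server or location blocks that declare no add_header of their own, so any site config that adds even one header at a lower level silently drops HSTS and the other three; a comment in this file stating that, e.g. `# NOTE: any block that uses add_header itself must repeat these lines`, would save the next maintainer a surprise. They are also omitted from 4xx/5xx responses unless each directive carries the `always` flag (nginx 1.7.5+, e.g. `add_header X-Frame-Options SAMEORIGIN always;`); I cannot see the pinned NGINX_VERSION, so confirm it is new enough before adding it. HSTS with `preload` is a long-lived commitment for the whole domain tree, which is worth a one-line comment next to line 47.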
diff --git a/reverse/proxy_params b/reverse/proxy_params
new file mode 100644
index 0000000..6f9827e
--- /dev/null
+++ b/reverse/proxy_params
@@ -0,0 +1,6 @@
+proxy_set_header        Host                 $host;
+proxy_set_header        X-Real-IP            $remote_addr;
+proxy_set_header        X-Forwarded-For      $proxy_add_x_forwarded_for;
+proxy_set_header        X-Remote-Port        $remote_port;
+proxy_set_header        X-Forwarded-Proto    $scheme;
+proxy_redirect          off;
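Review bot: `X-Forwarded-For $proxy_add_x_forwarded_for` at line 59 appends $remote_addr to whatever X-Forwarded-For value the client already sent, so an upstream that reads the first address in that header is trusting client-controlled data; only X-Real-IP (line 58, set from $remote_addr) is reliable when this container is the edge. If no trusted proxy sits in front of it, `proxy_set_header X-Forwarded-For $remote_addr;` is the safer default, or document in this file that upstreams must use X-Real-IP for access decisions and logging. X-Remote-Port (line 60) is a non-standard header name, so a comment saying which upstream consumes it would help.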
diff --git a/reverse/ssl_params b/reverse/ssl_params
new file mode 100644
index 0000000..d6bc9c2
--- /dev/null
+++ b/reverse/ssl_params
@@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2;
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256”;
+ssl_prefer_server_ciphers on;
+ssl_ecdh_curve brainpoolP512r1:sect571r1:secp521r1:secp384r1;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 5m;
+ssl_session_tickets off;
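Review bot: The ssl_ciphers value at line 70 opens with a straight double quote but closes with a typographic right quote (”), so nginx sees an unterminated string and the whole configuration fails to load; the last character of that line must be `";`. The `-D`-suffixed names (`ECDHE-ECDSA-CHACHA20-POLY1305-D`, `ECDHE-RSA-CHACHA20-POLY1305-D`) are draft ChaCha20 aliases that a stock OpenSSL does not recognise and will silently drop, which is harmless only if they match this image's OpenSSL build — worth a comment either way. The ssl_ecdh_curve list at line 72 puts brainpoolP512r1 and sect571r1 ahead of secp384r1, yet most clients only offer the NIST P-curves, so the effective negotiation is usually secp384r1 or secp521r1; multiple curves in ssl_ecdh_curve also need nginx 1.11.0+ built against OpenSSL 1.0.2+, and I cannot see the pinned versions here.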