
Commit b7852af

committed
Enabling HTTPS Strict Transport Security (HSTS) support.
1 parent b98d84a commit b7852af


3 files changed

+54
-4
lines changed


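--- a/install/deb/nginx/nginx.conf
+++ b/install/deb/nginx/nginx.conf
@@ -103,14 +103,26 @@ http {
 #set_real_ip_from 2a06:98c0::/29;
 real_ip_header CF-Connecting-IP;
 
-#openssl dhparam 4096 -out /etc/ssl/dhparam.pem
-#ssl_dhparam /etc/ssl/dhparam.pem;
+# SSL dhparam.pem
+ssl_dhparam /etc/ssl/dhparam.pem;
 
 # SSL PCI Compliance
 ssl_session_cache shared:SSL:10m;
 ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
-ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+ssl_dhparam /etc/nginx/dhparams.pem;
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_buffer_size 1400;
+resolver 1.0.0.1 1.1.1.1 valid=300s;
+resolver_timeout 5s;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
 
 # Error pages
 error_page 403 /error/403.html;
@@ -124,7 +136,7 @@ http {
 proxy_ignore_headers Expires Cache-Control;
 proxy_cache_use_stale error timeout invalid_header http_502;
 proxy_cache_valid any 1d;
-
+
 # Cache bypass
 map $http_cookie $no_cache {
 default 0;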
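Review bot: The added `ssl_dhparam /etc/nginx/dhparams.pem;` (new line 114) repeats a directive this same hunk already sets at new line 107 in the same `http` block, and nginx rejects a repeated `ssl_dhparam` in one context with a "directive is duplicate" error, so the configuration will not load; `ssl_session_cache shared:SSL:10m;` is likewise repeated at new lines 110 and 116. The second path also does not match what the installer produces: the install scripts in this commit write `/etc/ssl/dhparam.pem`, and nothing creates `/etc/nginx/dhparams.pem`. Dropping new lines 114 and 116 and keeping `ssl_dhparam /etc/ssl/dhparam.pem;` at line 107 resolves both. Separately, an `add_header` in the `http` context is inherited only by `server`/`location` blocks that define no `add_header` of their own, so any vhost that sets its own headers silently loses the HSTS header; a comment such as `# add_header is not inherited into blocks that set their own add_header` next to new line 123, or moving the three headers into the server blocks, would make that visible.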

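--- a/install/hst-install-debian.sh
+++ b/install/hst-install-debian.sh
@@ -1099,6 +1099,25 @@ if [ "$nginx" = 'yes' ]; then
 done
 fi
 
+# Generating dhparam.
+echo "(*) Enabling HTTPS Strict Transport Security (HSTS) support, this will take some time. Please wait..."
+openssl dhparam 4096 -out /etc/ssl/dhparam.pem > /dev/null 2>&1 &
+BACK_PID=$!
+
+# Check if package installation is done, print a spinner
+spin_i=1
+while kill -0 $BACK_PID > /dev/null 2>&1 ; do
+printf "\b${spinner:spin_i++%${#spinner}:1}"
+sleep 0.5
+done
+
+# Do a blank echo to get the \n back
+echo
+
+# Update dns servers in nginx.conf
+dns_resolver=$(cat /etc/resolv.conf | grep -i '^nameserver' | cut -d ' ' -f2 | tr '\r\n' ' ' | xargs)
+sed -i "s/1.0.0.1 1.1.1.1/$dns_resolver/g" /etc/nginx/nginx.conf
+
 update-rc.d nginx defaults > /dev/null 2>&1
 service nginx start >> $LOG
 check_result $? "nginx start failed"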
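Review bot: The exit status of the backgrounded `openssl dhparam` (new line 1104) is never checked; the spinner loop only polls `kill -0` until the process is gone, so a failed or truncated `/etc/ssl/dhparam.pem` goes unnoticed until `service nginx start` fails later with an unrelated message. After the `done` at new line 1112, `wait $BACK_PID` followed by `check_result $? "dhparam generation failed"` would reuse the script's existing error path. The `sed` at new line 1119 also assumes `dns_resolver` is non-empty: when `/etc/resolv.conf` has no `nameserver` entry the substitution leaves `resolver  valid=300s;` in nginx.conf, which nginx rejects, so `dns_resolver=${dns_resolver:-1.0.0.1 1.1.1.1}` before the sed keeps the shipped default. The `spinner` variable is not defined in this hunk and is presumably set earlier in the script, and the enclosing `if [ "$nginx" = 'yes' ]` block starts outside the hunk. The identical hunk in install/hst-install-ubuntu.sh (new lines 1082 and 1097) has the same two gaps.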

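--- a/install/hst-install-ubuntu.sh
+++ b/install/hst-install-ubuntu.sh
@@ -1077,6 +1077,25 @@ if [ "$nginx" = 'yes' ]; then
 done
 fi
 
+# Generating dhparam.
+echo "(*) Enabling HTTPS Strict Transport Security (HSTS) support, this will take some time. Please wait..."
+openssl dhparam 4096 -out /etc/ssl/dhparam.pem > /dev/null 2>&1 &
+BACK_PID=$!
+
+# Check if package installation is done, print a spinner
+spin_i=1
+while kill -0 $BACK_PID > /dev/null 2>&1 ; do
+printf "\b${spinner:spin_i++%${#spinner}:1}"
+sleep 0.5
+done
+
+# Do a blank echo to get the \n back
+echo
+
+# Update dns servers in nginx.conf
+dns_resolver=$(cat /etc/resolv.conf | grep -i '^nameserver' | cut -d ' ' -f2 | tr '\r\n' ' ' | xargs)
+sed -i "s/1.0.0.1 1.1.1.1/$dns_resolver/g" /etc/nginx/nginx.conf
+
 update-rc.d nginx defaults > /dev/null 2>&1
 service nginx start >> $LOG
 check_result $? "nginx start failed"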
