GeoNode / geonode-docker

Django base images for GeoNode

Hardening of nginx default setup #28

Open gannebamm opened 10 months ago

gannebamm commented 10 months ago

The current (https://github.com/GeoNode/geonode-docker/blob/8f71ab7404e4384333f6c00b7543b6b2b3aff9bb/docker/nginx/nginx.https.available.conf.envsubst) nginx https conf file is a good start but lacks higher security standards.

This leads to subpar ratings in services like ssllabs. See https://www.ssllabs.com/ssltest/analyze.html?d=stable.demo.geonode.org

With some tweaks, the service can get an 'A' rating. I would propose the following changes:

diff --git a/docker/nginx/nginx.https.available.conf.envsubst b/docker/nginx/nginx.https.available.conf.envsubst
index b9baaf8aa501c52773d4a1cd7cb5fba8173c4713..f2da30df31b8d45c863d5072121148aa830ec7f3 100644
--- a/docker/nginx/nginx.https.available.conf.envsubst
+++ b/docker/nginx/nginx.https.available.conf.envsubst
@@ -2,19 +2,23 @@
 # not to be mistaken for nginx variables (also starting with $, but usually lowercase)

 # This file is to be included in the main nginx.conf configuration if HTTPS_HOST is set
-ssl_session_cache   shared:SSL:10m;
-ssl_session_timeout 10m;
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 5m;

 # this is the actual HTTPS host
 server {
     listen              $HTTPS_PORT ssl;
     server_name         $HTTPS_HOST;
+    server_tokens off;
+    add_header Strict-Transport-Security "max-age=63072000" always;
     keepalive_timeout   70;

     ssl_certificate     /certificate_symlink/fullchain.pem;
     ssl_certificate_key /certificate_symlink/privkey.pem;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_protocols       TLSv1.2;
+    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_stapling on;
+    ssl_stapling_verify on;

     include sites-enabled/*.conf;
 }
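Review bot: `ssl_stapling_verify on;` (the line after `ssl_stapling on;`) is incomplete on its own: nginx needs an `ssl_trusted_certificate` directive listing the issuer and root chain to verify the OCSP response, and a `resolver` directive so it can look up the OCSP responder hostname; without those, stapling silently does nothing and scanners will not see a stapled response. Two smaller points in the same hunk: the `add_header Strict-Transport-Security "max-age=63072000" always;` placed at `server` level is not inherited by any `location` in the included `sites-enabled/*.conf` files that sets its own `add_header`, so those responses would go out without HSTS unless the header is repeated there; and `ssl_protocols TLSv1.2;` could also list `TLSv1.3` where the nginx/OpenSSL build in the image supports it, since dropping TLSv1/1.1 is the part that matters for the rating.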
@@ -23,6 +27,7 @@ server {
 server {
     listen 80;
     server_name $HTTPS_HOST $HTTP_HOST; # TODO : once geoserver supports relative urls, we should allow access though both HTTP and HTTPS at the same time and hence remove HTTP_HOST from this line
+    server_tokens off;

     # Except for let's encrypt challenge
     location /.well-known {
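Review bot: `server_tokens off;` is now repeated in both `server` blocks; setting it once in the `http` context of the main nginx.conf covers every server, including any later added under `sites-enabled/`, and avoids the two copies drifting apart.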
giohappy commented 7 months ago

@gannebamm nothing against your changes, but from a test I did a few minutes ago I received an A rating from ssllabs

[image attachment]