Open conradwt opened 9 years ago
@berkes Is it possible to set this information with the NGINX config hooks you created a little while back?
@conradwt there are some placeholders for custom config. But I am not sure if they suit your case exactly.
server {
  listen 443 ssl;
  ssl_certificate /u/apps/example_com/shared/config/certificate.crt;
  ssl_certificate_key /u/apps/example_com/shared/config/certificate.key;
  server_name example.com;
  root /u/apps/example_com/current/public;

  location / {
    try_files $uri @app;
  }

  location @app {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;
    proxy_pass http://explained;
    <%= @custom_configuration["ssl_app"] %>
  }

  <%= @custom_configuration["ssl_main"] %>
}
The last may be of help to you. But I am not sure if that is too late in the config to define the settings. Could you try to set the following in your my_node_name.json:
"nginx_custom": {
  "ssl_main": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;\nssl_session_cache shared:SSL:10m;\nssl_session_timeout 10m;",
  ...
That will insert the extra ssl-config at the bottom of your server { }-block for the SSL server. It might work, provided the exact order and place of these settings does not matter to nginx.
OTOH, it sounds like these settings might actually be sane and secure defaults. Would it make sense to include these settings by default in the recipes?
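As an added example (not code from this thread or from the cookbook it discusses): a small Ruby script that renders the `ssl_main` hook from a node JSON into the server block the way the ERB template above does, and then checks the inserted `ssl_protocols` and `ssl_ciphers` directives for retired protocol versions and deprecated suites (RC4, 3DES, MD5) before anyone ships them as defaults. The node JSON, the trimmed template, the `NginxView` class and the `weak_tls_settings` function are all constructed for this example.

```ruby
require "erb"
require "json"
# Constructed node JSON carrying the nginx_custom hook from the thread (not a real node file).
NODE_JSON = <<~'JSON'
  {"nginx_custom": {"ssl_main":
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;\nssl_session_cache shared:SSL:10m;\nssl_session_timeout 10m;"}}
JSON
# Trimmed copy of the server block template: the ssl_main hook sits at the end of server { }.
SERVER_TEMPLATE = <<~'ERB'
  server {
    listen 443 ssl;
    server_name example.com;
    location @app {
      proxy_pass http://explained;
      <%= @custom_configuration["ssl_app"] %>
    }
    <%= @custom_configuration["ssl_main"] %>
  }
ERB
# Hypothetical stand-in for the template context: exposes @custom_configuration to ERB.
class NginxView
  def initialize(custom)
    @custom_configuration = custom
  end
  def render(template)
    ERB.new(template).result(binding)
  end
end
def render_ssl_server(node_json)
  NginxView.new(JSON.parse(node_json).fetch("nginx_custom")).render(SERVER_TEMPLATE)
end
# Retired protocol versions and suite-name fragments that should not ship as defaults.
RETIRED_PROTOCOLS = %w[SSLv2 SSLv3 TLSv1 TLSv1.1].freeze
WEAK_SUITE_PATTERNS = [/RC4/, /DES/, /MD5/, /NULL/, /EXPORT/].freeze
# Walks the ssl_main directives and returns findings such as "protocol TLSv1" or "cipher RC4-SHA".
def weak_tls_settings(ssl_main)
  ssl_main.each_line.flat_map do |line|
    directive, *args = line.strip.chomp(";").split
    case directive
    when "ssl_protocols"
      args.select { |p| RETIRED_PROTOCOLS.include?(p) }.map { |p| "protocol #{p}" }
    when "ssl_ciphers"
      suites = args.join(":").delete('"').split(":")
      suites.select { |s| WEAK_SUITE_PATTERNS.any? { |re| s.match?(re) } }.map { |s| "cipher #{s}" }
    else
      []
    end
  end
end
```

Against the cipher string quoted in the thread, `weak_tls_settings` flags TLSv1, TLSv1.1, RC4-SHA, DES-CBC3-SHA and RC4-MD5.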
@berkes Yeah I think adding these:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
as defaults would be good! Will you make a PR for that? Or do you want me to do it?
@jvanbaarsen I don't have time in the coming days, so please don't wait for me :)
@berkes Ok! I'll put it on the internal todo list :)
@berkes I received these settings from the following resource:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html
I have read through the available documentation but how does one set the following Nginx attributes within the example.com.json:
Can this process be automated with the current software or is this a manual process?