feat(ssl): only generate dhparam and ssl-params once per server

closes TryGhost#487 - put dhparam.pem and ssl-param.conf in nginx snippets directory
acburdine · Oct 21, 2017 · cb0990d · cb0990d
1 parent 430ed8a
commit cb0990d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 13 deletions.
diff --git a/extensions/nginx/index.js b/extensions/nginx/index.js
@@ -86,7 +86,9 @@ class NginxExtension extends cli.Extension {
         }
 
         const rootPath = path.resolve(ctx.instance.dir, 'system', 'nginx-root');
-        const dhparamFile = path.join(ctx.instance.dir, 'system', 'files', 'dhparam.pem');
+        const dhparamFile = '/etc/nginx/snippets/dhparam.pem';
+        const sslParamsFile = '/etc/nginx/snippets/ssl-params.conf';
+        const sslParamsConf = template(fs.readFileSync(path.join(__dirname, 'templates', 'ssl-params.conf'), 'utf8'));
 
         return this.ui.listr([{
             title: 'Checking DNS resolution',
@@ -148,21 +150,22 @@ class NginxExtension extends cli.Extension {
             }
         }, {
             title: 'Generating Encryption Key (may take a few minutes)',
-            skip: (ctx) => ctx.dnsfail,
+            skip: (ctx) => ctx.dnsfail || fs.existsSync(dhparamFile),
             task: () => {
-                return execa.shell(`openssl dhparam -out ${dhparamFile} 2048`)
+                return this.ui.sudo(`openssl dhparam -out ${dhparamFile} 2048 > /dev/null`)
                     .catch((error) => Promise.reject(new cli.errors.ProcessError(error)));
             }
         }, {
             title: 'Generating SSL security headers',
-            skip: (ctx) => ctx.dnsfail,
-            task: (ctx) => {
-                const sslParamsConf = template(fs.readFileSync(path.join(__dirname, 'templates', 'ssl-params.conf'), 'utf8'));
-                return ctx.instance.template(
-                    sslParamsConf({dhparam: dhparamFile}),
-                    'ssl security parameters',
-                    'ssl-params.conf'
-                );
+            skip: (ctx) => ctx.dnsfail || fs.existsSync(sslParamsFile),
+            task: () => {
+                const tmpfile = path.join(os.tmpdir(), 'ssl-params.conf');
+
+                return fs.writeFile(tmpfile, sslParamsConf({dhparam: dhparamFile}), {encoding: 'utf8'}).then(() => {
+                    return this.ui.sudo(`mv ${tmpfile} ${sslParamsFile}`).catch(
+                        (error) => Promise.reject(new cli.errors.ProcessError(error))
+                    );
+                });
             }
         }, {
             title: 'Generating SSL configuration',
@@ -175,7 +178,7 @@ class NginxExtension extends cli.Extension {
                     webroot: rootPath,
                     fullchain: path.join(acmeFolder, 'fullchain.cer'),
                     privkey: path.join(acmeFolder, `${parsedUrl.hostname}.key`),
-                    sslparams: path.join(ctx.instance.dir, 'system', 'files', 'ssl-params.conf'),
+                    sslparams: sslParamsFile,
                     location: parsedUrl.pathname !== '/' ? `^~ ${parsedUrl.pathname}` : '/',
                     port: ctx.instance.config.get('server.port')
                 });

diff --git a/extensions/nginx/templates/ssl-params.conf b/extensions/nginx/templates/ssl-params.conf
@@ -8,7 +8,7 @@ ssl_stapling on; # Requires nginx >= 1.3.7
 ssl_stapling_verify on; # Requires nginx => 1.3.7
 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;