SSL advanced configuration for nginx-storage

golemfactory · Mar 9, 2018 · e07bff7 · e07bff7
1 parent 4d99481
commit e07bff7
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 3 deletions.
diff --git a/concent-builder/install-repositories.yml b/concent-builder/install-repositories.yml
@@ -46,6 +46,7 @@
             - nginx-proxy-dhparam.pem
             - nginx-storage-ssl.crt
             - nginx-storage-ssl.key
+            - nginx-storage-dhparam.pem
 
     - become:      yes
       become_user: "{{ shared_user }}"

diff --git a/kubernetes/Makefile b/kubernetes/Makefile
@@ -25,6 +25,7 @@ CLUSTER_SCRIPTS :=                                          \
     build/concent-secrets/nginx-storage-ssl.crt             \
     build/concent-secrets/nginx-storage-ssl.key             \
     build/concent-secrets/nginx-proxy-dhparam.pem           \
+    build/concent-secrets/nginx-storage-dhparam.pem         \
     build/secrets/db-secrets.yml                            \
     build/secrets/django-admin-fixture.yaml                 \
     build/jobs/create-database.yml                          \

diff --git a/kubernetes/config-maps/nginx-storage/ssl.conf b/kubernetes/config-maps/nginx-storage/ssl.conf
@@ -1,2 +1,32 @@
 ssl_certificate     /etc/ssl/secrets/nginx-storage-ssl.crt;
 ssl_certificate_key /etc/ssl/secrets/nginx-storage-ssl.key;
+
+# Disable SSLv3
+ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
+
+# Enable server-side protection
+ssl_prefer_server_ciphers  on;
+ssl_ciphers                "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+# Specify curve P-384
+ssl_ecdh_curve             secp384r1;
+
+# Improve ssl performence
+ssl_session_cache          shared:SSL:10m;
+ssl_session_timeout        5m;
+
+# Enable OCSP stapling
+ssl_stapling               on;
+ssl_stapling_verify        on;
+
+# Enable HSTS
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+
+# Advanced settings
+server_tokens off;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+# Add Diffie-Helman group
+ssl_dhparam /etc/ssl/secrets/nginx-storage-dhparam.pem;
diff --git a/kubernetes/create-config-maps.sh.j2 b/kubernetes/create-config-maps.sh.j2
@@ -5,9 +5,10 @@ kubectl create configmap nginx-config-snippets                          \
     --from-file=error-pages.conf=config-maps/nginx/error-pages.conf
 
 {% if nginx_storage_ssl %}
-kubectl create secret generic nginx-storage-secrets                              \
-    --from-file=nginx-storage-ssl.crt=concent-secrets/nginx-storage-ssl.crt      \
-    --from-file=nginx-storage-ssl.key=concent-secrets/nginx-storage-ssl.key
+kubectl create secret generic nginx-storage-secrets                                 \
+    --from-file=nginx-storage-ssl.crt=concent-secrets/nginx-storage-ssl.crt         \
+    --from-file=nginx-storage-ssl.key=concent-secrets/nginx-storage-ssl.key         \
+    --from-file=nginx-storage-dhparam.pem=concent-secrets/nginx-storage-dhparam.pem
 {% endif %}
 
 kubectl create configmap nginx-storage-configs                          \