From e07bff786de968a557c7f91499bf5f42a988cf27 Mon Sep 17 00:00:00 2001
From: bartoszbetka
Date: Fri, 9 Feb 2018 16:59:14 +0100
Subject: [PATCH] SSL advanced configuration for nginx-storage
---
 concent-builder/install-repositories.yml | 1 +
 kubernetes/Makefile | 1 +
 kubernetes/config-maps/nginx-storage/ssl.conf | 30 +++++++++++++++++++
 kubernetes/create-config-maps.sh.j2 | 7 +++--
 4 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/concent-builder/install-repositories.yml b/concent-builder/install-repositories.yml
index 59118866..774a1d10 100644
--- a/concent-builder/install-repositories.yml
+++ b/concent-builder/install-repositories.yml
@@ -46,6 +46,7 @@ - nginx-proxy-dhparam.pem - nginx-storage-ssl.crt - nginx-storage-ssl.key + - nginx-storage-dhparam.pem - become: yes become_user: "{{ shared_user }}"
diff --git a/kubernetes/Makefile b/kubernetes/Makefile
index e1b2798c..9616b819 100644
--- a/kubernetes/Makefile
+++ b/kubernetes/Makefile
@@ -25,6 +25,7 @@ CLUSTER_SCRIPTS := \
 build/concent-secrets/nginx-storage-ssl.crt \
 build/concent-secrets/nginx-storage-ssl.key \
 build/concent-secrets/nginx-proxy-dhparam.pem \
+ build/concent-secrets/nginx-storage-dhparam.pem \
 build/secrets/db-secrets.yml \
 build/secrets/django-admin-fixture.yaml \
 build/jobs/create-database.yml \
diff --git a/kubernetes/config-maps/nginx-storage/ssl.conf b/kubernetes/config-maps/nginx-storage/ssl.conf
index edf14ec5..16a0ec79 100644
--- a/kubernetes/config-maps/nginx-storage/ssl.conf
+++ b/kubernetes/config-maps/nginx-storage/ssl.conf
@@ -1,2 +1,32 @@
 ssl_certificate /etc/ssl/secrets/nginx-storage-ssl.crt;
 ssl_certificate_key /etc/ssl/secrets/nginx-storage-ssl.key;
+
+# Disable SSLv3
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+# Enable server-side protection
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+# Specify curve P-384
+ssl_ecdh_curve secp384r1;
+
+# Improve ssl performence
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 5m;
+
+# Enable OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# Enable HSTS
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+
+# Advanced settings
+server_tokens off;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+# Add Diffie-Helman group
+ssl_dhparam /etc/ssl/secrets/nginx-storage-dhparam.pem;
diff --git a/kubernetes/create-config-maps.sh.j2 b/kubernetes/create-config-maps.sh.j2
index c6bfae3f..ce480071 100755
--- a/kubernetes/create-config-maps.sh.j2
+++ b/kubernetes/create-config-maps.sh.j2
@@ -5,9 +5,10 @@ kubectl create configmap nginx-config-snippets \ --from-file=error-pages.conf=config-maps/nginx/error-pages.conf {% if nginx_storage_ssl %} -kubectl create secret generic nginx-storage-secrets \ --from-file=nginx-storage-ssl.crt=concent-secrets/nginx-storage-ssl.crt \ --from-file=nginx-storage-ssl.key=concent-secrets/nginx-storage-ssl.key +kubectl create secret generic nginx-storage-secrets \ --from-file=nginx-storage-ssl.crt=concent-secrets/nginx-storage-ssl.crt \ --from-file=nginx-storage-ssl.key=concent-secrets/nginx-storage-ssl.key \ --from-file=nginx-storage-dhparam.pem=concent-secrets/nginx-storage-dhparam.pem {% endif %} kubectl create configmap nginx-storage-configs \
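Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, which the comment above it ("Disable SSLv3") hides rather than states; unless a known legacy client of the storage endpoint needs them, this should be `ssl_protocols TLSv1.2;` (with `TLSv1.3` added once the nginx/OpenSSL build supports it) under a comment that names the versions allowed, e.g. `# Only TLS 1.2: SSLv3 and TLS 1.0/1.1 are off`. `ssl_stapling on;` and `ssl_stapling_verify on;` do nothing useful on their own: nginx needs a `resolver` directive to look up the OCSP responder host (otherwise it warns and serves no staple), and `ssl_stapling_verify` needs an `ssl_trusted_certificate` whenever the issuer chain is not already in `nginx-storage-ssl.crt` — neither is visible in this snippet, so please confirm where they are set. The `add_header` lines are inherited by a `server`/`location` only if that level declares no `add_header` of its own, so any later `add_header` elsewhere silently drops HSTS and the other three headers, and without the `always` flag they are also omitted from 4xx/5xx responses — `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;` (nginx >= 1.7.5). Pinning `ssl_ecdh_curve secp384r1;` alone pushes clients that only offer P-256/X25519 down to the slower `EDH` suites (or fails them if none match); a preference list such as `ssl_ecdh_curve X25519:secp384r1:prime256v1;` keeps P-384 preferred without that cost (needs OpenSSL 1.0.2+). Minor: "performence" and "Diffie-Helman" in the comments should read "performance" and "Diffie-Hellman".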
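Review bot: The new `--from-file=nginx-storage-dhparam.pem=...` key only reaches nginx if the Deployment mounts the `nginx-storage-secrets` Secret at `/etc/ssl/secrets` without an `items:` projection that enumerates keys; that manifest is not part of this patch, and if it does list keys explicitly, `ssl_dhparam /etc/ssl/secrets/nginx-storage-dhparam.pem;` in ssl.conf will point at a missing file and nginx will refuse to start, so please confirm. Nothing here shows how `concent-secrets/nginx-storage-dhparam.pem` is produced; because the cipher list enables `EDH` suites, the group should be at least 2048 bits (`openssl dhparam -out nginx-storage-dhparam.pem 2048`), otherwise the DHE fallback is weaker than the ECDHE suites it sits next to. DH parameters are public data, so storing them in the Secret is harmless and consistent with how `nginx-proxy-dhparam.pem` is handled in the same tree.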