
security(nginx): use only strong ciphers over ssl (#869)

* security(nginx): use only strong ciphers over ssl

* drop support for TLSv1 and TLSv1.1, and add support for TLSv1.3
* disable all ciphers other than EECDH+AESGCM and EDH+AESGCM
* disable session ticketing
* use secp384r1 as certificate curve
* enable strict transport security with preloading
* enable xss-protection

Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

* chore: explicitly state ssl on listening socket

Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
This commit is contained in:
Chinmay Pai 2019-12-16 16:36:55 +05:30 committed by GitHub
parent 459432b195
commit d1ebb4c3b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -12,7 +12,12 @@ map {{ from_variable }} {{ to_variable }} {
{%- macro server_block(bench_name, port, server_names, site_name, sites_path, ssl_certificate, ssl_certificate_key) %}
server {
{% if ssl_certificate and ssl_certificate_key %}
listen {{ port }} ssl;
{% else %}
listen {{ port }};
{% endif %}
server_name
{% for name in server_names -%}
{{ name }}
@ -30,12 +35,20 @@ server {
ssl_certificate {{ ssl_certificate }};
ssl_certificate_key {{ ssl_certificate_key }};
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
{% endif %}
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
location /assets {
try_files $uri =404;
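Review bot: The new `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";` line sits after `{% endif %}`, so it is rendered into the plain-HTTP server block as well, and it hard-codes `preload` plus `includeSubDomains` with a two-year max-age — a commitment that binds every subdomain to HTTPS and is effectively irreversible once browsers have cached it or the domain is submitted to the preload list. Browsers ignore HSTS received over plain HTTP, so the HTTP case is not a break, but the directive belongs inside the `{% if ssl_certificate and ssl_certificate_key %}` block before `{% endif %}`, and `preload` should be an explicit opt-in rather than a template default, e.g. `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`. On the TLS lines, `EDH+AESGCM` only produces usable DHE suites when an `ssl_dhparam` with ≥2048-bit parameters is configured (none is visible here; nginx ≥1.11 otherwise offers no DHE suites and older releases fell back to weak 1024-bit defaults), and `ssl_ecdh_curve secp384r1;` alone excludes X25519 and P-256, the groups most clients prefer — `ssl_ecdh_curve X25519:secp384r1:prime256v1;` keeps the strength without the compatibility cost. `add_header X-XSS-Protection "1; mode=block";` re-enables a filter that browsers were removing at the time and that has been abused for cross-site leaks; current guidance is `0` (or omit it) and rely on a Content-Security-Policy instead. The enclosing `server` block starts and ends outside this hunk, so I cannot confirm whether a `resolver` and trusted-chain file back `ssl_stapling_verify on`, or whether a `location` block with its own `add_header` drops these server-level headers.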