implemented SSL profiles (with HSTS)

based on Mozilla SSL Configuration Generator and hstspreload.org

public/templates/conf/_ssl.conf.html

@@ -1,18 +1,21 @@
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0g&hsts=yes&profile=intermediate
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
-ssl_session_tickets off;
+ssl_session_tickets off;<!--
+
+✘ SSLProfileModern --><span ng-if="!isSSLProfileModern()">
 
 # Diffie-Hellman parameter for DHE ciphersuites
-ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_dhparam /etc/nginx/dhparam.pem;</span>
 
-# intermediate configuration
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
-ssl_prefer_server_ciphers on;
+# {{ data.ssl_profile }} configuration
+ssl_protocols {{ sslProfiles[ data.ssl_profile ].protocols }};
+ssl_ciphers {{ sslProfiles[ data.ssl_profile ].ciphers }};
+ssl_prefer_server_ciphers on;<!--
 
-# HSTS
-add_header Strict-Transport-Security "max-age=15768000" always;
+✔ HSTS--><span ng-if="isHSTS()">
+
+# HSTS (1 year, preload)
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;</span>
 
 # OCSP Stapling
 ssl_stapling on;