7x31/nginxconfig.io
1
0
Fork 0
mirror of https://github.com/digitalocean/nginxconfig.io.git synced 2025-11-04 18:28:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

implemented SSL profiles (with HSTS)

Browse Source 
based on Mozilla SSL Configuration Generator and hstspreload.org
This commit is contained in:
Szekeres Bálint
2018-03-10 13:39:05 +01:00
parent 3396047a5c
commit 9e0eb0095c
5 changed files with 90 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
README.md
View File

@@ -3,12 +3,16 @@
Online nginx configuration generator.
## Features
* HTTPS (with [Let's Encrypt](https://letsencrypt.org) or custom certificate, [Mozilla SSL Configuration Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/))
* HTTPS (with [Let's Encrypt](https://letsencrypt.org) or custom certificate)
* HTTP2
* [SSL profiles](https://mozilla.github.io/server-side-tls/ssl-config-generator/)
* [HSTS](https://hstspreload.org)
* force HTTPS
* CDN
* www / non-www
* redirect subdomains
* IPv4, IPv6
* PHP (TCP, 5.x FPM, 7.0 FPM, 7.1 FPM, 7.2 FPM)
* PHP (TCP, 5.x FPM, 7.0 FPM, 7.1 FPM, 7.2 FPM, 7.3 FPM)
* WordPress security essentials (*including [CVE-2018-6389](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389)*)
* pass requests to index.php
* *[Laravel](https://laravel.com/docs/master/deployment#nginx)*
@@ -62,3 +66,5 @@ Online nginx configuration generator.
* [NGINX Tuning For Best Performance](https://gist.github.com/denji/8359866)
* [Hardening Your HTTP Security Headers](https://www.keycdn.com/blog/http-security-headers/)
* [h5bp/server-configs-nginx](https://github.com/h5bp/server-configs-nginx)
* [Diffie-Hellman DSA-like parameters](https://security.stackexchange.com/questions/95178/diffie-hellman-parameters-still-calculating-after-24-hours/95184#95184)
* [hstspreload.org](https://hstspreload.org)

33
public/assets/js/app.js
View File

@@ -39,6 +39,8 @@
force_https: true,
cert_type: 'letsencrypt',
ssl_profile: 'intermediate',
hsts: true,
email: '',
ssl_certificate: '',
ssl_certificate_key:'',
@@ -100,6 +102,21 @@
$scope.gzipTypes = 'text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml';
$scope.sslProfiles = {
modern: {
protocols: 'TLSv1.2',
ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
},
intermediate: {
protocols: 'TLSv1 TLSv1.1 TLSv1.2',
ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',
},
old: {
protocols: 'SSLv3 TLSv1 TLSv1.1 TLSv1.2',
ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
},
};
$scope.clipboardCopy = undefined;
@@ -293,6 +310,22 @@
return $scope.isHTTPS() && $scope.data.cert_type === 'custom';
};
$scope.isSSLProfileModern = function() {
return $scope.isHTTPS() && $scope.data.ssl_profile === 'modern';
};
$scope.isSSLProfileIntermediate = function() {
return $scope.isHTTPS() && $scope.data.ssl_profile === 'intermediate';
};
$scope.isSSLProfileOld = function() {
return $scope.isHTTPS() && $scope.data.ssl_profile === 'old';
};
$scope.isHSTS = function() {
return $scope.isHTTPS() && $scope.data.hsts;
};
$scope.isNonWWW = function() {
return $scope.data.non_www;
};

31
public/index.html
View File

@@ -135,6 +135,35 @@
</div>
</div>
</div>
<div class="form-subgroup pt-2" ng-if="isHTTPS()" ng-cloak>
SSL profile:
<div class="form-subgroup">
<div class="form-check">
<input class="form-check-input" type="radio" id="modern" ng-model="data.ssl_profile" value="modern">
<label class="form-check-label" for="modern">
<span tooltips tooltip-template="Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8">modern</span>
</label>
</div>
<div class="form-check">
<input class="form-check-input" type="radio" id="intermediate" ng-model="data.ssl_profile" value="intermediate">
<label class="form-check-label" for="intermediate">
<span tooltips tooltip-template="Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7">intermediate</span>
</label>
</div>
<div class="form-check">
<input class="form-check-input" type="radio" id="old" ng-model="data.ssl_profile" value="old">
<label class="form-check-label" for="old">
<span tooltips tooltip-template="Oldest compatible clients: Windows XP IE6, Java 6">old</span>
</label>
</div>
<div class="form-check">
<input class="form-check-input" type="checkbox" id="hsts" ng-model="data.hsts">
<label class="form-check-label" for="hsts">
<span tooltips tooltip-template="HTTP Strict Transport Security is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking.">HSTS</span>
</label>
</div>
</div>
</div>
<div class="mt-2">
<div class="form-group">
<div class="input-group input-group-sm">
@@ -359,7 +388,7 @@
<div class="col-md-6 col-lg-7 files">
<div class="row grid">
<div class="grid-sizer col-xl-6"></div>
<div ng-if="isHTTPS() || isWordPress()" class="grid-item col-xl-12" ng-cloak>
<div ng-if="(isHTTPS() && (isCertLetsEncrypt() || !isSSLProfileModern())) || isWordPress()" class="grid-item col-xl-12" ng-cloak>
<div class="commands">
<pre><code class="hljs bash" ng-include="'templates/commands.html?v=COMMIT_HASH'"></code></pre>
</div>

13
public/templates/commands.html
View File

@@ -1,15 +1,16 @@
<!--
✔ HTTPS --><span ng-if="isHTTPS()"><!--
✔ HTTPS --><span ng-if="isHTTPS() && !isSSLProfileModern()"><!--
--><span class="hljs-comment"># <strong>HTTPS</strong>: create Diffie-Hellman keys</span>
<span class="hljs-section">openssl dhparam</span> <span class="hljs-attribute">-dsaparam</span> <span class="hljs-attribute">-out</span> /etc/nginx/dhparam.pem <span class="hljs-number">2048</span><!--
<span class="hljs-section">openssl dhparam</span> <span class="hljs-attribute">-dsaparam</span> <span class="hljs-attribute">-out</span> /etc/nginx/dhparam.pem <span class="hljs-number">{{ isSSLProfileOld() ? 1024 : 2048 }}</span><!--
--></span><!--
--><span ng-if="isCertLetsEncrypt()">
</span></span><!--
✔ Let's Encrypt --><span ng-if="isCertLetsEncrypt()">
<span class="hljs-comment"># <strong>HTTPS</strong>: create ACME-challenge common directory</span>
✔ Let's Encrypt --><span ng-if="isCertLetsEncrypt()"><!--
--><span class="hljs-comment"># <strong>HTTPS</strong>: create ACME-challenge common directory</span>
<span class="hljs-section">sudo</span> <span class="hljs-attribute">-u</span> {{ data.user }} <span class="hljs-section">sh</span> <span class="hljs-attribute">-c</span> "<span class="hljs-section">mkdir</span> <span class="hljs-attribute">-p</span> /var/www/_letsencrypt"
<span class="hljs-comment"># <strong>HTTPS</strong>: certbot (obtain certificates)<br># disable before first run: <strong>ssl_certificate</strong>, <strong>ssl_certificate_key</strong>, <strong>ssl_trusted_certificate</strong></span>

21
public/templates/conf/_ssl.conf.html
View File

@@ -1,18 +1,21 @@
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0g&hsts=yes&profile=intermediate
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_session_tickets off;<!--
✘ SSLProfileModern --><span ng-if="!isSSLProfileModern()">
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_dhparam /etc/nginx/dhparam.pem;</span>
# intermediate configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# {{ data.ssl_profile }} configuration
ssl_protocols {{ sslProfiles[ data.ssl_profile ].protocols }};
ssl_ciphers {{ sslProfiles[ data.ssl_profile ].ciphers }};
ssl_prefer_server_ciphers on;<!--
# HSTS
add_header Strict-Transport-Security "max-age=15768000" always;
HSTS--><span ng-if="isHSTS()">
# HSTS (1 year, preload)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;</span>
# OCSP Stapling
ssl_stapling on;