summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2016-08-08 16:05:10 +0200
committerChristian Grothoff <christian@grothoff.org>2016-08-08 16:05:10 +0200
commit280733bd93af564f84c3bb7bc045d00a5af25588 (patch)
tree0d01a9cec9706007252c9b62fcee60d8408fd08d
parente4ac947e23cf2d1ce4a4e280ec9f89d6a098b99a (diff)
downloaddeployment-280733bd93af564f84c3bb7bc045d00a5af25588.tar.gz
deployment-280733bd93af564f84c3bb7bc045d00a5af25588.tar.bz2
deployment-280733bd93af564f84c3bb7bc045d00a5af25588.zip
use inline TLS config everywhere, enable includeSubDomains directive
-rw-r--r--etc/nginx/conf.d/talerssl2
-rw-r--r--etc/nginx/sites-enabled/api-ssl.site10
-rw-r--r--etc/nginx/sites-enabled/buildbot-ssl.site10
-rw-r--r--etc/nginx/sites-enabled/decentralise-ssl.site10
-rw-r--r--etc/nginx/sites-enabled/gauger-ssl.site10
-rw-r--r--etc/nginx/sites-enabled/git-ssl.site10
-rw-r--r--etc/nginx/sites-enabled/lcov-ssl.site10
-rw-r--r--etc/nginx/sites-enabled/www-ssl.site10
-rw-r--r--etc/nginx/sites-enabled/www.git-ssl.site10
9 files changed, 9 insertions, 73 deletions
diff --git a/etc/nginx/conf.d/talerssl b/etc/nginx/conf.d/talerssl
index 3deae2c..1f6aacb 100644
--- a/etc/nginx/conf.d/talerssl
+++ b/etc/nginx/conf.d/talerssl
@@ -6,4 +6,4 @@ ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-add_header Strict-Transport-Security "max-age=63072000; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
diff --git a/etc/nginx/sites-enabled/api-ssl.site b/etc/nginx/sites-enabled/api-ssl.site
index c0cf2bd..37cc459 100644
--- a/etc/nginx/sites-enabled/api-ssl.site
+++ b/etc/nginx/sites-enabled/api-ssl.site
@@ -9,15 +9,7 @@ server {
server_name api.taler.net;
server_name www.api.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
autoindex off;
diff --git a/etc/nginx/sites-enabled/buildbot-ssl.site b/etc/nginx/sites-enabled/buildbot-ssl.site
index 8b7332f..a79d3cd 100644
--- a/etc/nginx/sites-enabled/buildbot-ssl.site
+++ b/etc/nginx/sites-enabled/buildbot-ssl.site
@@ -8,15 +8,7 @@ server {
# Make site accessible from http://localhost/
server_name buildbot.taler.net;
server_name www.buildbot.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
proxy_pass http://localhost:8010;
diff --git a/etc/nginx/sites-enabled/decentralise-ssl.site b/etc/nginx/sites-enabled/decentralise-ssl.site
index 866107f..9dd0470 100644
--- a/etc/nginx/sites-enabled/decentralise-ssl.site
+++ b/etc/nginx/sites-enabled/decentralise-ssl.site
@@ -8,15 +8,7 @@ server {
# Make site accessible from http://localhost/
server_name www.decentralise.rennes.inria.fr;
server_name decentralise.rennes.inria.fr;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
rewrite / http://www.inria.fr/en/teams/decentralise redirect;
}
diff --git a/etc/nginx/sites-enabled/gauger-ssl.site b/etc/nginx/sites-enabled/gauger-ssl.site
index 89eb339..e889b59 100644
--- a/etc/nginx/sites-enabled/gauger-ssl.site
+++ b/etc/nginx/sites-enabled/gauger-ssl.site
@@ -8,15 +8,7 @@ server {
# Make site accessible from http://localhost/
server_name gauger.taler.net;
server_name www.gauger.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
proxy_pass http://localhost:1801;
diff --git a/etc/nginx/sites-enabled/git-ssl.site b/etc/nginx/sites-enabled/git-ssl.site
index f64bd05..338dde4 100644
--- a/etc/nginx/sites-enabled/git-ssl.site
+++ b/etc/nginx/sites-enabled/git-ssl.site
@@ -6,15 +6,7 @@ server {
root /var/git;
# Make site accessible from http://localhost/
server_name git.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
autoindex off;
diff --git a/etc/nginx/sites-enabled/lcov-ssl.site b/etc/nginx/sites-enabled/lcov-ssl.site
index e3f313d..0620bfe 100644
--- a/etc/nginx/sites-enabled/lcov-ssl.site
+++ b/etc/nginx/sites-enabled/lcov-ssl.site
@@ -8,15 +8,7 @@ server {
# Make site accessible from http://localhost/
server_name lcov.taler.net;
server_name www.lcov.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
autoindex on;
diff --git a/etc/nginx/sites-enabled/www-ssl.site b/etc/nginx/sites-enabled/www-ssl.site
index 7e234ec..de5d59c 100644
--- a/etc/nginx/sites-enabled/www-ssl.site
+++ b/etc/nginx/sites-enabled/www-ssl.site
@@ -7,15 +7,7 @@ server {
# Make site accessible from http://localhost/
server_name taler.net;
server_name www.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
root /var/www/taler.net;
diff --git a/etc/nginx/sites-enabled/www.git-ssl.site b/etc/nginx/sites-enabled/www.git-ssl.site
index 404585d..4ac7cfa 100644
--- a/etc/nginx/sites-enabled/www.git-ssl.site
+++ b/etc/nginx/sites-enabled/www.git-ssl.site
@@ -6,15 +6,7 @@ server {
# Make site accessible from http://localhost/
server_name www.git.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location /index.cgi {
root /usr/share/gitweb/;