From 280733bd93af564f84c3bb7bc045d00a5af25588 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Mon, 8 Aug 2016 16:05:10 +0200 Subject: use inline TLS config everywhere, enable includeSubDomains directive --- etc/nginx/conf.d/talerssl | 2 +- etc/nginx/sites-enabled/api-ssl.site | 10 +--------- etc/nginx/sites-enabled/buildbot-ssl.site | 10 +--------- etc/nginx/sites-enabled/decentralise-ssl.site | 10 +--------- etc/nginx/sites-enabled/gauger-ssl.site | 10 +--------- etc/nginx/sites-enabled/git-ssl.site | 10 +--------- etc/nginx/sites-enabled/lcov-ssl.site | 10 +--------- etc/nginx/sites-enabled/www-ssl.site | 10 +--------- etc/nginx/sites-enabled/www.git-ssl.site | 10 +--------- 9 files changed, 9 insertions(+), 73 deletions(-) diff --git a/etc/nginx/conf.d/talerssl b/etc/nginx/conf.d/talerssl index 3deae2c..1f6aacb 100644 --- a/etc/nginx/conf.d/talerssl +++ b/etc/nginx/conf.d/talerssl @@ -6,4 +6,4 @@ ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; -add_header Strict-Transport-Security "max-age=63072000; preload"; +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; diff --git a/etc/nginx/sites-enabled/api-ssl.site b/etc/nginx/sites-enabled/api-ssl.site index c0cf2bd..37cc459 100644 --- a/etc/nginx/sites-enabled/api-ssl.site +++ b/etc/nginx/sites-enabled/api-ssl.site @@ -9,15 +9,7 @@ server { server_name api.taler.net; server_name www.api.taler.net; - ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /etc/ssl/certs/dhparam.pem; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - - add_header Strict-Transport-Security "max-age=63072000; preload"; + include conf.d/talerssl; location / { autoindex off; diff --git a/etc/nginx/sites-enabled/buildbot-ssl.site b/etc/nginx/sites-enabled/buildbot-ssl.site index 8b7332f..a79d3cd 100644 --- a/etc/nginx/sites-enabled/buildbot-ssl.site +++ b/etc/nginx/sites-enabled/buildbot-ssl.site @@ -8,15 +8,7 @@ server { # Make site accessible from http://localhost/ server_name buildbot.taler.net; server_name www.buildbot.taler.net; - ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /etc/ssl/certs/dhparam.pem; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - - add_header Strict-Transport-Security "max-age=63072000; preload"; + include conf.d/talerssl; location / { proxy_pass http://localhost:8010; diff --git a/etc/nginx/sites-enabled/decentralise-ssl.site b/etc/nginx/sites-enabled/decentralise-ssl.site index 866107f..9dd0470 100644 --- a/etc/nginx/sites-enabled/decentralise-ssl.site +++ b/etc/nginx/sites-enabled/decentralise-ssl.site @@ -8,15 +8,7 @@ server { # Make site accessible from http://localhost/ server_name www.decentralise.rennes.inria.fr; server_name decentralise.rennes.inria.fr; - ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /etc/ssl/certs/dhparam.pem; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - - add_header Strict-Transport-Security "max-age=63072000; preload"; + include conf.d/talerssl; rewrite / http://www.inria.fr/en/teams/decentralise redirect; } diff --git a/etc/nginx/sites-enabled/gauger-ssl.site b/etc/nginx/sites-enabled/gauger-ssl.site index 89eb339..e889b59 100644 --- a/etc/nginx/sites-enabled/gauger-ssl.site +++ b/etc/nginx/sites-enabled/gauger-ssl.site @@ -8,15 +8,7 @@ server { # Make site accessible from http://localhost/ server_name gauger.taler.net; server_name www.gauger.taler.net; - ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /etc/ssl/certs/dhparam.pem; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - - add_header Strict-Transport-Security "max-age=63072000; preload"; + include conf.d/talerssl; location / { proxy_pass http://localhost:1801; diff --git a/etc/nginx/sites-enabled/git-ssl.site b/etc/nginx/sites-enabled/git-ssl.site index f64bd05..338dde4 100644 --- a/etc/nginx/sites-enabled/git-ssl.site +++ b/etc/nginx/sites-enabled/git-ssl.site @@ -6,15 +6,7 @@ server { root /var/git; # Make site accessible from http://localhost/ server_name git.taler.net; - ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /etc/ssl/certs/dhparam.pem; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - - add_header Strict-Transport-Security "max-age=63072000; preload"; + include conf.d/talerssl; location / { autoindex off; diff --git a/etc/nginx/sites-enabled/lcov-ssl.site b/etc/nginx/sites-enabled/lcov-ssl.site index e3f313d..0620bfe 100644 --- a/etc/nginx/sites-enabled/lcov-ssl.site +++ b/etc/nginx/sites-enabled/lcov-ssl.site @@ -8,15 +8,7 @@ server { # Make site accessible from http://localhost/ server_name lcov.taler.net; server_name www.lcov.taler.net; - ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /etc/ssl/certs/dhparam.pem; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - - add_header Strict-Transport-Security "max-age=63072000; preload"; + include conf.d/talerssl; location / { autoindex on; diff --git a/etc/nginx/sites-enabled/www-ssl.site b/etc/nginx/sites-enabled/www-ssl.site index 7e234ec..de5d59c 100644 --- a/etc/nginx/sites-enabled/www-ssl.site +++ b/etc/nginx/sites-enabled/www-ssl.site @@ -7,15 +7,7 @@ server { # Make site accessible from http://localhost/ server_name taler.net; server_name www.taler.net; - ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /etc/ssl/certs/dhparam.pem; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - - add_header Strict-Transport-Security "max-age=63072000; preload"; + include conf.d/talerssl; location / { root /var/www/taler.net; diff --git a/etc/nginx/sites-enabled/www.git-ssl.site b/etc/nginx/sites-enabled/www.git-ssl.site index 404585d..4ac7cfa 100644 --- a/etc/nginx/sites-enabled/www.git-ssl.site +++ b/etc/nginx/sites-enabled/www.git-ssl.site @@ -6,15 +6,7 @@ server { # Make site accessible from http://localhost/ server_name www.git.taler.net; - ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /etc/ssl/certs/dhparam.pem; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - - add_header Strict-Transport-Security "max-age=63072000; preload"; + include conf.d/talerssl; location /index.cgi { root /usr/share/gitweb/; -- cgit v1.2.3