commit 280733bd93af564f84c3bb7bc045d00a5af25588
parent e4ac947e23cf2d1ce4a4e280ec9f89d6a098b99a
Author: Christian Grothoff <christian@grothoff.org>
Date: Mon, 8 Aug 2016 16:05:10 +0200
use inline TLS config everywhere, enable includeSubDomains directive
Diffstat:
9 files changed, 9 insertions(+), 73 deletions(-)
diff --git a/etc/nginx/conf.d/talerssl b/etc/nginx/conf.d/talerssl
@@ -6,4 +6,4 @@ ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-add_header Strict-Transport-Security "max-age=63072000; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
diff --git a/etc/nginx/sites-enabled/api-ssl.site b/etc/nginx/sites-enabled/api-ssl.site
@@ -9,15 +9,7 @@ server {
server_name api.taler.net;
server_name www.api.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
autoindex off;
diff --git a/etc/nginx/sites-enabled/buildbot-ssl.site b/etc/nginx/sites-enabled/buildbot-ssl.site
@@ -8,15 +8,7 @@ server {
# Make site accessible from http://localhost/
server_name buildbot.taler.net;
server_name www.buildbot.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
proxy_pass http://localhost:8010;
diff --git a/etc/nginx/sites-enabled/decentralise-ssl.site b/etc/nginx/sites-enabled/decentralise-ssl.site
@@ -8,15 +8,7 @@ server {
# Make site accessible from http://localhost/
server_name www.decentralise.rennes.inria.fr;
server_name decentralise.rennes.inria.fr;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
rewrite / http://www.inria.fr/en/teams/decentralise redirect;
}
diff --git a/etc/nginx/sites-enabled/gauger-ssl.site b/etc/nginx/sites-enabled/gauger-ssl.site
@@ -8,15 +8,7 @@ server {
# Make site accessible from http://localhost/
server_name gauger.taler.net;
server_name www.gauger.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
proxy_pass http://localhost:1801;
diff --git a/etc/nginx/sites-enabled/git-ssl.site b/etc/nginx/sites-enabled/git-ssl.site
@@ -6,15 +6,7 @@ server {
root /var/git;
# Make site accessible from http://localhost/
server_name git.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
autoindex off;
diff --git a/etc/nginx/sites-enabled/lcov-ssl.site b/etc/nginx/sites-enabled/lcov-ssl.site
@@ -8,15 +8,7 @@ server {
# Make site accessible from http://localhost/
server_name lcov.taler.net;
server_name www.lcov.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
autoindex on;
diff --git a/etc/nginx/sites-enabled/www-ssl.site b/etc/nginx/sites-enabled/www-ssl.site
@@ -7,15 +7,7 @@ server {
# Make site accessible from http://localhost/
server_name taler.net;
server_name www.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location / {
root /var/www/taler.net;
diff --git a/etc/nginx/sites-enabled/www.git-ssl.site b/etc/nginx/sites-enabled/www.git-ssl.site
@@ -6,15 +6,7 @@ server {
# Make site accessible from http://localhost/
server_name www.git.taler.net;
- ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- add_header Strict-Transport-Security "max-age=63072000; preload";
+ include conf.d/talerssl;
location /index.cgi {
root /usr/share/gitweb/;
