From 415f10406fe2a0c51682f65c96c9d8c117dc772b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= Date: Wed, 7 Nov 2018 09:55:59 +0100 Subject: [PATCH] web: split TLS configuration and make it stronger Resources: - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ - https://weakdh.org/sysadmin.html --- web/rootfs/defaults/default | 5 ++--- web/rootfs/defaults/ssl.conf | 16 ++++++++++++++++ web/rootfs/etc/cont-init.d/10-config | 8 ++++++++ 3 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 web/rootfs/defaults/ssl.conf diff --git a/web/rootfs/defaults/default b/web/rootfs/defaults/default index 3495abd..ddc8b13 100644 --- a/web/rootfs/defaults/default +++ b/web/rootfs/defaults/default @@ -2,11 +2,10 @@ server { listen 80 default_server; listen 443 ssl; - ssl_certificate /config/keys/cert.crt; - ssl_certificate_key /config/keys/cert.key; - server_name _; + include /config/nginx/ssl.conf; + client_max_body_size 0; root /usr/share/jitsi-meet; diff --git a/web/rootfs/defaults/ssl.conf b/web/rootfs/defaults/ssl.conf new file mode 100644 index 0000000..2132e2f --- /dev/null +++ b/web/rootfs/defaults/ssl.conf @@ -0,0 +1,16 @@ +# session settings +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; + +# Diffie-Hellman parameter for DHE cipher suites +ssl_dhparam /config/nginx/dhparams.pem; + +# ssl certs +ssl_certificate /config/keys/cert.crt; +ssl_certificate_key /config/keys/cert.key; + +# protocols +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_prefer_server_ciphers on; +ssl_ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS; diff --git a/web/rootfs/etc/cont-init.d/10-config b/web/rootfs/etc/cont-init.d/10-config index cb4cb1b..d6ba8c1 100644 --- a/web/rootfs/etc/cont-init.d/10-config +++ b/web/rootfs/etc/cont-init.d/10-config 
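Review bot: The new ssl.conf still enables TLS 1.0 and 1.1 on the `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line, and the `ssl_ciphers` list keeps the `RSA+AESGCM:RSA+AES` suites, which use static RSA key exchange and so offer no forward secrecy; both weaken the "make it stronger" goal of the commit. Unless old clients must be supported, tighten them to `ssl_protocols TLSv1.2;` and `ssl_ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS;` (TLSv1.3 can be added once the image's nginx and OpenSSL are known to support it). The `# protocols` comment covers the cipher lines as well; a comment such as `# protocols and ciphers (no TLS < 1.2, forward-secret suites first)` would document the intent for whoever edits the copy in /config/nginx later. Because 10-config only copies this file when /config/nginx/ssl.conf is absent, existing deployments keep whatever list they have, so the stronger defaults should be decided now rather than patched afterwards.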
@@ -12,6 +12,14 @@ if [[ ! -f /config/nginx/nginx.conf ]]; then cp /defaults/nginx.conf /config/nginx/nginx.conf fi +if [[ ! -f /config/nginx/ssl.conf ]]; then + cp /defaults/ssl.conf /config/nginx/ssl.conf +fi + +if [ ! -f "/config/nginx/dhparams.pem" ]; then + openssl dhparam -out /config/nginx/dhparams.pem 2048 +fi + if [[ ! -f /config/nginx/site-confs/default ]]; then tpl /defaults/default > /config/nginx/site-confs/default fi
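Review bot: The `openssl dhparam -out /config/nginx/dhparams.pem 2048` line writes directly to the final path and its exit status is never checked, so an interrupted or failed run (the 2048-bit generation can take a long time at first start) can leave a truncated dhparams.pem behind; the `! -f` guard then skips regeneration on every later start and nginx fails to load `ssl_dhparam`. Generate into a temporary file and move it into place only on success: `openssl dhparam -out /config/nginx/dhparams.pem.tmp 2048 && \` followed by `    mv /config/nginx/dhparams.pem.tmp /config/nginx/dhparams.pem`. A short comment such as `# one-time DH parameter generation; slow on first start` above the block would explain the startup delay to operators. As a point of style, this new test uses `[ ]` while the surrounding tests in the same hunk use `[[ ]]`; matching the existing form keeps the script consistent.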