enable HSTS, added rationales

JaneliaSciComp · Aug 3, 2024 · fc5d855 · fc5d855
1 parent d563b36
commit fc5d855
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/docker/include/ssl.conf b/docker/include/ssl.conf
@@ -1,25 +1,33 @@
-# generated 2024-08-02, Mozilla Guideline v5.7, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# Based on config generated 2024-08-02, Mozilla Guideline v5.7, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.7
 
+# Configure SSL sessions, see https://github.com/mozilla/server-side-tls/issues/198
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+
+# Disable SSL session tickets, see https://github.com/mozilla/server-side-tls/issues/135
 ssl_session_tickets off;
 
-# openssl dhparam -out dhparam.pem 4096
+# DH key for DHE ciphers
+# Generated using `openssl dhparam -out dhparam.pem 4096`
 ssl_dhparam /etc/nginx/conf/dhparam.pem;
 
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+
+# Prefering sever ciphers is no longer needed, see https://github.com/mozilla/server-side-tls/issues/260
 ssl_prefer_server_ciphers off;
 
 ## Strict Transport Security (HSTS): Yes
 # ngx_http_headers_module is required
-#add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
 
 # OCSP stapling
-ssl_stapling on;
-ssl_stapling_verify on;
+#ssl_stapling on;
+#ssl_stapling_verify on;
+# OCSP generates an error I haven't been able to solve:
+# jproxy_nginx | 2024/08/03 16:55:39 [error] 22#22: OCSP responder sent invalid "Content-Type" header: "text/html; charset=UTF-8" while requesting certificate status, responder: ocsp.sectigo.com, peer: 172.64.149.23:80, certificate: "/certs/wildcard.janelia.org/cert.crt"
 
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
 #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;