From d24d972d19d4665f4d0a934a1712fc351cc5a17e Mon Sep 17 00:00:00 2001
From: nono <np@laquadrature.net>
Date: Tue, 19 Jan 2021 19:30:40 +0100
Subject: [PATCH] Updated Nginx config

---
 files/etc/nginx/hedgedocs-nginx.conf.j2 | 35 ++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/files/etc/nginx/hedgedocs-nginx.conf.j2 b/files/etc/nginx/hedgedocs-nginx.conf.j2
index 445ab40..05ae994 100644
--- a/files/etc/nginx/hedgedocs-nginx.conf.j2
+++ b/files/etc/nginx/hedgedocs-nginx.conf.j2
@@ -3,7 +3,7 @@ map $http_upgrade $connection_upgrade {
         ''      close;
 }
 server {
-        server_name {{hedgedoc-domain}};
+        server_name {{ service_hedgedocs_domain }};
 
         location / {
                 proxy_pass http://127.0.0.1:3000;
@@ -25,8 +25,35 @@ server {
 
     listen [::]:443 ssl http2;
     listen 443 ssl http2;
-    ssl_certificate {{hedgedocs-ssl-fullchain}};
-    ssl_certificate_key {{hedgedocs-ssl-privkey}};
+
+    ssl_certificate /etc/letsencrypt/live/{{ service_hedgedocs_domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ service_hedgedocs_domain }}/fullchain.pem;
+
     include options-ssl-nginx.conf;
-    ssl_dhparam {{ hedgedocs-ssl-dhparams}};
+
+  	# Improve HTTPS performance with session resumption
+  	ssl_session_cache shared:SSL:10m;
+  	ssl_session_timeout 10m;
+
+	# Enable server-side protection against BEAST attacks
+  	ssl_protocols TLSv1.2;
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
+
+    # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
+    ssl_dhparam /etc/ssl/ffdhe4096.pem;
+    ssl_ecdh_curve secp521r1:secp384r1;
+
+	# Aditional Security Headers
+	# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+	# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+	add_header X-Frame-Options DENY always;
+
+	# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+	add_header X-Content-Type-Options nosniff always;
+
+	# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+	add_header X-Xss-Protection "1; mode=block" always;
 }
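Review bot: The new `ssl_certificate_key` line points at `fullchain.pem` rather than the private key, so nginx will fail to load the certificate/key pair for this server block; it should read `ssl_certificate_key /etc/letsencrypt/live/{{ service_hedgedocs_domain }}/privkey.pem;`. The HSTS `add_header` is also the only one without `always`, so it is dropped on error responses unlike the three headers below it, and note that headers declared at `server` level are not inherited by any `location` that sets its own `add_header` (the `location /` body is outside this hunk, so that cannot be checked here). The "BEAST" comment does not describe what `ssl_protocols TLSv1.2;` does — it disables TLS 1.0/1.1 and, as a side effect, TLS 1.3; a more accurate comment would be `# Only allow TLS 1.2 (TLS 1.3 is deliberately excluded here; add TLSv1.3 once supported)`. Finally, if the included `options-ssl-nginx.conf` (certbot's default) already sets `ssl_protocols`, `ssl_ciphers` or `ssl_session_cache`, nginx will reject the redeclarations in this block as duplicate directives, so one of the two sources should own those settings.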
-- 
GitLab