From 05bba204386ab3744d53d212098d51c1f7d68bde Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Wed, 3 Jun 2020 23:41:50 +0200
Subject: [PATCH] webserver: allow only a single cipher setting

The documentation allows setting ssl_protocols in both http and server
blocks. However, setting different protocols on the same socket that is
used across servers is unsupported. This is only clear from a five year
old bug report, referencing even older mailing list posts. All our
setups use different server blocks on the same IP address and ports,
thus the possibility of configuring different settings per server is
removed, to make it clearer what is supported.

See: https://trac.nginx.org/nginx/ticket/766
---
 webserver/templates/nginx-proxy.conf | 6 ++++++
 webserver/templates/ssl-certificate  | 7 -------
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/webserver/templates/nginx-proxy.conf b/webserver/templates/nginx-proxy.conf
index c9b9974..8decc0e 100644
--- a/webserver/templates/nginx-proxy.conf
+++ b/webserver/templates/nginx-proxy.conf
@@ -59,6 +59,12 @@ http {
     ##
     # SSL Settings
     ##
+    ssl_protocols {{protocols[cipher_strength]}};
+    ssl_prefer_server_ciphers {{'on' if prefer_server_ciphers[cipher_strength] else 'off'}};
+    {% if ciphers[cipher_strength] is not none %}
+    ssl_ciphers '{{ciphers[cipher_strength]}}';
+    {% endif %}
+
     ssl_session_timeout 1d;
     ssl_session_cache shared:SSL:50m;
     ssl_session_tickets off;
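Review bot: The new http-level lines read only the global `cipher_strength`, so any `server.cipher_strength` value still present in host data is now silently ignored rather than rejected, and an operator relying on a stronger per-server setting would not notice that the weaker global one applies. Since the reason is non-obvious (nginx applies the first server's TLS settings to a shared listen socket, per the ticket in the commit message), the template should say so next to the new directives, e.g. `# TLS protocol/cipher settings are global on purpose: servers sharing a listen socket cannot differ (see nginx ticket 766 in the commit message).` I would also consider having the deployment fail loudly if a host still defines the old per-server key, rather than dropping it; how to do that depends on the templating layer, which is not visible here. The enclosing `http {}` block starts and ends outside the hunk.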
diff --git a/webserver/templates/ssl-certificate b/webserver/templates/ssl-certificate
index 5ddb5e2..50f3390 100644
--- a/webserver/templates/ssl-certificate
+++ b/webserver/templates/ssl-certificate
@@ -1,10 +1,3 @@
     ssl_certificate {{server.certificate|default("/etc/ssl/acmebot/cert/" + server.server_name + ".pem")}};
     ssl_trusted_certificate {{server.certificate|default("/etc/ssl/acmebot/cert/" + server.server_name + ".pem")}};
     ssl_certificate_key {{server.private_key|default("/etc/ssl/acmebot/privkey/" + server.server_name + ".pem")}};
-
-    {% set strength = server.cipher_strength|default(cipher_strength) %}
-    ssl_protocols {{protocols[strength]}};
-    ssl_prefer_server_ciphers {{'on' if prefer_server_ciphers[strength] else 'off'}};
-    {% if ciphers[strength] is not none %}
-    ssl_ciphers '{{ciphers[strength]}}';
-    {% endif %}
-- 
GitLab