From 05bba204386ab3744d53d212098d51c1f7d68bde Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Wed, 3 Jun 2020 23:41:50 +0200
Subject: [PATCH] webserver: allow only a single cipher setting
The documentation allows setting ssl_protocols in both http and server blocks. However, setting different protocols on the same socket that is used across servers is unsupported. This is only clear from a five year old bug report, referencing even older mailing list posts. All our setups use different server blocks on the same IP address and ports, thus the possibility to configure different settings per server is removed to be more clear in what is supported.
See: https://trac.nginx.org/nginx/ticket/766
---
 webserver/templates/nginx-proxy.conf | 6 ++++++
 webserver/templates/ssl-certificate | 7 -------
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/webserver/templates/nginx-proxy.conf b/webserver/templates/nginx-proxy.conf
index c9b9974..8decc0e 100644
--- a/webserver/templates/nginx-proxy.conf
+++ b/webserver/templates/nginx-proxy.conf
@@ -59,6 +59,12 @@ http {
 ##
 # SSL Settings
 ##
+ ssl_protocols {{protocols[cipher_strength]}};
+ ssl_prefer_server_ciphers {{'on' if prefer_server_ciphers[cipher_strength] else 'off'}};
+ {% if ciphers[cipher_strength] is not none %}
+ ssl_ciphers '{{ciphers[cipher_strength]}}';
+ {% endif %}
+
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
diff --git a/webserver/templates/ssl-certificate b/webserver/templates/ssl-certificate
index 5ddb5e2..50f3390 100644
--- a/webserver/templates/ssl-certificate
+++ b/webserver/templates/ssl-certificate
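Review bot: The added lines index `protocols`, `prefer_server_ciphers` and `ciphers` with `cipher_strength` and nothing guards against a value that is not a key of those maps; with a lenient undefined the render emits `ssl_protocols ;`, which nginx only rejects later at `nginx -t`, so the failure should be made explicit before the first lookup (if this is an Ansible role, as the templates/ path suggests, an assert task on `cipher_strength in protocols` ahead of the template task). Since the companion ssl-certificate hunk deletes the `server.cipher_strength` override, a server entry that still sets it is now silently ignored and receives the http-level setting, whether that is stronger or weaker than what the entry asked for; the same assertion should fail when any server still defines `cipher_strength` so a stale per-host expectation is noticed rather than quietly dropped. A comment above the new `ssl_protocols` line would also save the next reader the trip to the ticket, e.g. `# TLS protocol/cipher settings are per listen socket, not per server block (nginx ticket 766); set them once here`. The `{% if ciphers[cipher_strength] is not none %}` branch falls back to nginx's built-in default cipher list when the map entry is `None`; a one-line comment stating that this is intended would make the `None` convention visible at the point of use.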
@@ -1,10 +1,3 @@
 ssl_certificate {{server.certificate|default("/etc/ssl/acmebot/cert/" + server.server_name + ".pem")}};
 ssl_trusted_certificate {{server.certificate|default("/etc/ssl/acmebot/cert/" + server.server_name + ".pem")}};
 ssl_certificate_key {{server.private_key|default("/etc/ssl/acmebot/privkey/" + server.server_name + ".pem")}};
-
- {% set strength = server.cipher_strength|default(cipher_strength) %}
- ssl_protocols {{protocols[strength]}};
- ssl_prefer_server_ciphers {{'on' if prefer_server_ciphers[strength] else 'off'}};
- {% if ciphers[strength] is not none %}
- ssl_ciphers '{{ciphers[strength]}}';
- {% endif %}
--
GitLab