Config for NGINX SSL/TLS.

This adds additional SSL/TLS config to specify the acceptable TLS version, cipher suites, session cache, etc. Values are currently based on the Mozilla Foundation's recommendations for intermediate compatibility: https://wiki.mozilla.org/Security/Server_Side_TLS We will manage NGINX configuration snippets as a K8s ConfigMap so that they can be included in server blocks as-needed.
2019-11-14 14:20:17 -05:00
parent 26c5b5ea7f
commit a3aa3e6935
4 changed files with 106 additions and 70 deletions
--- a/deploy/azure/atst-nginx-configmap.yml
+++ b/deploy/azure/atst-nginx-configmap.yml
@@ -41,6 +41,9 @@ data:
        listen [::]:${PORT_PREFIX}442 ssl ipv6only=on;
        ssl_certificate /etc/ssl/private/atat.crt;
        ssl_certificate_key /etc/ssl/private/atat.key;
+        # additional SSL/TLS settings
+        include /etc/nginx/snippets/ssl.conf
+
        location /login-redirect {
            return 301 https://auth-azure.atat.code.mil$request_uri;
        }
@@ -75,8 +78,9 @@ data:
        ssl_verify_client on;
        ssl_verify_depth 10;
        ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
-        # Guard against HTTPS -> HTTP downgrade
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
+        # additional SSL/TLS settings
+        include /etc/nginx/snippets/ssl.conf
+
        location / {
            return 301 https://azure.atat.code.mil$request_uri;
        }