Config for NGINX SSL/TLS.

This adds additional SSL/TLS config to specify the acceptable TLS version, cipher suites, session cache, etc. Values are currently based on the Mozilla Foundation's recommendations for intermediate compatibility: https://wiki.mozilla.org/Security/Server_Side_TLS We will manage NGINX configuration snippets as a K8s ConfigMap so that they can be included in server blocks as-needed.
2019-11-14 14:20:17 -05:00
parent 26c5b5ea7f
commit a3aa3e6935
4 changed files with 106 additions and 70 deletions
--- a/deploy/azure/nginx-snippets.yml
+++ b/deploy/azure/nginx-snippets.yml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-snippets
+  namespace: atat
+data:
+  ssl.conf: |-
+    # Guard against HTTPS -> HTTP downgrade
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
+    # Set SSL protocols, ciphers, and related options
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+    ssl_prefer_server_ciphers on;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_dhparam /etc/ssl/dhparam.pem;
+    # SSL session options
+    ssl_session_timeout 4h;
+    ssl_session_cache shared:SSL:10m;   # 1mb = ~4000 sessions
+    ssl_session_tickets off;
+    # OCSP Stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.8.8 8.8.4.4;