Config for NGINX SSL/TLS.

This adds additional SSL/TLS config to specify the acceptable TLS
version, cipher suites, session cache, etc. Values are currently based
on the Mozilla Foundation's recommendations for intermediate
compatibility:

https://wiki.mozilla.org/Security/Server_Side_TLS

We will manage NGINX configuration snippets as a K8s ConfigMap so that
they can be included in server blocks as-needed.

deploy/azure/atst-nginx-configmap.yml

@@ -41,6 +41,9 @@ data:
         listen [::]:${PORT_PREFIX}442 ssl ipv6only=on;
         ssl_certificate /etc/ssl/private/atat.crt;
         ssl_certificate_key /etc/ssl/private/atat.key;
+        # additional SSL/TLS settings
+        include /etc/nginx/snippets/ssl.conf
+
         location /login-redirect {
             return 301 https://auth-azure.atat.code.mil$request_uri;
         }
@@ -75,8 +78,9 @@ data:
         ssl_verify_client on;
         ssl_verify_depth 10;
         ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
-        # Guard against HTTPS -> HTTP downgrade
+        # additional SSL/TLS settings
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
+        include /etc/nginx/snippets/ssl.conf
+
         location / {
             return 301 https://azure.atat.code.mil$request_uri;
         }

deploy/azure/azure.yml

@@ -74,6 +74,8 @@ spec:
               mountPath: "/etc/ssl/"
             - name: acme
               mountPath: "/usr/share/nginx/html/.well-known/acme-challenge/"
+            - name: snippets
+              mountPath: "/etc/nginx/snippets/"
       volumes:
         - name: atst-config
           secret:
@@ -131,6 +133,9 @@ spec:
               - key: uwsgi.ini
                 path: uwsgi.ini
                 mode: 0644
+        - name: snippets
+          configMap:
+            name: nginx-snippets
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -157,13 +162,14 @@ spec:
       containers:
         - name: atst-worker
           image: $CONTAINER_IMAGE
-          args: [
+          args:
+            [
               "/opt/atat/atst/.venv/bin/python",
               "/opt/atat/atst/.venv/bin/celery",
               "-A",
               "celery_worker.celery",
               "worker",
-            "--loglevel=info"
+              "--loglevel=info",
             ]
           envFrom:
             - configMapRef:
@@ -218,13 +224,14 @@ spec:
       containers:
         - name: atst-beat
           image: $CONTAINER_IMAGE
-          args: [
+          args:
+            [
               "/opt/atat/atst/.venv/bin/python",
               "/opt/atat/atst/.venv/bin/celery",
               "-A",
               "celery_worker.celery",
               "beat",
-            "--loglevel=info"
+              "--loglevel=info",
             ]
           envFrom:
             - configMapRef:

deploy/azure/kustomization.yaml

@@ -11,3 +11,4 @@ resources:
   - nginx-client-ca-bundle.yml
   - acme-challenges.yml
   - aadpodidentity.yml
+  - nginx-snippets.yml

deploy/azure/nginx-snippets.yml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-snippets
+  namespace: atat
+data:
+  ssl.conf: |-
+    # Guard against HTTPS -> HTTP downgrade
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
+    # Set SSL protocols, ciphers, and related options
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+    ssl_prefer_server_ciphers on;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_dhparam /etc/ssl/dhparam.pem;
+    # SSL session options
+    ssl_session_timeout 4h;
+    ssl_session_cache shared:SSL:10m;   # 1mb = ~4000 sessions
+    ssl_session_tickets off;
+    # OCSP Stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.8.8 8.8.4.4;