Merge pull request #1521 from RotherOSS/issue-#1518-nginx_config

Issue #1518 nginx config

scripts/nginx/snippets/ssl-params.conf

@@ -1,17 +1,34 @@
 # See https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04
+# See https://ssl-config.mozilla.org/ , going for the intermediate configuration
 
-ssl_protocols TLSv1.2;
-ssl_prefer_server_ciphers on;
+# TLS 1.0, TLS 1.1, and SSL v2 are obsolete
+# TLS 1.2 is still used by browsers
+ssl_protocols TLSv1.2 TLSv1.3;
+
+# all activated ciphers are safe, the browser can specify what the fastest is for her
+ssl_prefer_server_ciphers off;
+
+# Presumables the diffie hellman parameters are included in the certificate.
 #ssl_dhparam /etc/nginx/dhparam.pem;
-ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
-ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
-ssl_session_timeout  10m;
+
+# ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305 are not included even though they are
+# considered to be safe, however they are not included Technische Richtlinie TR-02102-2 of the BSI
+#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+# Trusting the recommendation from https://ssl-config.mozilla.org/
+ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:10m;
-ssl_session_tickets off; # Requires nginx >= 1.5.9
-ssl_stapling on; # Requires nginx >= 1.3.7
-ssl_stapling_verify on; # Requires nginx => 1.3.7
+ssl_session_tickets off;
+
+# OCSP stapling is considered to be a good thing, https://en.wikipedia.org/wiki/OCSP_stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
 #resolver 8.8.8.8 8.8.4.4 valid=300s;
 #resolver_timeout 5s;
+
 # Disable strict transport security for now. You can uncomment the following
 # line if you understand the implications.
+# Be aware that static content migth be treated differentyl from dynamic content.
 # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

scripts/nginx/templates/otobo_nginx-kerberos.conf.template

@@ -26,10 +26,11 @@ server {
 
 # serve HTTPS
 server {
-    listen 8443 ssl;
-    listen [::]:8443 ssl;
+    listen 8443 ssl http2;                # falls back to regular HTTPS over HTTP/1.1 when the browser does not support HTTP/2
+    listen [::]:8443 ssl http2;
 
-    # see https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04
+    # See https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04
+    # See https://ssl-config.mozilla.org/
     include snippets/ssl-params.conf;
     ssl_certificate     ${OTOBO_NGINX_SSL_CERTIFICATE};
     ssl_certificate_key ${OTOBO_NGINX_SSL_CERTIFICATE_KEY};

scripts/nginx/templates/otobo_nginx.conf.template

@@ -26,10 +26,11 @@ server {
 
 # serve HTTPS
 server {
-    listen 8443 ssl;
-    listen [::]:8443 ssl;
+    listen 8443 ssl http2;                # falls back to regular HTTPS over HTTP/1.1 when the browser does not support HTTP/2
+    listen [::]:8443 ssl http2;
 
-    # see https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04
+    # See https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04
+    # See https://ssl-config.mozilla.org/
     include snippets/ssl-params.conf;
     ssl_certificate     ${OTOBO_NGINX_SSL_CERTIFICATE};
     ssl_certificate_key ${OTOBO_NGINX_SSL_CERTIFICATE_KEY};