From a10d1b50bf7859d5b2c156c7a2a75192b12541d1 Mon Sep 17 00:00:00 2001
From: Kuo-Cheng Yeu
Date: Thu, 21 May 2015 15:19:58 +0800
Subject: [PATCH 1/3] add support for ssl_dhparams to prevent 'Logjam' attack
---
 nginx.tmpl | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/nginx.tmpl b/nginx.tmpl
index e7a4542..50574c4 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -105,6 +105,10 @@ server {
 ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
 ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+ {{ if (exists (printf "/etc/nginx/certs/%s.dhparams.pem" $cert)) }}
+ ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparams.pem" $cert }};
+ {{ end }}
+
 add_header Strict-Transport-Security "max-age=31536000";
 {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
From da0191a778443692745845add08b1ff39d10b368 Mon Sep 17 00:00:00 2001
From: Kuo-Cheng Yeu
Date: Thu, 21 May 2015 15:37:19 +0800
Subject: [PATCH 2/3] add 'Diffie-Hellman Groups' section in README.md
---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/README.md b/README.md
index e4cfac3..b078315 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,12 @@ hosts in use. The certificate and keys should be named after the virtual host w
 `.key` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a `foo.bar.com.crt` and `foo.bar.com.key` file in the certs directory.
+#### Diffie-Hellman Groups
+
+If you have Diffie-Hellman groups enabled, the files should be named after the virtual host with a
+`dhparams` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com`
+should have a `foo.bar.com.dhparams.pem` file in the certs directory.
+
 #### Wildcard Certificates
 Wildcard certificates and keys should be name after the domain name with a `.crt` and `.key` extension.
From d74a4146c82e14664bf7da80260b6e3a01be8276 Mon Sep 17 00:00:00 2001
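Review bot: The `ssl_dhparam` line is emitted only when a per-certificate `<cert>.dhparams.pem` exists, so a host without that file silently keeps nginx's built-in DH parameters (1024-bit on nginx releases of this era), which is the very weakness the subject line says the patch addresses, and nothing in the hunk offers a shared default or surfaces the omission. A fallback branch before the existing `{{ end }}` would close the gap: `{{ else if (exists "/etc/nginx/certs/dhparam.pem") }}` followed by `ssl_dhparam /etc/nginx/certs/dhparam.pem;`. Because only existence is checked, a truncated or malformed file breaks the whole nginx configuration rather than this vhost alone, so the accompanying README text should state that the file must be a PEM-encoded DH group of at least 2048 bits (as produced by `openssl dhparam`). The directive also only matters while the `ssl_ciphers` list, which lies outside this hunk, still offers DHE suites, which is worth a one-line comment next to the block. Building the path once with `{{ $dhparam := (printf "/etc/nginx/certs/%s.dhparams.pem" $cert) }}` and reusing it in both the `exists` test and the directive keeps the two strings in step.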
From: Kuo-Cheng Yeu
Date: Thu, 21 May 2015 23:43:09 +0800
Subject: [PATCH 3/3] fix indention, and file nameing
---
 README.md | 4 ++--
 nginx.tmpl | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index b078315..8bab1ec 100644
--- a/README.md
+++ b/README.md
@@ -86,8 +86,8 @@ hosts in use. The certificate and keys should be named after the virtual host w
 #### Diffie-Hellman Groups
 If you have Diffie-Hellman groups enabled, the files should be named after the virtual host with a
-`dhparams` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com`
-should have a `foo.bar.com.dhparams.pem` file in the certs directory.
+`dhparam` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com`
+should have a `foo.bar.com.dhparam.pem` file in the certs directory.
 #### Wildcard Certificates
diff --git a/nginx.tmpl b/nginx.tmpl
index 50574c4..f674b49 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -105,9 +105,9 @@ server {
 ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
 ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
- {{ if (exists (printf "/etc/nginx/certs/%s.dhparams.pem" $cert)) }}
- ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparams.pem" $cert }};
- {{ end }}
+ {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
+ ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
+ {{ end }}
 add_header Strict-Transport-Security "max-age=31536000";