This repository has been archived by the owner on Apr 23, 2019. It is now read-only.

How does one set Nginx attributes within the node file, example.com.json? #189

Open
conradwt opened this issue Mar 30, 2015 · 6 comments

Comments

@conradwt

I have read through the available documentation but how does one set the following Nginx attributes within the example.com.json:

ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate    /u/apps/example_production/shared/config/certificate.crt;
ssl_certificate_key /u/apps/sec_production/shared/config/certificate.key;
ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 10m;

Can this process be automated with the current software or is this a manual process?

@jvanbaarsen
Contributor

@berkes Is it possible to set this information with the NGINX config hooks you created a little while back?

@berkes
Collaborator

berkes commented Mar 31, 2015

@conradwt there are some placeholders for custom config. But I am not sure if they suit your case exactly.

server {
  listen 443 ssl;

  ssl_certificate /u/apps/example_com/shared/config/certificate.crt;
  ssl_certificate_key /u/apps/example_com/shared/config/certificate.key;

  server_name example.com;

  root /u/apps/example_com/current/public;

  location / {
    try_files $uri @app;
  }

  location @app {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;

    proxy_pass http://explained;
    <%= @custom_configuration["ssl_app"] %>
  }
  <%= @custom_configuration["ssl_main"] %>
}

The last may be of help to you. But I am not sure if that is too late in the config to define the settings. Could you try to set the following in your my_node_name.json:

  "nginx_custom": {
    "ssl_main": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;\nssl_session_cache shared:SSL:10m;\nssl_session_timeout 10m;",
    ...

That will insert the extra ssl-config at the bottom of your server { }-block for the SSL server. It might work, provided the exact order and place of these settings does not matter to nginx.

OTOH, it sounds like these settings might actually be sane and secure defaults. Would it make sense to include these settings by default in the recipes?

@jvanbaarsen
Contributor

@berkes Yeah I think adding these:

ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;

as default would be good! Will you make a PR for that? Or do you want me to do it?

@berkes
Collaborator

berkes commented Mar 31, 2015

@jvanbaarsen I don't have time in the coming days, so please don't wait for me :)

@jvanbaarsen
Contributor

@berkes Ok! I'll put it on the internal todo list :)

@conradwt
Author

@berkes I received these settings from the following resource:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html
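
An added example, not code from this repository or from anyone in the thread: a Ruby check that reads a node file, parses every snippet under "nginx_custom" and lists the protocol versions and cipher names it enables that are deprecated (RC4 by RFC 7465, SSLv3 by RFC 7568, TLS 1.0/1.1 by RFC 8996, plus DES/3DES, MD5, NULL and export suites). The node JSON is constructed from the value quoted in the thread, and the function names are hypothetical.

```ruby
require 'json'

# Constructed node file; the "nginx_custom"/"ssl_main" keys and value are the ones quoted in the thread.
NODE_JSON = <<~'JSON'
  {
    "nginx_custom": {
      "ssl_main": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;\nssl_session_cache shared:SSL:10m;\nssl_session_timeout 10m;"
    }
  }
JSON

# Deprecated protocol versions (SSLv3: RFC 7568, TLS 1.0/1.1: RFC 8996).
WEAK_PROTOCOLS = %w[SSLv2 SSLv3 TLSv1 TLSv1.1].freeze
# Cipher name fragments: RC4 (RFC 7465), DES/3DES, MD5, NULL and export suites.
WEAK_CIPHER = /RC4|DES|MD5|NULL|EXP/.freeze

# Split an nginx snippet into { "directive" => ["arg", ...] }.
# Assumes simple directives without quoted semicolons; a repeated directive keeps its last value.
def parse_directives(snippet)
  statements = snippet.split(';').map(&:strip).reject(&:empty?)
  statements.map do |stmt|
    name, *args = stmt.split
    [name, args]
  end.to_h
end

# Return a list of findings for one configuration snippet.
def audit_snippet(snippet)
  directives = parse_directives(snippet)
  protocols = directives.fetch('ssl_protocols', []).select { |p| WEAK_PROTOCOLS.include?(p) }
  # Entries prefixed with "!" or "-" in an OpenSSL cipher string are exclusions, so skip them.
  enabled = directives.fetch('ssl_ciphers', []).join.split(':').reject { |c| c.start_with?('!', '-') }
  protocols.map { |p| "ssl_protocols enables #{p}" } +
    enabled.grep(WEAK_CIPHER).map { |c| "ssl_ciphers enables #{c}" }
end

# Audit every hook under "nginx_custom" (the thread shows "ssl_main" and "ssl_app").
def audit_node(json_text)
  hooks = JSON.parse(json_text).fetch('nginx_custom', {})
  hooks.map { |hook, snippet| [hook, audit_snippet(snippet.to_s)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  audit_node(NODE_JSON).each do |hook, findings|
    findings.each { |finding| puts "#{hook}: #{finding}" }
  end
end
```
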
