diff --git a/beaglebone.txt b/beaglebone.txt
index 41d8853e..bf9d2c09 100644
--- a/beaglebone.txt
+++ b/beaglebone.txt
@@ -2542,17 +2542,19 @@ server {
 ssl on;
 ssl_certificate /etc/ssl/certs/mydomainname.com.crt;
 ssl_certificate_key /etc/ssl/private/mydomainname.com.key;
+ ssl_dhparam /etc/ssl/certs/mydomainname.com.dhparam;
 ssl_session_timeout 5m;
 ssl_prefer_server_ciphers on;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
 ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
- add_header Strict-Transport-Security "max-age=0;";
- # Only uncomment one of the Strict-Transport-Security entries if you are
- # not using a self-signed certificate
- # add_header Strict-Transport-Security max-age=15768000; # six months
- # use this only if all subdomains support HTTPS!
- # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header Strict-Transport-Security max-age=15768000;
+ # if you want to be able to access the site via HTTP
+ # then replace the above with the following:
+ # add_header Strict-Transport-Security "max-age=0;";
 # rewrite to front controller as default rule
 location / {
@@ -2657,7 +2659,12 @@ openssl req \
 -newkey rsa:2048 \
 -keyout /etc/ssl/private/$HOSTNAME.key \
 -out /etc/ssl/certs/$HOSTNAME.crt
+
+openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
+
 chmod 400 /etc/ssl/private/$HOSTNAME.key
+chmod 640 /etc/ssl/certs/$HOSTNAME.crt
+chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam
 /etc/init.d/nginx reload
 # add the public certificate to a separate directory 
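Review bot: `+ add_header Strict-Transport-Security max-age=15768000;` turns HSTS on unconditionally, and the replacement comment drops the removed lines' warning that it must stay at `max-age=0` while a self-signed certificate is in use; once a browser has stored the policy it refuses the certificate-error click-through for the whole six months, so readers on the guide's self-signed path (the `openssl req` step in the next hunk, whose `-x509` flag, if any, lies outside the hunk) lock themselves out. The new comment is also inaccurate: `max-age=0` only clears a stored HSTS policy, it does not make the site reachable over plain HTTP, which is decided by the `listen 80` redirect block. Suggest restoring the guidance as `# keep max-age=0 until the certificate is one browsers trust (not self-signed); six months once it is` and keeping the note that `includeSubDomains` is only safe when every subdomain serves HTTPS. Note too that nginx `add_header` is not inherited by a `location` that sets its own `add_header`, so if `location /` (opened at the end of the hunk, body outside it) adds any header, all three new headers disappear for that location; worth checking against the full server block. The same applies to the pump.io and ownCloud server blocks in the `-4998` and `-5541` hunks.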
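Review bot: `+openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam` generates a 1024-bit DH group, which is below current guidance (2048 bits or more) and is the size the Logjam research showed to be within reach of well-resourced attackers; because the server blocks' cipher list puts the `EDH+` (DHE) suites first with `ssl_prefer_server_ciphers on`, most clients will end up negotiating this weak group rather than an ECDHE suite. Suggest `openssl dhparam -out /etc/ssl/certs/$HOSTNAME.dhparam 2048`; `-check` and `-text` only slow the run and dump the parameters to the terminal, and `-5` is not needed. The `chmod 640` on the `.crt` and `.dhparam` files is harmless (nginx normally reads them as root at startup, confirm for this setup) but both are public data, so the tighter mode buys nothing; `chmod 400` on the key is the one that matters, and a short comment saying so, `# the certificate and DH parameters are public; only the key needs protecting`, would stop readers from assuming the dhparam file is a secret.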
@@ -4998,17 +5005,18 @@ server {
 ssl on;
 ssl_certificate /etc/ssl/certs/mypumpiodomainname.com.bundle.crt;
 ssl_certificate_key /etc/ssl/private/mypumpiodomainname.com.key;
+ ssl_dhparam /etc/ssl/certs/mypumpiodomainname.com.dhparam;
 ssl_session_timeout 5m;
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
 ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
- add_header Strict-Transport-Security "max-age=0;";
- # Only uncomment one of the Strict-Transport-Security entries if you are
- # not using a self-signed certificate
- # add_header Strict-Transport-Security max-age=15768000; # six months
- # use this only if all subdomains support HTTPS!
- # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header Strict-Transport-Security max-age=15768000;
+ # if you want to be able to access the site via HTTP
+ # then replace the above with the following:
+ # add_header Strict-Transport-Security "max-age=0;";
 client_max_body_size 6m; 
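Review bot: The pump.io block gets `ssl_dhparam` but not the `ssl_session_cache builtin:1000 shared:SSL:10m;` line that the same commit adds to the `-2542` and `-7223` server blocks, so the four TLS stanzas in this guide no longer match. If the omission is deliberate it deserves a one-line comment; otherwise add the same line after `ssl_prefer_server_ciphers on;` here and in the ownCloud block of the `-5541` hunk (a `shared:` zone of the same name is shared across server blocks, so repeating the directive is fine). The HSTS and `add_header` inheritance concerns raised on the `-2542` hunk apply here unchanged.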
@@ -5541,17 +5549,18 @@ server {
 ssl on;
 ssl_certificate /etc/ssl/certs/myownclouddomainname.com.crt;
 ssl_certificate_key /etc/ssl/private/myownclouddomainname.com.key;
+ ssl_dhparam /etc/ssl/certs/myownclouddomainname.com.dhparam;
 ssl_session_timeout 5m;
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
 ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
- add_header Strict-Transport-Security "max-age=0;";
- # Only uncomment one of the Strict-Transport-Security entries if you are
- # not using a self-signed certificate
- # add_header Strict-Transport-Security max-age=15768000; # six months
- # use this only if all subdomains support HTTPS!
- # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header Strict-Transport-Security max-age=15768000;
+ # if you want to be able to access the site via HTTP
+ # then replace the above with the following:
+ # add_header Strict-Transport-Security "max-age=0;";
 # make sure webfinger and other well known services aren't blocked
 # by denying dot files and rewrite request to the front controller
@@ -7204,18 +7213,13 @@ Delete all existing contents then add the following:
 #+BEGIN_SRC: bash
 server {
 listen 80;
- server_name tunes.us.to;
+ server_name mysubsonicdomainname.com;
 rewrite ^ https://$server_name$request_uri? permanent;
 }
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
 server {
 listen 443;
- server_name tunes.us.to;
+ server_name mysubsonicdomainname.com;
 index index.html index.htm;
 error_log /var/www/mysubsonicdomainname.com/error.log debug; 
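Review bot: Deleting the `map $http_upgrade $connection_upgrade { ... }` block in the `-7204` hunk removes the only definition of `$connection_upgrade`; if the Subsonic `location /` proxy stanza (which begins in the next hunk and continues outside it) still has a `proxy_set_header Connection $connection_upgrade;` line, `nginx -t` will reject the configuration with an unknown-variable error, so please confirm no reference survives. If the intent is that Subsonic does not need WebSocket upgrade handling, a comment such as `# no map for $connection_upgrade: Subsonic is proxied over plain HTTP/1.1 without WebSocket upgrades` would explain the removal to readers who copied the earlier version. The `server_name` placeholder change itself is fine and matches the `error_log` path already using `mysubsonicdomainname.com`.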
@@ -7223,18 +7227,17 @@ server {
 ssl on;
 ssl_certificate /etc/ssl/certs/mysubsonicdomainname.com.crt;
 ssl_certificate_key /etc/ssl/private/mysubsonicdomainname.com.key;
+ ssl_dhparam /etc/ssl/certs/mysubsonicdomainname.com.dhparam;
 ssl_session_timeout 5m;
 ssl_prefer_server_ciphers on;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
 ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
- #add_header Strict-Transport-Security max-age=0; # six months
+ add_header Strict-Transport-Security "max-age=0;";
 client_max_body_size 20M;
- keepalive_timeout 75 75;
- gzip_vary off;
-
 location / {
 proxy_pass http://localhost:4040/;
 proxy_redirect http:// https://;
@@ -8040,7 +8043,7 @@ editor /etc/nginx/sites-available/$HOSTNAME
 Add the following to the section which starts with *listen 443*
 #+BEGIN_SRC: bash
- ssl_certificate /etc/ssl/certs/mydomainname.com_bundle.crt;
+ ssl_certificate /etc/ssl/certs/mydomainname.com.bundle.crt;
 #+END_SRC
 Save and exit, then restart the web server.
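Review bot: `+ add_header Strict-Transport-Security "max-age=0;";` gives the Subsonic block a zero max-age, which only tells browsers to discard any stored HSTS policy, so this server gets no HSTS protection while the three other server blocks in this commit get six months, and it is also the only one without `X-Frame-Options DENY` and `X-Content-Type-Options nosniff`. If that is deliberate (Subsonic is reverse-proxied from `localhost:4040` and may behave differently behind those headers) a comment stating why, e.g. `# HSTS left at max-age=0 here: <reason>`, would keep readers from copying the weaker stanza elsewhere; otherwise align it with the others as `add_header Strict-Transport-Security max-age=15768000;`. The `location /` block opened at the end of the hunk continues outside it, so whether it sets its own `add_header` (which would suppress inherited headers) cannot be seen here.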