Allow some apps to use ciphers better suited for mobile apps

This commit is contained in:
Bob Mottram 2017-05-10 22:27:52 +01:00
parent 58a8c2b2f2
commit c9eb34c7d1
3 changed files with 17 additions and 3 deletions

View File

@ -442,7 +442,7 @@ function install_nextcloud_main {
echo '' >> $nextcloud_nginx_site
echo ' # Security' >> $nextcloud_nginx_site
function_check nginx_ssl
nginx_ssl $NEXTCLOUD_DOMAIN_NAME
nginx_ssl $NEXTCLOUD_DOMAIN_NAME mobile
function_check nginx_disable_sniffing
nginx_disable_sniffing $NEXTCLOUD_DOMAIN_NAME

View File

@ -612,7 +612,11 @@ function update_ciphersuite {
cd $WEBSITES_DIRECTORY
for file in `dir -d *` ; do
sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
if ! grep -q "Mobile compatible ciphers" $WEBSITES_DIRECTORY/$file; then
sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
else
sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS_MOBILE';|g" $WEBSITES_DIRECTORY/$file
fi
done
systemctl restart nginx
write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"

View File

@ -45,6 +45,10 @@ SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"
# See https://wiki.mozilla.org/Security/Server_Side_TLS
SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
# some mobile apps (eg. NextCloud) have not very good cipher compatibility.
# These ciphers can be used for those cases
SSL_CIPHERS_MOBILE="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"
NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"
NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'
@ -123,6 +127,7 @@ function nginx_http_redirect {
function nginx_ssl {
# creates the SSL/TLS section for a website
domain_name=$1
mobile_ciphers=$2
filename=/etc/nginx/sites-available/$domain_name
echo ' ssl_stapling off;' >> $filename
@ -136,7 +141,12 @@ function nginx_ssl {
echo ' ssl_session_timeout 60m;' >> $filename
echo ' ssl_prefer_server_ciphers on;' >> $filename
echo " ssl_protocols $SSL_PROTOCOLS;" >> $filename
if [ $mobile_ciphers ]; then
echo " # Mobile compatible ciphers" >> $filename
echo " ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> $filename
else
echo " ssl_ciphers '$SSL_CIPHERS';" >> $filename
fi
echo " add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> $filename
echo ' add_header X-XSS-Protection "1; mode=block";' >> $filename
echo ' add_header X-Robots-Tag none;' >> $filename