Allow some apps to use ciphers better suited for mobile apps
This commit is contained in:
parent
58a8c2b2f2
commit
c9eb34c7d1
|
@ -442,7 +442,7 @@ function install_nextcloud_main {
|
|||
echo '' >> $nextcloud_nginx_site
|
||||
echo ' # Security' >> $nextcloud_nginx_site
|
||||
function_check nginx_ssl
|
||||
nginx_ssl $NEXTCLOUD_DOMAIN_NAME
|
||||
nginx_ssl $NEXTCLOUD_DOMAIN_NAME mobile
|
||||
|
||||
function_check nginx_disable_sniffing
|
||||
nginx_disable_sniffing $NEXTCLOUD_DOMAIN_NAME
|
||||
|
|
|
@ -612,7 +612,11 @@ function update_ciphersuite {
|
|||
cd $WEBSITES_DIRECTORY
|
||||
for file in `dir -d *` ; do
|
||||
sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
|
||||
if ! grep -q "Mobile compatible ciphers" $WEBSITES_DIRECTORY/$file; then
|
||||
sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
|
||||
else
|
||||
sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS_MOBILE';|g" $WEBSITES_DIRECTORY/$file
|
||||
fi
|
||||
done
|
||||
systemctl restart nginx
|
||||
write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"
|
||||
|
|
|
@ -45,6 +45,10 @@ SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"
|
|||
# See https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||
SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
|
||||
|
||||
# some mobile apps (eg. NextCloud) have not very good cipher compatibility.
|
||||
# These ciphers can be used for those cases
|
||||
SSL_CIPHERS_MOBILE="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"
|
||||
|
||||
NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"
|
||||
NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'
|
||||
|
||||
|
@ -123,6 +127,7 @@ function nginx_http_redirect {
|
|||
function nginx_ssl {
|
||||
# creates the SSL/TLS section for a website
|
||||
domain_name=$1
|
||||
mobile_ciphers=$2
|
||||
filename=/etc/nginx/sites-available/$domain_name
|
||||
|
||||
echo ' ssl_stapling off;' >> $filename
|
||||
|
@ -136,7 +141,12 @@ function nginx_ssl {
|
|||
echo ' ssl_session_timeout 60m;' >> $filename
|
||||
echo ' ssl_prefer_server_ciphers on;' >> $filename
|
||||
echo " ssl_protocols $SSL_PROTOCOLS;" >> $filename
|
||||
if [ $mobile_ciphers ]; then
|
||||
echo " # Mobile compatible ciphers" >> $filename
|
||||
echo " ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> $filename
|
||||
else
|
||||
echo " ssl_ciphers '$SSL_CIPHERS';" >> $filename
|
||||
fi
|
||||
echo " add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> $filename
|
||||
echo ' add_header X-XSS-Protection "1; mode=block";' >> $filename
|
||||
echo ' add_header X-Robots-Tag none;' >> $filename
|
||||
|
|
Loading…
Reference in New Issue