From 0c15c2888d9fd3b0b1f1ff0b36a2fe8d24762fe5 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Fri, 22 May 2015 13:35:49 -0400
Subject: [PATCH] nginx: update cipher suite, HSTS, X-Frame-Options

---
 conf/nginx.conf | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index f04ed663c..ca872b224 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -10,35 +10,49 @@ http {
     server {
         include server-base.conf;
 
-        add_header Strict-Transport-Security "max-age=63072000; preload";
-
         listen 443 default;
+
         ssl on;
         ssl_certificate ./stack/ssl.cert;
         ssl_certificate_key ./stack/ssl.key;
+
+        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 5m;
+
         ssl_stapling on;
         ssl_stapling_verify on;
-        ssl_session_timeout 5m;
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
+
         ssl_prefer_server_ciphers on;
+
+        add_header Strict-Transport-Security "max-age=63072000; preload";
+        add_header X-Frame-Options DENY;
     }
 
     server {
         include proxy-protocol.conf;
         include server-base.conf;
 
-        add_header Strict-Transport-Security "max-age=63072000; preload";
-
         listen 8443 default proxy_protocol;
+
         ssl on;
         ssl_certificate ./stack/ssl.cert;
         ssl_certificate_key ./stack/ssl.key;
+
+        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 5m;
+
         ssl_stapling on;
         ssl_stapling_verify on;
-        ssl_session_timeout 5m;
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
+
         ssl_prefer_server_ciphers on;
+
+        add_header Strict-Transport-Security "max-age=63072000; preload";
+        add_header X-Frame-Options DENY;
     }
 }