From d94503c35f76cb4a9b96ecb2d6edccb152fd7423 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 7 May 2022 10:51:28 +0300
Subject: [PATCH] SSL legacy support.

Up to now I supported older browsers by supporting older versions of TLS
and cipher suites. I still think it makes sense for my blog, etc. but
not for Nextcloud or GitLab. So here's the first step, make the previous
default SSL configuration be ssl-legacy (split out the common parts to
ssl-common) and next is ssl-modern.
---
 conf.d/default.conf                    |  2 +-
 conf.d/matrix.shore.co.il              | 37 ++++++++++++++++++++++++++
 snippets/{ssl.conf => ssl-common.conf} |  2 --
 snippets/ssl-legacy.conf               |  3 +++
 4 files changed, 41 insertions(+), 3 deletions(-)
 create mode 100644 conf.d/matrix.shore.co.il
 rename snippets/{ssl.conf => ssl-common.conf} (76%)
 create mode 100644 snippets/ssl-legacy.conf

diff --git a/conf.d/default.conf b/conf.d/default.conf
index f428ba9..8d37f41 100644
--- a/conf.d/default.conf
+++ b/conf.d/default.conf
@@ -8,6 +8,6 @@ server {
 server {
     listen      443 ssl http2 default_server;
     listen      [::]:443 ssl http2 default_server;
-    include     snippets/ssl.conf;
+    include     snippets/ssl-legacy.conf;
     location    / { return 301 https://www.shore.co.il$request_uri; }
 }
diff --git a/conf.d/matrix.shore.co.il b/conf.d/matrix.shore.co.il
new file mode 100644
index 0000000..8450d25
--- /dev/null
+++ b/conf.d/matrix.shore.co.il
@@ -0,0 +1,37 @@
+map $host $matrix { default synapse; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name matrix.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name matrix.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl.conf;
+
+    location / {
+        proxy_pass              http://$matrix:8008;
+        proxy_http_version      1.1;
+        client_max_body_size    512m;
+        include                 snippets/proxy-headers.conf;
+    }
+
+    location /_synapse/admin {
+        proxy_pass              http://$matrix:8008;
+        proxy_http_version      1.1;
+        client_max_body_size    512m;
+        include                 snippets/proxy-headers.conf;
+        include                 snippets/allow-shore-ips.conf;
+    }
+}
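Review bot: The new vhost includes `snippets/ssl.conf` in its 443 server block, but this same commit renames that file to `snippets/ssl-common.conf`, so after the patch the include points at a path that no longer exists and nginx will refuse to load the configuration. Even if it were updated to `ssl-common.conf`, that snippet no longer carries `ssl_protocols`/`ssl_ciphers`, so this host would silently fall back to the nginx defaults rather than an explicit profile; the line should become `include     snippets/ssl-legacy.conf;` (or the planned ssl-modern snippet once it exists, which fits the commit's stated intent for services like this). Separately, `proxy_pass http://$matrix:8008` uses a variable, which makes nginx resolve the upstream name at request time and requires a `resolver` directive to be in scope — I cannot see the http block here, so this is only worth confirming.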
diff --git a/snippets/ssl.conf b/snippets/ssl-common.conf
similarity index 76%
rename from snippets/ssl.conf
rename to snippets/ssl-common.conf
index cb1f77f..b8ed307 100644
--- a/snippets/ssl.conf
+++ b/snippets/ssl-common.conf
@@ -4,8 +4,6 @@ include                     snippets/common-headers.conf;
 ssl_certificate             /var/ssl/site.crt;
 ssl_certificate_key         /var/ssl/site.key;
 ssl_dhparam                 /var/ssl/dhparams;
-ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-ssl_ciphers                 !AESCCM:!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:ECDH+CHACHA20:AES256+ECDH:AES128:CHACHA20:+SHA1;
 ssl_prefer_server_ciphers   on;
 ssl_session_cache           shared:SSL:50m;
 ssl_session_timeout         5m;
diff --git a/snippets/ssl-legacy.conf b/snippets/ssl-legacy.conf
new file mode 100644
index 0000000..4e569dd
--- /dev/null
+++ b/snippets/ssl-legacy.conf
@@ -0,0 +1,3 @@
+include                     snippets/ssl-common.conf;
+ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ciphers                 !AESCCM:!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:ECDH+CHACHA20:AES256+ECDH:AES128:CHACHA20:+SHA1;
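Review bot: The new snippet has no header explaining why it deliberately re-enables TLSv1 and TLSv1.1, which the commit message says is a conscious trade-off for the blog but not for Nextcloud or GitLab; without that note a later reader will read this as the safe default. I would open the file with `# Legacy TLS profile: keeps TLSv1/TLSv1.1 and SHA1-ordered suites for old clients.` followed by `# Use this only for hosts that need old-browser support; other hosts should use the modern profile.` so the intended scope is visible next to the directives themselves.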
-- 
GitLab