update to modern security in 2018

tools/openssl.cnf

@@ -16,7 +16,7 @@ new_certs_dir           = $dir/certs
 certificate             = $dir/public/cacert.pem
 private_key             = $dir/private/cakey.pem
 default_days            = 365
-default_md              = sha1
+default_md              = sha256
 preserve                = no
 email_in_dn             = no
 nameopt                 = default_ca
@@ -37,7 +37,7 @@ emailAddress            = optional
 [ req ]
 default_bits            = 2048      # Size of keys
 default_keyfile         = key.pem   # name of generated keys
-default_md              = md5       # message digest algorithm
+default_md              = sha256    # message digest algorithm
 string_mask             = nombstr   # permitted characters
 distinguished_name      = req_distinguished_name
 x509_extensions         = v3_req

tools/reverseproxy

@@ -1,7 +1,19 @@
 access_log off;
 add_header Cache-Control public;
+# do not show server version, avoid information leak and exploids
 server_tokens off;
 
+# Security HTTP headers
+#   test service: https://securityheaders.com/
+# Allow to use frame from same origin
+add_header X-Frame-Options "SAMEORIGIN" always;
+# Enable buildin XSS protection in browser
+add_header X-Xss-Protection "1; mode=block" always;
+# Disable Content sniffing
+add_header X-Content-Type-Options "nosniff" always;
+# Disable referrer to avoid information leak to other sides
+add_header Referrer-Policy "no-referrer" always;
+
 # HTTP 80
 server {
  listen         80;
@@ -11,22 +23,31 @@ server {
 
 # HTTPS 443
 server  {
-  listen 443 ssl;
+  listen 443 ssl http2;
   keepalive_timeout 70;
 
   # SSL config
   ssl on;
   ssl_certificate /etc/ssl/localcerts/RPi-Experiences-cert.pem;
   ssl_certificate_key /etc/ssl/localcerts/RPi-Experiences-key.pem;
 
-  ssl_session_timeout 5m;
-  ssl_protocols SSLv3 TLSv1.2;
-  ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_tickets off;
+
+  # more informations:
+  #   recomendations: https://mozilla.github.io/server-side-tls/ssl-config-generator/
+  #   test service: https://www.ssllabs.com/ssltest/
+  # SSLv3 is broken, do not enable; TLSv1 TLSv1.1 are not recomended
+  # works with modern 
+  ssl_protocols TLSv1.2;
+
+  # RC4 is brokenm, do not enable
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
   ssl_prefer_server_ciphers on;
-  ssl_session_cache shared:SSL:10m;
 
-  # Allow to use frame from same origin
-  add_header X-Frame-Options SAMEORIGIN;
+  # strict ssl connection
+  add_header Strict-Transport-Security "max-age=31536000;";
 
   # DDOS protection - Tune Values or deactivate in case of issue
   # limit_conn conn_limit_per_ip 20;