cloudfleet · DoubleMalt · Sep 24, 2015 · Sep 23, 2015 · Sep 23, 2015 · Sep 23, 2015
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
 FROM nginx
 ADD cloudfleet.conf /etc/nginx/conf.d/default.conf
+ADD better-crypto.conf /etc/nginx/better-crypto.conf
 ADD start.sh /root/start.sh
 CMD /root/start.sh
diff --git a/better-crypto.conf b/better-crypto.conf
@@ -0,0 +1,12 @@
+#From Better Crypto:
+#+BEGIN_SRC
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
+ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+
+# TODO establish trust of NIST Eliptic Curve recommendations
+ssl_ecdh_curve secp384r1;
+
+#+END_SRC
+
diff --git a/cloudfleet.conf b/cloudfleet.conf
@@ -4,9 +4,14 @@ server {
 
     ssl_certificate     /opt/cloudfleet/conf/tls/tls_crt.pem;
     ssl_certificate_key /opt/cloudfleet/conf/tls/tls_key.pem;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    include ./better-crypto.conf;
 
     include /opt/cloudfleet/conf/nginx/*.conf;
+}
 
+server {
+    listen       80;
+    server_name  localhost;
+    return 301 https://$server_name$request_uri;
 }