Merge pull request #543 from hpcloud/T4-758-enable-tls-for-nginx

T4-758 Enable TLS for nginx (UI web server)
cloudfoundry · Aug 11, 2016 · 85e4142 · 85e4142
2 parents 6a40fb0 + 901bc42
commit 85e4142
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 3 deletions.
diff --git a/ci/nginx.conf.HCP b/ci/nginx.conf.HCP
@@ -14,7 +14,7 @@ http {
 
     include                         mime.types;
     default_type                    application/octet-stream;
-    keepalive_timeout               65;
+    keepalive_timeout               70;
     proxy_read_timeout              200;
     sendfile                        off;
     tcp_nopush                      on;
@@ -33,8 +33,18 @@ http {
         ''      close;
     }
 
+    ssl_session_cache               shared:SSL:10m;
+    ssl_session_timeout             10m;
+
     server {
         listen                      80;
+        listen                      443 ssl;
+
+        ssl_certificate             /etc/secrets/console-cert;
+        ssl_certificate_key         /etc/secrets/console-cert-key;
+        ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers                 HIGH:!aNULL:!MD5;
+
         client_max_body_size        50M;
 
         location /pp/ {

diff --git a/containers/nginx/Dockerfile.dev b/containers/nginx/Dockerfile.dev
@@ -1,5 +1,11 @@
 FROM nginx
 
+RUN mkdir -p /etc/secrets/ && \
+  openssl req -batch -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /etc/secrets/server.key -out /etc/secrets/server.crt && \
+  chmod 0600 /etc/secrets && \
+  chmod 0600 /etc/secrets/server.key && \
+  chmod 0600 /etc/secrets/server.crt
+
 COPY ./conf/nginx.dev.conf /etc/nginx/nginx.conf
 
 EXPOSE 80 443

diff --git a/containers/nginx/conf/nginx.HCP.conf b/containers/nginx/conf/nginx.HCP.conf
@@ -14,7 +14,7 @@ http {
 
     include                         mime.types;
     default_type                    application/octet-stream;
-    keepalive_timeout               65;
+    keepalive_timeout               70;
     proxy_read_timeout              200;
     sendfile                        off;
     tcp_nopush                      on;
@@ -33,8 +33,18 @@ http {
         ''      close;
     }
 
+    ssl_session_cache               shared:SSL:10m;
+    ssl_session_timeout             10m;
+
     server {
         listen                      80;
+        listen                      443 ssl;
+
+        ssl_certificate             /etc/secrets/console-cert;
+        ssl_certificate_key         /etc/secrets/console-cert-key;
+        ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers                 HIGH:!aNULL:!MD5;
+
         client_max_body_size        50M;
 
         location /pp/ {

diff --git a/containers/nginx/conf/nginx.dev.conf b/containers/nginx/conf/nginx.dev.conf
@@ -14,7 +14,7 @@ http {
 
     include                         mime.types;
     default_type                    application/octet-stream;
-    keepalive_timeout               65;
+    keepalive_timeout               70;
     proxy_read_timeout              200;
     sendfile                        off;
     tcp_nopush                      on;
@@ -33,8 +33,18 @@ http {
         ''      close;
     }
 
+    ssl_session_cache               shared:SSL:10m;
+    ssl_session_timeout             10m;
+
     server {
         listen                      80;
+        listen                      443 ssl;
+
+        ssl_certificate             /etc/secrets/server.crt;
+        ssl_certificate_key         /etc/secrets/server.key;
+        ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers                 HIGH:!aNULL:!MD5;
+
         client_max_body_size        50M;
 
         location /pp/ {