/
nginx-stream.conf.j2
41 lines (36 loc) · 2.04 KB
/
nginx-stream.conf.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# This 'stream' configuration file terminates TLS and forwards the plain TCP stream to the restund process.
upstream restund {
least_conn;
zone backend 64k;
server {{ hostvars[inventory_hostname]['ansible_' + restund_network_interface].ipv4.address }}:{{ restund_tcp_listen_port }} weight=1 max_fails=1 fail_timeout=10s;
}
# see also https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-tcp/
server {
listen {{ restund_tls_listen_port }} ssl;
proxy_pass restund;
proxy_timeout 3s;
proxy_connect_timeout 1s;
proxy_protocol off;
ssl_certificate /etc/letsencrypt/live/{{ certbot_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ certbot_domain }}/privkey.pem;
# intermediate configuration as per https://ssl-config.mozilla.org/#server=nginx
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# NOTE: These cipher suites are compliant to TR-02102-2. If you need to override them, please open a PR to introduce this functionality.
# For TR-02102-2 see https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.html
# As a Wire employee, for Wire-internal discussions and context see
# * https://wearezeta.atlassian.net/browse/FS-33
# * https://wearezeta.atlassian.net/browse/FS-444
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
# NOTE TLS context:
# The restund usecase is one of allowing calls to work in
# restricted networking setups, where UDP traffic is blocked and plain TCP
# traffic may also be blocked. We don't rely on the transport encryption of
# TLS, since the content is already end-to-end encrypted, and most calls
# should go through UDP or plain TCP anyway.
# Using TLS is a fallback mode only.
# Improving TLS configuration/ciphers is thus likely unnecessary
}