From b5f56effbf03e285b9463827b58933ab0d96ca95 Mon Sep 17 00:00:00 2001
From: Livvy Mackintosh
Date: Fri, 19 May 2017 02:23:18 +0200
Subject: [PATCH] Add dehydrated + updated nginx confs

---
 nginx.template | 27 -----------
 support/dehydrated | 1 +
 support/nginx/directives/tls.directive | 18 ++++++++
 support/nginx/nginx.template | 62 ++++++++++++++++++++++++++
 4 files changed, 81 insertions(+), 27 deletions(-)
 delete mode 100644 nginx.template
 create mode 160000 support/dehydrated
 create mode 100644 support/nginx/directives/tls.directive
 create mode 100644 support/nginx/nginx.template

diff --git a/nginx.template b/nginx.template
deleted file mode 100644
index 0ee674b..0000000
--- a/nginx.template
+++ /dev/null
@@ -1,27 +0,0 @@
-server {
- listen 80; listen [::]:80;
- server_name forum.example.com; # <-- change this
-
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443 ssl http2; listen [::]:443 ssl http2;
- server_name forum.ojuso.org; # <-- change this
-
- ssl on;
- ssl_certificate /web/certs/forum.ojuso.org/forum.ojuso.org.cer;
- ssl_certificate_key /web/certs/forum.ojuso.org/forum.ojuso.org.key;
- ssl_session_tickets off;
- ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
-
- http2_idle_timeout 5m; # up from 3m default
-
- location / {
- proxy_pass http://unix:/containers/forum/http.sock:;
- proxy_set_header Host $http_host;
- proxy_http_version 1.1;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- }
-}
diff --git a/support/dehydrated b/support/dehydrated
new file mode 160000
index 0000000..1163864
--- /dev/null
+++ b/support/dehydrated
@@ -0,0 +1 @@
+Subproject commit 116386486b3749e4c5e1b4da35904f30f8b2749b
diff --git a/support/nginx/directives/tls.directive b/support/nginx/directives/tls.directive
new file mode 100644
index 0000000..b35dadd
--- /dev/null
+++ b/support/nginx/directives/tls.directive
@@ -0,0 +1,18 @@
+# TLS Directive
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+## Protocols and ciphers
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_prefer_server_ciphers on;
+
+## HSTS
+add_header Strict-Transport-Security max-age=15768000;
+
+## Stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8;
+
diff --git a/support/nginx/nginx.template b/support/nginx/nginx.template
new file mode 100644
index 0000000..b74b507
--- /dev/null
+++ b/support/nginx/nginx.template
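Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` together with the four `DES-CBC3-SHA` suites in `ssl_ciphers` keeps TLS 1.0/1.1 and 3DES negotiable on every server that includes this directive; unless a known legacy client depends on them, `ssl_protocols TLSv1.2;` and dropping those suites is the safer baseline, and if they must stay, a comment naming the client that requires them would help the next reader. `add_header Strict-Transport-Security max-age=15768000;` is only attached to success and redirect responses because it lacks the `always` flag, and since nginx's `add_header` is not inherited into any `location` that declares its own `add_header`, a note such as `# not inherited by locations that set their own add_header — repeat HSTS there` belongs above it; once every subdomain is served over HTTPS it can become `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;`. `resolver 8.8.8.8;` sends the OCSP-stapling lookups over plain DNS to a public resolver, which is fine to start with but worth replacing with a local resolver so that traffic stays internal.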
@@ -0,0 +1,62 @@
+server {
+ listen 80; listen [::]:80;
+ server_name _;
+
+ location /.well-known/acme-challenge {
+ alias /web/acme;
+ }
+
+ return 301 https://$host$request_uri;
+
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name map.ojuso.org;
+
+ ssl_certificate /web/certs/map.ojuso.org/fullchain.pem;
+ ssl_certificate_key /web/certs/map.ojuso.org/privkey.pem;
+ ssl_dhparam /web/certs/dhparam.pem;
+ ssl_trusted_certificate /web/certs/map.ojuso.org/chain.pem;
+
+ include directives/*;
+
+ location /static/ {
+ alias /web/static/;
+ expires 30d;
+ }
+
+ location / {
+ proxy_pass http://map:8000;
+ proxy_set_header Host $http_host;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name forum.ojuso.org;
+
+ ssl_certificate /web/certs/forum.ojuso.org/fullchain.pem;
+ ssl_certificate_key /web/certs/forum.ojuso.org/privkey.pem;
+ ssl_dhparam /web/certs/dhparam.pem;
+ ssl_trusted_certificate /web/certs/map.ojuso.org/chain.pem;
+
+ include directives/*;
+
+ http2_idle_timeout 5m;
+
+ location / {
+ proxy_pass http://unix:/web/run/discourse.sock:;
+ proxy_set_header Host $http_host;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+}
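Review bot: The server-level `return 301 https://$host$request_uri;` in the port-80 block runs in nginx's server rewrite phase, before any `location` is matched, so `location /.well-known/acme-challenge { alias /web/acme; }` is never reached and dehydrated's HTTP-01 challenge requests are redirected to HTTPS like everything else; wrap the redirect as `location / { return 301 https://$host$request_uri; }` so the ACME location takes precedence. In the forum server block, `ssl_trusted_certificate /web/certs/map.ojuso.org/chain.pem;` reuses map's chain under forum's certificate and key, which looks like a copy/paste slip; with `ssl_stapling_verify on` coming from tls.directive a chain mismatch would likely make nginx reject the OCSP response and serve forum without stapling, so it should read `ssl_trusted_certificate /web/certs/forum.ojuso.org/chain.pem;`. Neither 443 block is marked `default_server`, so the first one (map) implicitly answers any unmatched SNI name — a one-line comment stating that this is intended, or an explicit default block, would make the choice visible.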