
Enabling HTTPS Strict Transport Security (HSTS) support.

Raphael Schneeberger 7 years ago
parent
commit
b7852afc8d
3 changed files with 54 additions and 4 deletions
  1. 16 4
      install/deb/nginx/nginx.conf
  2. 19 0
      install/hst-install-debian.sh
  3. 19 0
      install/hst-install-ubuntu.sh

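--- a/install/deb/nginx/nginx.conf
+++ b/install/deb/nginx/nginx.conf
@@ -103,14 +103,26 @@ http {
     #set_real_ip_from  2a06:98c0::/29;
     real_ip_header     CF-Connecting-IP;
 
-    #openssl dhparam 4096 -out /etc/ssl/dhparam.pem
-    #ssl_dhparam /etc/ssl/dhparam.pem;
+    # SSL dhparam.pem
+    ssl_dhparam /etc/ssl/dhparam.pem;
 
     # SSL PCI Compliance
     ssl_session_cache   shared:SSL:10m;
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
-    ssl_ciphers        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+    ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+    ssl_dhparam         /etc/nginx/dhparams.pem;
+    ssl_ecdh_curve secp384r1;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_buffer_size 1400;
+    resolver 1.0.0.1 1.1.1.1 valid=300s;
+    resolver_timeout 5s;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
 
     # Error pages
     error_page          403          /error/403.html;
@@ -124,7 +136,7 @@ http {
     proxy_ignore_headers Expires Cache-Control;
     proxy_cache_use_stale error timeout invalid_header http_502;
     proxy_cache_valid any 1d;
-    
+
     # Cache bypass
     map $http_cookie $no_cache {
         default 0;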
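Review bot: `ssl_dhparam` is now declared twice in the same `http` block — `/etc/ssl/dhparam.pem` in the first added pair and `/etc/nginx/dhparams.pem` a few lines below the cipher list — and nginx rejects a repeated directive at one level, so `nginx -t` fails with `"ssl_dhparam" directive is duplicate` before any of the new stapling or HSTS lines take effect. The installer added in this commit only writes `/etc/ssl/dhparam.pem`, so the second line should be dropped; `ssl_session_cache shared:SSL:10m;` is likewise repeated and presumably trips the same duplicate check. `Strict-Transport-Security` with `includeSubDomains` at `http` level commits every subdomain of every hosted name to HTTPS for a year, and `add_header` directives are not inherited into a `server`/`location` that declares its own `add_header`, so this deserves a comment above the line such as `# HSTS is inherited by every vhost and its subdomains; any nested add_header replaces this whole set`. `ssl_stapling_verify on` is set without an `ssl_trusted_certificate`, which is worth confirming against the per-vhost templates that include this file.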

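--- a/install/hst-install-debian.sh
+++ b/install/hst-install-debian.sh
@@ -1099,6 +1099,25 @@ if [ "$nginx" = 'yes' ]; then
         done
     fi
 
+    # Generating dhparam.
+    echo "(*) Enabling HTTPS Strict Transport Security (HSTS) support, this will take some time. Please wait..."
+    openssl dhparam 4096 -out /etc/ssl/dhparam.pem > /dev/null 2>&1 &
+    BACK_PID=$!
+
+    # Check if package installation is done, print a spinner
+    spin_i=1
+    while kill -0 $BACK_PID > /dev/null 2>&1 ; do
+        printf "\b${spinner:spin_i++%${#spinner}:1}"
+        sleep 0.5
+    done
+
+    # Do a blank echo to get the \n back
+    echo
+
+    # Update dns servers in nginx.conf
+    dns_resolver=$(cat /etc/resolv.conf | grep -i '^nameserver' | cut -d ' ' -f2 | tr '\r\n' ' ' | xargs)
+    sed -i "s/1.0.0.1 1.1.1.1/$dns_resolver/g" /etc/nginx/nginx.conf
+
     update-rc.d nginx defaults > /dev/null 2>&1
     service nginx start >> $LOG
     check_result $? "nginx start failed"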
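Review bot: The outcome of the backgrounded `openssl dhparam` is never checked — the loop only polls `kill -0` until the process is gone — so if openssl fails (missing binary, full disk, killed) the script continues and nginx later refuses to start on the missing `/etc/ssl/dhparam.pem` that nginx.conf now references, with a far less useful error; after the spinner loop add `wait $BACK_PID` followed by `check_result $? "dhparam generation failed"`, matching the `check_result` idiom used for `service nginx start` below. The `dns_resolver` rewrite is unguarded in the same way: when `/etc/resolv.conf` has no `nameserver` lines the `sed` turns the directive into `resolver  valid=300s;`, which is invalid, so guard it with `[ -n "$dns_resolver" ] && sed -i "s/1.0.0.1 1.1.1.1/$dns_resolver/g" /etc/nginx/nginx.conf`, and note that a bare IPv6 nameserver would presumably need `[...]` brackets in nginx's `resolver` syntax. The progress message says HSTS is being enabled, but this step only generates DH parameters; `# Generating 4096-bit DH parameters for ssl_dhparam (slow)` describes it more accurately. The spinner reads `$spinner`, which is defined outside this hunk. The identical block is added to install/hst-install-ubuntu.sh and needs the same changes.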

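--- a/install/hst-install-ubuntu.sh
+++ b/install/hst-install-ubuntu.sh
@@ -1077,6 +1077,25 @@ if [ "$nginx" = 'yes' ]; then
         done
     fi
 
+    # Generating dhparam.
+    echo "(*) Enabling HTTPS Strict Transport Security (HSTS) support, this will take some time. Please wait..."
+    openssl dhparam 4096 -out /etc/ssl/dhparam.pem > /dev/null 2>&1 &
+    BACK_PID=$!
+
+    # Check if package installation is done, print a spinner
+    spin_i=1
+    while kill -0 $BACK_PID > /dev/null 2>&1 ; do
+        printf "\b${spinner:spin_i++%${#spinner}:1}"
+        sleep 0.5
+    done
+
+    # Do a blank echo to get the \n back
+    echo
+
+    # Update dns servers in nginx.conf
+    dns_resolver=$(cat /etc/resolv.conf | grep -i '^nameserver' | cut -d ' ' -f2 | tr '\r\n' ' ' | xargs)
+    sed -i "s/1.0.0.1 1.1.1.1/$dns_resolver/g" /etc/nginx/nginx.conf
+
     update-rc.d nginx defaults > /dev/null 2>&1
     service nginx start >> $LOG
     check_result $? "nginx start failed"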