Merge branch 'master' of git://git.evergreen-ils.org/OpenSRF

diff --git a/README b/README
index 5bbba0d..2abbc83 100644 (file)
--- a/README
+++ b/README
@@ -616,14 +616,22 @@ rm /etc/nginx/sites-enabled/default
 +
 4. Edit `/etc/nginx/sites-available/osrf-ws-http-proxy` to set the location
    of the SSL certificate and private key.
-5. Start NGINX
+5. Generate a dhparam file in the directory specified in the nginx config.
++
+[source, bash]
+---------------------------------------------------------------------------
+# Default config stores dhparam.pem in the Apache2 ssl directory.
+openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048
+---------------------------------------------------------------------------
++
+6. Start NGINX
 +
 [source, bash]
 ---------------------------------------------------------------------------
 /etc/init.d/nginx start
 ---------------------------------------------------------------------------
 +
-6. If you didn't run `configure` with the `--with-websockets-port=443` option,
+7. If you didn't run `configure` with the `--with-websockets-port=443` option,
 edit `<PREFIX>/javascript/opensrf_ws.js` and `<PREFIX>/javascript/opensrf_ws_shared.js`
    and change
 +

diff --git a/examples/nginx/osrf-ws-http-proxy b/examples/nginx/osrf-ws-http-proxy
index d079230..db2e6e2 100644 (file)
--- a/examples/nginx/osrf-ws-http-proxy
+++ b/examples/nginx/osrf-ws-http-proxy
@@ -6,36 +6,73 @@
 #
 # Assumes Apache is listening on HTTP=7080 and HTTPS=7443
 
+# Example sending nginx logs to syslog
+# error_log  syslog:server=unix:/dev/log,nohostname;
+# access_log syslog:server=unix:/dev/log,severity=info,nohostname combined;
+
 server { 
     listen 80;
 
+    # For SSL-everywhere:
+    # server_name domain.example.org
+    # return 301 https://domain.example.org$request_uri;
+
     location / {
         proxy_pass http://localhost:7080;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 300s;
     }
 }
 
 server {
-    listen 443;
-    ssl on;
+    listen 443 ssl http2;
 
     # Use the same SSL certificate as Apache.
     ssl_certificate /etc/apache2/ssl/server.crt;
     ssl_certificate_key /etc/apache2/ssl/server.key;
 
+    # -----------------------------------------------------------------
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    # generate with openssl dhparam -out dhparams.pem 2048
+    ssl_dhparam /etc/apache2/ssl/dhparam.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    # Intermediate ciphers config / updated 2018-07-11
+    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+    ssl_prefer_server_ciphers on;
+    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+    add_header Strict-Transport-Security max-age=15768000;
+    # OCSP Stapling ---
+    # fetch OCSP records from URL in ssl_certificate and cache them
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    # -----------------------------------------------------------------
+
     location / {
         proxy_pass https://localhost:7443;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 300s;
     }
 
     location /osrf-websocket-translator {
+
+        # apache2-websockets:
+        # Defaults to HTTPS with or without a proxy.
         proxy_pass https://localhost:7682;
+
+        # websocketd:
+        # websocketd may be run with or without SSL.  When used with
+        # NGINX, the assumption is it runs w/o SSL.  Change to taste.
+        #proxy_pass http://localhost:7682;
+
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
@@ -44,12 +81,20 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
 
-        # Raise the default nginx proxy timeout values to an arbitrarily
-        # high value so that we can leverage osrf-websocket-translator's 
-        # timeout settings.
         proxy_connect_timeout 5m;
+
+        # apache2-websockets:
+        # Raise the default nginx proxy timeout settings to
+        # an arbitrarily high value so that we can leverage
+        # osrf-websocket-translator's native timeout settings.
         proxy_send_timeout 1h;
         proxy_read_timeout 1h;
+
+        # websocketd:
+        # websocketd connections persist indefinitely. Leverage nginx
+        # timeouts to periodically disconnect long-idle clients.
+        #proxy_send_timeout 5m;
+        #proxy_read_timeout 5m;
     }
 }