diff --git a/deploy/local_install/dhparams.pem b/deploy/local_install/dhparams.pem
new file mode 100644
index 0000000..5545ca9
--- /dev/null
+++ b/deploy/local_install/dhparams.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAo3MMiEY/fNbu+usIM0cDi6x8G3JBApv0Lswta4kiyedWT1WN51iQ
+9zhOFpmcu6517f/fR9MUdyhVKHxxSqWQTcmTEFtz4P3VLTS/W1N5VbKE2VEMLpIi
+wr350aGvV1Er0ujcp5n4O4h0I1tn4/fNyDe7+pHCdwM+hxe8hJ3T0/tKtad4fnIs
+WHDjl4f7m7KuFfheiK7Efb8MsT64HDDAYXn+INjtDZrbE5XPw20BqyWkrf07FcPx
+8o9GW50Ox7/FYq7jVMI/skEu0BRc8u6uUD9+UOuWUQpdeHeFcvLOgW53Z03XwWuX
+RXosUKzBPuGtUDAaKD/HsGW6xmGr2W9yRmu27jKpfYLUb/eWbbnRJwCw04LdzPqv
+jmtq02Gioo3lf5H5wYV9IYF6M8+q/slpbttsAcKERimD1273FBRt5VhSugkXWKjr
+XDhoXu6vZgj8Opei38qPa8pI1RUFoXHFlCe6WpZQmU8efL8gAMrJr9jUIY8eea1n
+u20t5B9ueb9JMjrNafcq6QkKhZLi6fRDDTUyeDvc0dN9R/3Yts97SXfdi1/lX7HS
+Ht4zXd5hEkvjo8GcnjsfZpAC39QfHWkDaeUGEqsl3jXjVMfkvoVY51OuokPWZzrJ
+M5+wyXNpfGbH67dPk7iHgN7VJvgX0SYscDPTtms50Vk7RwEzLeGuSHMCAQI=
+-----END DH PARAMETERS-----
\ No newline at end of file
diff --git a/deploy/local_install/mediacms.io b/deploy/local_install/mediacms.io
index 59c75de..1d929c5 100644
--- a/deploy/local_install/mediacms.io
+++ b/deploy/local_install/mediacms.io
@@ -46,6 +46,12 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/localhost/privkey.pem;
 ssl_certificate /etc/letsencrypt/live/localhost/fullchain.pem;
+ ssl_dhparam /etc/nginx/dhparams/dhparams.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_ecdh_curve secp521r1:secp384r1;
+ ssl_prefer_server_ciphers on;
 gzip on;
 access_log /var/log/nginx/mediacms.io.access.log;
diff --git a/deploy/local_install/nginx.conf b/deploy/local_install/nginx.conf
index 1dda610..c13f677 100644
--- a/deploy/local_install/nginx.conf
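Review bot: The added `ssl_ecdh_curve secp521r1:secp384r1;` leaves out X25519 and prime256v1, the groups most current TLS 1.3 clients put in their first key share, so those clients likely pay a HelloRetryRequest round trip, and a client offering neither P-521 nor P-384 is pushed to DHE under TLS 1.2 or fails the handshake under TLS 1.3; `ssl_ecdh_curve X25519:secp384r1:prime256v1;` keeps strong groups while matching common client defaults (confirm the OpenSSL nginx is built against accepts `X25519`). The comment on `ssl_protocols TLSv1.2 TLSv1.3;` is stale since the line now also drops TLS 1.0/1.1; it should read `# TLS 1.2+ only: SSLv3 (POODLE) and TLS 1.0/1.1 (RFC 8996) disabled`. The `ssl_ciphers` list only governs TLS 1.2 suites in nginx and the TLS 1.3 suites stay at the library default, which is acceptable but worth noting in a comment so nobody expects the list to restrict TLS 1.3. The enclosing `server {` block starts and ends outside this hunk.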
+++ b/deploy/local_install/nginx.conf
@@ -19,10 +19,7 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
-
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
- ssl_prefer_server_ciphers on;
-
+
 access_log /var/log/nginx/access.log;
 error_log /var/log/nginx/error.log;
diff --git a/install.sh b/install.sh
index 53cb509..402d2ed 100644
--- a/install.sh
+++ b/install.sh
@@ -93,10 +93,16 @@ cp deploy/local_install/mediacms.service /etc/systemd/system/mediacms.service &&
 mkdir -p /etc/letsencrypt/live/mediacms.io/
 mkdir -p /etc/letsencrypt/live/$FRONTEND_HOST
+mkdir -p /etc/nginx/sites-enabled
+mkdir -p /etc/nginx/sites-available
+mkdir -p /etc/nginx/dhparams/
+rm -rf /etc/nginx/conf.d/default.conf
+rm -rf /etc/nginx/sites-enabled/default
 cp deploy/local_install/mediacms.io_fullchain.pem /etc/letsencrypt/live/$FRONTEND_HOST/fullchain.pem
 cp deploy/local_install/mediacms.io_privkey.pem /etc/letsencrypt/live/$FRONTEND_HOST/privkey.pem
-cp deploy/local_install/mediacms.io /etc/nginx/sites-available/default
-cp deploy/local_install/mediacms.io /etc/nginx/sites-enabled/default
+cp deploy/local_install/dhparams.pem /etc/nginx/dhparams/dhparams.pem
+cp deploy/local_install/mediacms.io /etc/nginx/sites-available/mediacms.io
+ln -s /etc/nginx/sites-available/mediacms.io /etc/nginx/sites-enabled/mediacms.io
 cp deploy/local_install/uwsgi_params /etc/nginx/sites-enabled/uwsgi_params
 cp deploy/local_install/nginx.conf /etc/nginx/
 systemctl stop nginx
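Review bot: Dropping `ssl_protocols` and `ssl_prefer_server_ciphers` from the `http {}` block leaves any server block that does not set them on nginx's compiled-in default, which in nginx versions before 1.23.4 still includes TLSv1 and TLSv1.1; the hardened values now exist only in `deploy/local_install/mediacms.io`, so a second vhost or a leftover default site would silently regress to the old policy. A baseline at http level, `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers on;`, costs nothing and the server block can still override it. If the intent is that the per-site file is the single source of truth, a comment in place of the removed lines, `# TLS policy is set per server block, see sites-available/mediacms.io`, would make that explicit. The `http {` block continues past this hunk.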
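Review bot: `ln -s /etc/nginx/sites-available/mediacms.io /etc/nginx/sites-enabled/mediacms.io` is not idempotent: on a re-run the link already exists and `ln` fails with "File exists", which aborts the installer if it runs under `set -e` and otherwise leaves an unreported error; `ln -sfn /etc/nginx/sites-available/mediacms.io /etc/nginx/sites-enabled/mediacms.io` replaces it in place. The two new `rm -rf` calls target single files, so `rm -f -- /etc/nginx/conf.d/default.conf` and `rm -f -- /etc/nginx/sites-enabled/default` are sufficient and avoid a recursive delete flag on paths under `/etc/nginx`. Whether the script sets `-e` is not visible in this hunk.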
@@ -115,6 +121,14 @@ else
 echo "will not call certbot utility to update ssl certificate for url 'localhost', using default ssl certificate"
 fi
+# Generate individual DH params
+if [ "$FRONTEND_HOST" != "localhost" ]; then
+ # Only generate new DH params when using "real" certificates.
+ openssl dhparam -out /etc/nginx/dhparams/dhparams.pem 4096
+ systemctl restart nginx
+else
+ echo "will not generate new DH params for url 'localhost', using default DH params"
+fi
 # Bento4 utility installation, for HLS
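Review bot: `openssl dhparam -out /etc/nginx/dhparams/dhparams.pem 4096` writes directly over the file nginx is configured to load, so a failed or interrupted run (a 4096-bit group commonly takes many minutes to generate) likely leaves an empty or truncated file and the following `systemctl restart nginx` then fails; generate into a temporary file and move it into place only on success: `tmp=$(mktemp /etc/nginx/dhparams/dhparams.XXXXXX) || exit 1`, `openssl dhparam -out "$tmp" 4096 && mv -- "$tmp" /etc/nginx/dhparams/dhparams.pem && systemctl restart nginx`. The shipped `deploy/local_install/dhparams.pem` appears to already be a 4096-bit group, so nginx keeps a valid parameter set until the new one lands. A short `echo` before the call telling the user this step is slow would also avoid it being mistaken for a hang.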