From e916998bb29c0adf0e75eb3c62ebeb7e9df1268c Mon Sep 17 00:00:00 2001
From: Pierre Jaury <pierre@jaury.eu>
Date: Fri, 19 Aug 2016 15:07:16 +0200
Subject: [PATCH] Apply the BetterCrypto nginx configuration, related to #45

---
 nginx/nginx.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index eb700a4e..11e459de 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -20,14 +20,18 @@ http {
       listen 80;
       listen 443 ssl;
 
+      # TLS configuration hardened according to:
+      # https://bettercrypto.org/static/applied-crypto-hardening.pdf
       ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+      ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
       ssl_prefer_server_ciphers on;
       ssl_session_timeout 5m;
       ssl_session_cache shared:SSL:50m;
       ssl_certificate /certs/cert.pem;
       ssl_certificate_key /certs/key.pem;
 
+      add_header Strict-Transport-Security max-age=15768000;
+
       if ($scheme = http) {
     		return 301 https://$host$request_uri;
     	}