diff --git a/debian/control b/debian/control
index d8881e06d..a92bd8f54 100644
--- a/debian/control
+++ b/debian/control
@@ -5,7 +5,7 @@ Priority: optional
 Architecture: amd64
 Depends: locales, git, make, curl, gcc, man-db, sshcommand (>= 0.6.0), gliderlabs-sigil, docker-engine-cs (>= 1.9.1) | docker-engine (>= 1.9.1) | docker-ce | docker-ee, software-properties-common, python-software-properties
 Recommends: herokuish (>= 0.3.4), parallel
-Pre-Depends: nginx, dnsutils, cgroupfs-mount | cgroup-lite, plugn (>= 0.3.0), sudo, python2.7, debconf
+Pre-Depends: nginx (>= 1.8.0), dnsutils, cgroupfs-mount | cgroup-lite, plugn (>= 0.3.0), sudo, python2.7, debconf
 Maintainer: Jose Diaz-Gonzalez
 Description: Docker-powered PaaS that helps build and manage the lifecycle of applications
 Dokku is an extensible, open source Platform as a Service
diff --git a/plugins/nginx-vhosts/install b/plugins/nginx-vhosts/install
index 6057a8720..bc0ba7905 100755
--- a/plugins/nginx-vhosts/install
+++ b/plugins/nginx-vhosts/install
@@ -35,10 +35,12 @@ include $DOKKU_ROOT/*/nginx.conf;
 server_tokens off;
+# Settings from https://mozilla.github.io/server-side-tls/ssl-config-generator/
 ssl_session_cache shared:SSL:20m;
-ssl_session_timeout 10m;
+ssl_session_timeout 1d;
+ssl_session_tickets on;
-ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
 EOF
 fi
diff --git a/plugins/nginx-vhosts/templates/nginx.conf.sigil b/plugins/nginx-vhosts/templates/nginx.conf.sigil
index 610e34ab7..84c51ae22 100644
--- a/plugins/nginx-vhosts/templates/nginx.conf.sigil
+++ b/plugins/nginx-vhosts/templates/nginx.conf.sigil
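Review bot: In plugins/nginx-vhosts/install, `ssl_session_tickets on;` together with the new `ssl_session_timeout 1d;` weakens forward secrecy, because nothing visible in this heredoc sets `ssl_session_ticket_key` or arranges rotation, so nginx keeps one ticket key for the life of the process and whoever obtains it can decrypt recorded sessions. The added comment credits the Mozilla generator, whose nginx output (as far as I recall) disables tickets, so I would change the line to `ssl_session_tickets off;` or state in the comment why tickets stay on. Separately, the new `ssl_ciphers` string enables `DH+AESGCM`, `DH+AES256` and `DH+AES`, but no `ssl_dhparam` appears in the hunk; on the nginx 1.8.0 floor this commit sets, those suites would presumably use the built-in 1024-bit group, so either add an `ssl_dhparam` line pointing at a generated 2048-bit file or drop the DH entries. The heredoc begins above the hunk, so a setting made earlier in it is not visible here.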
@@ -47,7 +47,8 @@ server {
 ssl_certificate {{ $.APP_SSL_PATH }}/server.crt;
 ssl_certificate_key {{ $.APP_SSL_PATH }}/server.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
 keepalive_timeout 70;
 {{ if and (eq $.SPDY_SUPPORTED "true") (ne $.HTTP2_SUPPORTED "true") }}add_header Alternate-Protocol {{ $.NGINX_SSL_PORT }}:npn-spdy/2;{{ end }}
diff --git a/rpm.mk b/rpm.mk
index a1391a7c4..ea178a2eb 100644
--- a/rpm.mk
+++ b/rpm.mk
@@ -99,7 +99,7 @@ endif
 --depends 'gliderlabs-sigil' \
 --depends '/usr/bin/docker' \
 --depends 'bind-utils' \
- --depends 'nginx' \
+ --depends 'nginx >= 1.8.0' \
 --depends 'plugn' \
 --depends 'sudo' \
 --depends 'python' \
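Review bot: In nginx.conf.sigil, `ssl_protocols TLSv1.2;` is set only inside the per-app `server` block, and for name-based virtual hosts sharing a listen socket nginx has historically taken the protocol list from that socket's default server, so TLSv1 and TLSv1.1 may still be negotiated if a different server block or the distribution's nginx.conf is the default and allows them. I would set `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` once in the shared configuration that plugins/nginx-vhosts/install writes, next to `ssl_ciphers`, assuming that file is included at http level. Dropping TLSv1 and TLSv1.1 also cuts off older clients, which deserves a line in the upgrade notes. The `server` block opens above the hunk and continues past it, so a later override is not visible here.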