Merge pull request #522 from wingrunr21/improve_ssl_support

Improve SSL support and implement SPDY
This commit is contained in:
rhy-jot
2014-04-09 15:59:52 -07:00
3 changed files with 50 additions and 17 deletions


@@ -104,16 +104,35 @@ config:set <app> KEY1=VALUE1 [KEY2=VALUE2 ...] - set one or more config vars
config:unset <app> KEY1 [KEY2 ...] - unset one or more config vars
```
## TLS support
## TLS/SPDY support
Dokku provides easy TLS support from the box. This can be done app-by-app or for all subdomains at once.
Dokku provides easy TLS/SPDY support out of the box. This can be done app-by-app or for all subdomains at once. Note that whenever TLS support is enabled SPDY is also enabled.
* To enable TLS connection to to one of your applications, copy the `.crt` and `.key` files into the applications `/home/dokku/:app/ssl` folder (notice, file names should be `server.crt` and `server.key`, respectively).
### Per App
* To enable TLS connections for all your applications at once you will need a wildcard TLS certificate. To enable TLS across the server copy the `.crt` and `.key` files into the `/home/dokku/ssl` folder (notice, file names should be `server.crt` and `server.key`, respectively). **Note**: A global/wildcard TLS will not be applied unless the application's VHOST matches the certificate's name. (i.e. if you have a cert for *.example.com TLS won't be applied for something.example.org or example.net)
To enable TLS connection to to one of your applications, copy or symlink the `.crt`/`.pem` and `.key` files into the application's `/home/dokku/:app/tls` folder (create this folder if it doesn't exist) as `server.crt` and `server.key` respectively.
Redeployment of the application will be needed to apply TLS configuration. Once it is redeployed, the application will be accessible by `https://` (redirection from `http://` is applied as well).
### All Subdomains
To enable TLS connections for all your applications at once you will need a wildcard TLS certificate.
To enable TLS across all apps, copy or symlink the `.crt`/`.pem` and `.key` files into the `/home/dokku/tls` folder (create this folder if it doesn't exist) as `server.crt` and `server.key` respectively. Then, enable the certificates by editing `/etc/nginx/conf.d/dokku.conf` and uncommenting these two lines (remove the #):
ssl_certificate /home/dokku/tls/server.crt;
ssl_certificate_key /home/dokku/tls/server.key;
The nginx configuration will need to be reloaded in order for the updated TLS configuration to be applied. This can be done either via the init system or by re-deploying the application. Once TLS is enabled, the application will be accessible by `https://` (redirection from `http://` is applied as well).
**Note**: TLS will not be enabled unless the application's VHOST matches the certificate's name. (i.e. if you have a cert for *.example.com TLS won't be enabled for something.example.org or example.net)
### HSTS Header
The [HSTS header](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) is an HTTP header that can inform browsers that all requests to a given site should be made via HTTPS. dokku does not, by default, enable this header. It is thus left up to you, the user, to enable it for your site.
Beware that if you enable the header and a subsequent deploy of your application results in an HTTP deploy (for whatever reason), the way the header works means that a browser will not attempt to request the HTTP version of your site if the HTTPS version fails.
## Upgrading
Dokku is in active development. You can update the deployment step and the build step separately.


@@ -14,8 +14,19 @@ if ! grep -q dokku-nginx-reload "/etc/sudoers"; then
rm /tmp/sudoers.new
fi
echo "include $DOKKU_ROOT/*/nginx.conf;" > /etc/nginx/conf.d/dokku.conf
cat<<EOF > /etc/nginx/conf.d/dokku.conf
include $DOKKU_ROOT/*/nginx.conf;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
#ssl_certificate $DOKKU_ROOT/tls/server.crt;
#ssl_certificate_key $DOKKU_ROOT/tls/server.key;
EOF
sed -i 's/# server_names_hash_bucket_size/server_names_hash_bucket_size/' /etc/nginx/nginx.conf
if [[ ! -f "$DOKKU_ROOT/VHOST" ]]; then
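Review bot: The cipher list written to `dokku.conf` at the `ssl_ciphers` line still offers RC4 (`ECDHE-RSA-RC4-SHA` and the bare `RC4` group), so clients that do not offer the AES suites will fall back to it; I would add an explicit exclusion, e.g. `ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA:!RC4;`. Since `dokku.conf` is included at `http` level and itself includes every `$DOKKU_ROOT/*/nginx.conf`, the `ssl_session_cache`, `ssl_ciphers`, `ssl_protocols` and `ssl_prefer_server_ciphers` settings written here appear to be inherited by each app's `server` block, so any copy of the same list in the vhost template should be removed rather than kept in sync by hand. A comment above the heredoc such as `# Server-wide TLS defaults; inherited by every app vhost included below` would record that intent for whoever next edits the file.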


@@ -1,8 +1,8 @@
#!/usr/bin/env bash
set -eo pipefail; [[ $DOKKU_TRACE ]] && set -x
APP="$1"; PORT="$2"
WILDCARD_SSL="$DOKKU_ROOT/ssl"
SSL="$DOKKU_ROOT/$APP/ssl"
WILDCARD_SSL="$DOKKU_ROOT/tls"
SSL="$DOKKU_ROOT/$APP/tls"
if [[ -f "$DOKKU_ROOT/VHOST" ]]; then
VHOST=$(< "$DOKKU_ROOT/VHOST")
@@ -13,10 +13,16 @@ if [[ -f "$DOKKU_ROOT/VHOST" ]]; then
hostname="${APP/\//-}.$VHOST"
fi
if [[ -f "$SSL/server.crt" ]] && [[ -f "$SSL/server.key" ]]; then
if [[ -e "$SSL/server.crt" ]] && [[ -e "$SSL/server.key" ]]; then
SSL_INUSE="$SSL"
elif [[ -f "$WILDCARD_SSL/server.crt" ]] && [[ -f "$WILDCARD_SSL/server.key" ]] && [[ $hostname = `openssl x509 -in $WILDCARD_SSL/server.crt -noout -subject | tr '/' '\n' | grep CN= | cut -c4-` ]]; then
SSL_DIRECTIVES=$(cat <<EOF
ssl_certificate $SSL_INUSE/server.crt;
ssl_certificate_key $SSL_INUSE/server.key;
EOF
)
elif [[ -e "$WILDCARD_SSL/server.crt" ]] && [[ -e "$WILDCARD_SSL/server.key" ]] && [[ $hostname = `openssl x509 -in $WILDCARD_SSL/server.crt -noout -subject | tr '/' '\n' | grep CN= | cut -c4-` ]]; then
SSL_INUSE="$WILDCARD_SSL"
SSL_DIRECTIVES=""
fi
# ssl based nginx.conf
@@ -31,16 +37,13 @@ server {
}
server {
listen [::]:443;
listen 443;
listen [::]:443 ssl spdy;
listen 443 ssl spdy;
server_name $hostname;
$SSL_DIRECTIVES
ssl on;
ssl_certificate $SSL_INUSE/server.crt;
ssl_certificate_key $SSL_INUSE/server.key;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
keepalive_timeout 70;
add_header Alternate-Protocol 443:npn-spdy/2;
location / {
proxy_pass http://$APP;