diff --git a/README.md b/README.md
index 0940a8a4e..fede724ba 100644
--- a/README.md
+++ b/README.md
@@ -104,16 +104,35 @@ config:set KEY1=VALUE1 [KEY2=VALUE2 ...] - set one or more config vars config:unset KEY1 [KEY2 ...] - unset one or more config vars ``` -## TLS support +## TLS/SPDY support -Dokku provides easy TLS support from the box. This can be done app-by-app or for all subdomains at once. +Dokku provides easy TLS/SPDY support out of the box. This can be done app-by-app or for all subdomains at once. Note that whenever TLS support is enabled SPDY is also enabled. -* To enable TLS connection to to one of your applications, copy the `.crt` and `.key` files into the applications `/home/dokku/:app/ssl` folder (notice, file names should be `server.crt` and `server.key`, respectively). +### Per App -* To enable TLS connections for all your applications at once you will need a wildcard TLS certificate. To enable TLS across the server copy the `.crt` and `.key` files into the `/home/dokku/ssl` folder (notice, file names should be `server.crt` and `server.key`, respectively). **Note**: A global/wildcard TLS will not be applied unless the application's VHOST matches the certificate's name. (i.e. if you have a cert for *.example.com TLS won't be applied for something.example.org or example.net) +To enable TLS connection to to one of your applications, copy or symlink the `.crt`/`.pem` and `.key` files into the application's `/home/dokku/:app/tls` folder (create this folder if it doesn't exist) as `server.crt` and `server.key` respectively. Redeployment of the application will be needed to apply TLS configuration. Once it is redeployed, the application will be accessible by `https://` (redirection from `http://` is applied as well). +### All Subdomains + +To enable TLS connections for all your applications at once you will need a wildcard TLS certificate. + +To enable TLS across all apps, copy or symlink the `.crt`/`.pem` and `.key` files into the `/home/dokku/tls` folder (create this folder if it doesn't exist) as `server.crt` and `server.key` respectively. 
Then, enable the certificates by editing `/etc/nginx/conf.d/dokku.conf` and uncommenting these two lines (remove the #): + + ssl_certificate /home/dokku/tls/server.crt; + ssl_certificate_key /home/dokku/tls/server.key; + +The nginx configuration will need to be reloaded in order for the updated TLS configuration to be applied. This can be done either via the init system or by re-deploying the application. Once TLS is enabled, the application will be accessible by `https://` (redirection from `http://` is applied as well). + +**Note**: TLS will not be enabled unless the application's VHOST matches the certificate's name. (i.e. if you have a cert for *.example.com TLS won't be enabled for something.example.org or example.net) + +### HSTS Header + +The [HSTS header](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) is an HTTP header that can inform browsers that all requests to a given site should be made via HTTPS. dokku does not, by default, enable this header. It is thus left up to you, the user, to enable it for your site. + +Beware that if you enable the header and a subsequent deploy of your application results in an HTTP deploy (for whatever reason), the way the header works means that a browser will not attempt to request the HTTP version of your site if the HTTPS version fails. + ## Upgrading Dokku is in active development. You can update the deployment step and the build step separately. diff --git a/plugins/nginx-vhosts/install b/plugins/nginx-vhosts/install index a62d4505a..d21bdeac5 100755 --- a/plugins/nginx-vhosts/install +++ b/plugins/nginx-vhosts/install 
@@ -14,8 +14,19 @@ if ! grep -q dokku-nginx-reload "/etc/sudoers"; then rm /tmp/sudoers.new fi -echo "include $DOKKU_ROOT/*/nginx.conf;" > /etc/nginx/conf.d/dokku.conf +cat< /etc/nginx/conf.d/dokku.conf +include $DOKKU_ROOT/*/nginx.conf; +ssl_session_cache shared:SSL:20m; +ssl_session_timeout 10m; + +ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA; +ssl_protocols TLSv1.2 TLSv1.1 TLSv1; +ssl_prefer_server_ciphers on; + +#ssl_certificate $DOKKU_ROOT/tls/server.crt; +#ssl_certificate_key $DOKKU_ROOT/tls/server.key; +EOF sed -i 's/# server_names_hash_bucket_size/server_names_hash_bucket_size/' /etc/nginx/nginx.conf if [[ ! -f "$DOKKU_ROOT/VHOST" ]]; then diff --git a/plugins/nginx-vhosts/post-deploy b/plugins/nginx-vhosts/post-deploy index 824eb6915..be7fd2007 100755 --- a/plugins/nginx-vhosts/post-deploy +++ b/plugins/nginx-vhosts/post-deploy @@ -1,8 +1,8 @@ #!/usr/bin/env bash set -eo pipefail; [[ $DOKKU_TRACE ]] && set -x APP="$1"; PORT="$2" -WILDCARD_SSL="$DOKKU_ROOT/ssl" -SSL="$DOKKU_ROOT/$APP/ssl" +WILDCARD_SSL="$DOKKU_ROOT/tls" +SSL="$DOKKU_ROOT/$APP/tls" if [[ -f "$DOKKU_ROOT/VHOST" ]]; then VHOST=$(< "$DOKKU_ROOT/VHOST") @@ -13,10 +13,16 @@ if [[ -f "$DOKKU_ROOT/VHOST" ]]; then hostname="${APP/\//-}.$VHOST" fi - if [[ -f "$SSL/server.crt" ]] && [[ -f "$SSL/server.key" ]]; then + if [[ -e "$SSL/server.crt" ]] && [[ -e "$SSL/server.key" ]]; then SSL_INUSE="$SSL" - elif [[ -f "$WILDCARD_SSL/server.crt" ]] && [[ -f "$WILDCARD_SSL/server.key" ]] && [[ $hostname = `openssl x509 -in $WILDCARD_SSL/server.crt -noout -subject | tr '/' '\n' | grep CN= | cut -c4-` ]]; then + SSL_DIRECTIVES=$(cat <
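Review bot: The new `ssl_ciphers` line written into dokku.conf offers RC4 twice (`ECDHE-RSA-RC4-SHA` and the bare `RC4` group), and RC4 has well-known keystream biases that make it unsuitable for TLS; the line already prefers AES-GCM and carries an exclusion list, so RC4 should be removed there: `ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA:!RC4;`. Separately, the heredoc is redirected with `>` into `/etc/nginx/conf.d/dokku.conf` unconditionally, so a user who follows the README and uncomments the two `ssl_certificate` lines will have that edit reverted the next time this install script runs (presumably on every plugin reinstall or upgrade), silently dropping wildcard TLS back to plaintext; guard the write with `[[ -f /etc/nginx/conf.d/dokku.conf ]] ||` or put the user-editable directives in a separate file that install never rewrites. `ssl_protocols` still advertises TLSv1 and TLSv1.1, which is defensible as a compatibility baseline but deserves a comment such as `# TLSv1/TLSv1.1 kept only for legacy clients; drop when no longer needed` so it gets revisited. The `cat<` redirection as it appears here looks truncated (likely `cat <<EOF >`), which I would confirm against the committed file.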
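Review bot: Switching `WILDCARD_SSL` and `SSL` from the `ssl` to the `tls` directory means an existing app that already has `server.crt`/`server.key` under `$DOKKU_ROOT/$APP/ssl` (or `$DOKKU_ROOT/ssl`) loses TLS on its next deploy, and nothing in the hunk warns about it or falls back to the old location, so the downgrade to plaintext is silent. Since the `server.crt` check happens later in the file, a short compatibility check right after the new assignments would surface the problem: `if [[ ! -e "$SSL/server.crt" && -e "$DOKKU_ROOT/$APP/ssl/server.crt" ]]; then` / `  echo "WARNING: $APP has certificates in ssl/ but the directory is now tls/; TLS will not be enabled" >&2` / `fi`. The same applies to `WILDCARD_SSL` and the old `$DOKKU_ROOT/ssl` path. The script body continues past the end of the hunk.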