From fc92eb7cb4bd012d7eeae427d600bd1d1b9d0b54 Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert@fedoraproject.org>
Date: Wed, 18 Nov 2020 22:07:28 +0100
Subject: [PATCH] openvidu-proxy: Make TLS version, ciphers and HSTS
 configurable

Allow flexible HTTPS security hardening using run-time configuration,
rather just build-time container/volume layering.
---
 .../default_nginx_conf/global/ssl_config.conf          |  8 +++++---
 openvidu-server/docker/openvidu-proxy/entrypoint.sh    | 10 ++++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ssl_config.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ssl_config.conf
index ae29491c..77ba1dc0 100644
--- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ssl_config.conf
+++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ssl_config.conf
@@ -8,7 +8,9 @@
     ssl_stapling on;
     ssl_stapling_verify on;
 
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+    ssl_protocols {ssl_protocols};
+    ssl_ciphers "{ssl_ciphers}";
 
-    ssl_prefer_server_ciphers on;
\ No newline at end of file
+    ssl_prefer_server_ciphers on;
+
+    add_header Strict-Transport-Security "{add_header_hsts}" always;
\ No newline at end of file
diff --git a/openvidu-server/docker/openvidu-proxy/entrypoint.sh b/openvidu-server/docker/openvidu-proxy/entrypoint.sh
index ebf5d8f1..a15a843f 100755
--- a/openvidu-server/docker/openvidu-proxy/entrypoint.sh
+++ b/openvidu-server/docker/openvidu-proxy/entrypoint.sh
@@ -36,6 +36,8 @@ CERTIFICATES_CONF="${CERTIFICATES_LIVE_FOLDER}/certificates.conf"
 [ ! -f "${CERTIFICATES_CONF}" ] && touch "${CERTIFICATES_CONF}"
 [ -z "${PROXY_HTTP_PORT}" ] && export PROXY_HTTP_PORT=80
 [ -z "${PROXY_HTTPS_PORT}" ] && export PROXY_HTTPS_PORT=443
+[ -z "${PROXY_HTTPS_PROTOCOLS}" ] && export PROXY_HTTPS_PROTOCOLS='TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'
+[ -z "${PROXY_HTTPS_CIPHERS}" ] && export PROXY_HTTPS_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
 [ -z "${WITH_APP}" ] && export WITH_APP=true
 [ -z "${SUPPORT_DEPRECATED_API}" ] && export SUPPORT_DEPRECATED_API=true
 [ -z "${REDIRECT_WWW}" ] && export REDIRECT_WWW=false
@@ -252,6 +254,14 @@ sed -e '/{proxy_config}/{r default_nginx_conf/global/proxy_config.conf' -e 'd}'
 sed -i "s/{domain_name}/${DOMAIN_OR_PUBLIC_IP}/g" /etc/nginx/conf.d/*
 sed -i "s/{http_port}/${PROXY_HTTP_PORT}/g" /etc/nginx/conf.d/*
 sed -i "s/{https_port}/${PROXY_HTTPS_PORT}/g" /etc/nginx/conf.d/*
+sed -i "s/{ssl_protocols}/${PROXY_HTTPS_PROTOCOLS}/g" /etc/nginx/conf.d/*
+sed -i "s/{ssl_ciphers}/${PROXY_HTTPS_CIPHERS}/g" /etc/nginx/conf.d/*
+
+if [ -n "${PROXY_HTTPS_HSTS}" ]; then
+  sed -i "s/{add_header_hsts}/${PROXY_HTTPS_HSTS}/g" /etc/nginx/conf.d/*
+else
+  sed -i '/{add_header_hsts}/d' /etc/nginx/conf.d/*
+fi
 
 # NGINX access
 printf "\n"