ambiser
/
openvidu
mirror of https://github.com/OpenVidu/openvidu.git
8
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #560 from robert-scheck/tls-hardening 

openvidu-proxy: Make TLS version, ciphers and HSTS configurable
pull/567/head
Carlos Ruiz Ballesteros 2020-11-23 21:36:13 +01:00 committed by GitHub
parent ed2096c18e fc92eb7cb4
commit 56cbef5cc7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ssl_config.conf
View File

@ -8,7 +8,9 @@
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols {ssl_protocols};
ssl_ciphers "{ssl_ciphers}";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "{add_header_hsts}" always;

10
openvidu-server/docker/openvidu-proxy/entrypoint.sh
View File

@ -36,6 +36,8 @@ CERTIFICATES_CONF="${CERTIFICATES_LIVE_FOLDER}/certificates.conf"
[ ! -f "${CERTIFICATES_CONF}" ] && touch "${CERTIFICATES_CONF}"
[ -z "${PROXY_HTTP_PORT}" ] && export PROXY_HTTP_PORT=80
[ -z "${PROXY_HTTPS_PORT}" ] && export PROXY_HTTPS_PORT=443
[ -z "${PROXY_HTTPS_PROTOCOLS}" ] && export PROXY_HTTPS_PROTOCOLS='TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'
[ -z "${PROXY_HTTPS_CIPHERS}" ] && export PROXY_HTTPS_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
[ -z "${WITH_APP}" ] && export WITH_APP=true
[ -z "${SUPPORT_DEPRECATED_API}" ] && export SUPPORT_DEPRECATED_API=true
[ -z "${REDIRECT_WWW}" ] && export REDIRECT_WWW=false
@ -259,6 +261,14 @@ fi
sed -i "s/{http_port}/${PROXY_HTTP_PORT}/g" /etc/nginx/conf.d/*
sed -i "s/{https_port}/${PROXY_HTTPS_PORT}/g" /etc/nginx/conf.d/*
sed -i "s/{ssl_protocols}/${PROXY_HTTPS_PROTOCOLS}/g" /etc/nginx/conf.d/*
sed -i "s/{ssl_ciphers}/${PROXY_HTTPS_CIPHERS}/g" /etc/nginx/conf.d/*
if [ -n "${PROXY_HTTPS_HSTS}" ]; then
sed -i "s/{add_header_hsts}/${PROXY_HTTPS_HSTS}/g" /etc/nginx/conf.d/*
else
sed -i '/{add_header_hsts}/d' /etc/nginx/conf.d/*
fi
# NGINX access
printf "\n"