Improve SSL: Use Mozilla SSL Intermediate Config / Enable Reuseport / Extend HSTS

(Dan) #1

With the recent Discourse version, I’m using this config: Generate Mozilla Security Recommended Web Server Configuration Files

nano templates/web.ssl.template.yml

Modify the ssl config to:

       listen 443 ssl http2 reuseport;
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_prefer_server_ciphers on;
       ssl_ecdh_curve secp384r1;

       ssl_certificate /shared/ssl/ssl.crt;
       ssl_certificate_key /shared/ssl/ssl.key;

       ssl_session_tickets off;
       ssl_session_timeout 1d;
       ssl_session_cache shared:SSL:50m;

       gzip on;

       add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

nano templates/web.letsencrypt.ssl.template.yml

Modify the very bottom config to:

add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';


./launcher rebuild app

I hope I posted on the right category.
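Added example, not code from the post or from the Discourse project: a small Python linter that parses an nginx server-block fragment like the one above and reports the settings this thread ends up debating. The constructed sample reproduces the directives from the post; the thresholds (TLS 1.0/1.1 flagged as deprecated, two-year HSTS `max-age` as the target, one year as the preload minimum) and the one-`reuseport`-per-socket check are assumptions documented in the comments.

```python
"""Lint an nginx TLS/HSTS fragment for weak settings (added example, not Discourse code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the directives posted in #1, as one nginx fragment.
SAMPLE_CONFIG = """
server {
       listen 443 ssl http2 reuseport;
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_prefer_server_ciphers on;
       ssl_ecdh_curve secp384r1;
       ssl_session_tickets off;
       ssl_session_timeout 1d;
       ssl_session_cache shared:SSL:50m;
       add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
}
"""
# Same fragment with only TLS 1.2 offered and the two-year max-age from the second edit.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2").replace("31536000", "63072000")

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # assumption: RFC 8996 deprecations
PRELOAD_MIN_MAX_AGE = 31536000   # assumption: one year, the preload list minimum
RECOMMENDED_MAX_AGE = 63072000   # two years, the value used in the second template edit


def split_statements(config: str) -> List[str]:
    """Split nginx text into statements on ';', '{' and '}' outside quotes; '#' comment lines dropped."""
    text = "\n".join(l for l in config.splitlines() if not l.strip().startswith("#"))
    stmts, buf, quote = [], [], None
    for ch in text:
        if quote:                      # inside a quoted value: ';' does not terminate
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch in ";{}":
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return [s for s in stmts if s]


def parse_directives(config: str) -> List[Tuple[str, List[str]]]:
    """Return (name, args) per statement, with surrounding quotes removed from each arg."""
    out = []
    for stmt in split_statements(config):
        tokens = re.findall(r"'[^']*'|\"[^\"]*\"|\S+", stmt)
        out.append((tokens[0], [t.strip("'\"") for t in tokens[1:]]))
    return out


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value; keys are lower-cased, max-age becomes an int."""
    result: Dict[str, object] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            result[key.lower()] = int(val) if val else True
    return result


def lint(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no issue was detected."""
    findings = []
    directives = parse_directives(config)
    protocols = {a for name, args in directives if name == "ssl_protocols" for a in args}
    if not any(name == "ssl_protocols" for name, _ in directives):
        findings.append("ssl_protocols not set; the nginx default will apply")
    weak = sorted(DEPRECATED_PROTOCOLS & protocols)
    if weak:
        findings.append(f"ssl_protocols offers deprecated versions: {', '.join(weak)}")
    hsts_values = [args[1] for name, args in directives
                   if name == "add_header" and len(args) >= 2
                   and args[0].lower() == "strict-transport-security"]
    if not hsts_values:
        findings.append("no Strict-Transport-Security header")
    for value in hsts_values:
        hsts = parse_hsts(value)
        max_age = int(hsts.get("max-age", 0))
        if max_age < RECOMMENDED_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below the recommended {RECOMMENDED_MAX_AGE}")
        if "preload" in hsts:
            if "includesubdomains" not in hsts:
                findings.append("HSTS preload requires includeSubDomains")
            if max_age < PRELOAD_MIN_MAX_AGE:
                findings.append(f"HSTS preload requires max-age >= {PRELOAD_MIN_MAX_AGE}")
    # nginx rejects socket options such as reuseport given more than once for one address:port
    # ("duplicate listen options"), so a second listen line with reuseport fails the rebuild.
    reuse_count: Dict[str, int] = {}
    for name, args in directives:
        if name == "listen" and args and "reuseport" in args[1:]:
            reuse_count[args[0]] = reuse_count.get(args[0], 0) + 1
    for addr, count in reuse_count.items():
        if count > 1:
            findings.append(f"reuseport given on {count} listen directives for {addr}; nginx accepts it once per address:port")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint(cfg) or ["ok"])
```

Run it against the real `templates/web.ssl.template.yml` by reading the file's nginx section into `lint`; the two findings on the posted fragment are exactly the points raised later in the thread (TLS 1.0/1.1 still offered, and the one-year `max-age` that the second edit raises to two years).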

(Dan) #2


(Robby O'Connor) #3

Why not make a PR :wink:

(Dan) #4

I’ll try.
Haven’t tried a GitHub pull request yet :D.

(Dan) #5

I hope I did it right:

(Sam Saffron) #6

@mpalmer you have been summoned to this topic :walking:

(Robby O'Connor) #7

Why so many PRs? You could have done this in one…

(Sam Saffron) #8

I asked for more PRs, 1 PR per functional change.

(Robby O'Connor) #9

Oh, that makes sense.

(Matt Palmer) #10

You’ve got to say my name three times. Preferably into a mirror at midnight.

(Robby O'Connor) #11

Careful – this could get scary if you accidentally say Beetlejuice or Bloody Mary…jus sayin.

(Sam Saffron) #12

I don’t see this screenshot as any progress over what we have today:

IE8 XP support, Android 2.3.7 support … I do not particularly care about them at all.

(Dan) #13

Lucky you having site users with updated system and browsers.

Sadly I still have 10% of my total visitors using Windows XP and some IE8 and even old Android.

StackExchange sites also use that whole cipher suite.

(Sam Saffron) #14

Well they can not use Discourse anyway, so I don’t see the point in allowing them access to a page that simply shows “your browser is too old”.

(Jeff Atwood) #15

Discourse has always had unapologetically and extremely high browser requirements. We barely work on IE11 these days… will probably drop IE11 support in 2018 as well.

(Simon Clausen) #16

From a user experience point of view that message would be better than a timeout or TLS error and maybe prompt the person visiting to get a proper browser :slight_smile:

(Sam Saffron) #17

Sure, if that is a requirement for your users feel free to amend your SSL config in NGINX. The global market share of IE8/6 on Windows XP is not big enough for me to feel it is justified to cannibalise our default config for users that can probably be owned anyway after 5 minutes of browsing the modern web.