Class: Nginx::ListenHttps

Inherits:

Listen

• Object
• Listen
• Nginx::ListenHttps

Defined in:

lib/shared_infrastructure/nginx/listen.rb

Instance Method Summary

• #initialize(domain_name, certificate_domain = nil) ⇒ ListenHttps constructor

  A new instance of ListenHttps.

• #to_s(level = 0) ⇒ Object

Constructor Details

#initialize(domain_name, certificate_domain = nil) ⇒ ListenHttps

Returns a new instance of ListenHttps.

# File 'lib/shared_infrastructure/nginx/listen.rb', line 25

def initialize(domain_name, certificate_domain = nil)
  @domain_name = domain_name
  @certificate_domain = certificate_domain || domain_name
  super 443
end

Instance Method Details

#to_s(level = 0) ⇒ Object

# File 'lib/shared_infrastructure/nginx/listen.rb', line 31

def to_s(level = 0)
  Lines.new(
    "# TLS config from: http://nginx.org/en/docs/http/configuring_https_servers.html",
    "# HTTP2 doesn't require encryption, but at last reading, no browsers support",
    "# HTTP2 without TLS, so only do http2 when we have TLS.",
    "listen #{port} ssl http2;",
    "listen [::]:#{port} ssl http2;",
    "# Let's Encrypt file names and locations from: https://certbot.eff.org/docs/using.html#where-are-my-certificates",
    "ssl_certificate_key #{Nginx.certificate_directory(certificate_domain)}/privkey.pem;",
    "ssl_certificate     #{Nginx.certificate_directory(certificate_domain)}/fullchain.pem;",
    "",
    "# Test the site using: https://www.ssllabs.com/ssltest/index.html",
    "# Optimize TLS, from: https://www.bjornjohansen.no/optimizing-https-nginx, steps 1-3",
    "ssl_session_cache shared:SSL:1m; # Enough for 4,000 sessions.",
    "ssl_session_timeout 180m;",
    "ssl_protocols TLSv1.3 TLSv1.2;",
    "ssl_prefer_server_ciphers on;",
    "ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;",
    "# Step 4",
    "ssl_dhparam #{Nginx.certificate_directory(certificate_domain)}/dhparam.pem;",
    "# Step 5",
    "ssl_stapling on;",
    "ssl_stapling_verify on;",
    "ssl_trusted_certificate #{Nginx.certificate_directory(certificate_domain)}/chain.pem;",
    "resolver 8.8.8.8 8.8.4.4;",
    "# Step 6 pin for a fortnight",
    "add_header Strict-Transport-Security \"max-age=1209600\" always;",
    "# Other steps TBD"
  ).format(level)
end