Improve SSL security

Author: clcain

README.md

@@ -8,7 +8,7 @@ To start using this software, clone this repository and then run `docker-compose
 
 ## Obtaining new certificates from Let's Encrypt
 ```
-certbot --nginx -d example.com
+certbot --nginx --no-redirect -d example.com
 ```
 
 The helper script `gen-cert.sh` will run the above command inside the nginx Docker container for you.

gen-cert.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-docker exec -ti nginx-https-proxy_app_1 certbot --nginx -d $1
+docker exec -ti nginx-https-proxy_app_1 certbot --nginx --no-redirect -d $1

nginx/nginx.conf

@@ -31,8 +31,11 @@ http {
 	# SSL Settings
 	##
 
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+	ssl_protocols TLSv1.2;
 	ssl_prefer_server_ciphers on;
+	ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+	ssl_stapling on;
+	ssl_stapling_verify on;
 
 	##
 	# Logging Settings

nginx/sites-enabled/.example.com

@@ -6,11 +6,6 @@ server {
     ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
 
-    ssl_session_cache builtin:1000 shared:SSL:10m;
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
-    ssl_prefer_server_ciphers on;
-
     location / {
         proxy_pass http://127.0.0.1:8000;
         proxy_set_header Host $host;