formular.hamburg.freifunk.net via trusted https

2015-01-12 17:54:50 +00:00 · 2015-01-12 17:54:50 +00:00 · d170593345
parent e603c0e666
commit d170593345
1 changed files with 31 additions and 2 deletions
--- a/sites-available/formular_ffhh
+++ b/sites-available/formular_ffhh
@ -1,6 +1,16 @@
 server {
-	listen   80;
-	listen   [::]:80;
+	listen	80;
+	listen	[::]:80;
+	server_name formular.hamburg.freifunk.net formular.services.ffhh formular.ffhh;
+
+	access_log off;
+
+	return 301 https://formular.hamburg.freifunk.net$request_uri;
+}
+
+server {
+	listen   443;
+	listen   [::]:443;
 	server_name formular.hamburg.freifunk.net formular.services.ffhh formular.ffhh;

 	access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
@ -9,6 +19,25 @@ server {
 	# So stellen wir sicher, dass keine IPs geloggt werden.
 	error_log /dev/null crit;

+        ssl_certificate                 /etc/ssl/certs/formular.hamburg.freifunk.net.crt;
+        ssl_certificate_key             /etc/ssl/private/formular.hamburg.freifunk.net.key;
+
+	ssl_prefer_server_ciphers on;
+	ssl_session_cache shared:SSL:10m;
+	ssl_session_timeout 10m;
+
+	# Only strong ciphers in PFS mode
+	ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+
+	# Don't allow to get framed by sites that aren't on the same domain
+	add_header X-Frame-Options SAMEORIGIN;
+
+	# Tell clients never to use http or self-signed (!) certificates
+	# There's no way to bypass this option after it has been cached!
+	add_header Strict-Transport-Security max-age=31536000;
+
 	#return 301 $scheme://formular.hamburg.freifunk.net:8080$request_uri;
 	location / {
 		proxy_pass http://formular.hamburg.freifunk.net:8080;