From 029ff47286b423ab0d408bde62229e4b36b4ef69 Mon Sep 17 00:00:00 2001
From: AD7six <andydawson76@gmail.com>
Date: Mon, 28 Jul 2014 14:08:19 +0000
Subject: [PATCH] move ssl config to a seperate file

---
 h5bp/directive-only/ssl.conf | 18 ++++++++++++++++++
 nginx.conf                   | 19 +------------------
 2 files changed, 19 insertions(+), 18 deletions(-)
 create mode 100644 h5bp/directive-only/ssl.conf

diff --git a/h5bp/directive-only/ssl.conf b/h5bp/directive-only/ssl.conf
new file mode 100644
index 0000000..a4ae8ef
--- /dev/null
+++ b/h5bp/directive-only/ssl.conf
@@ -0,0 +1,18 @@
+# Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols.
+# Note that TLSv1.1 and TLSv1.2 are immune to the beast attack but only work with OpenSSL v1.0.1 and higher and has limited client support.
+# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
+ssl_protocols              SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
+ssl_prefer_server_ciphers  on;
+
+# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
+# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
+# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
+# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
+ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
+ssl_session_timeout  10m;
+
+# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
+# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
+#ssl_certificate      /etc/nginx/default_ssl.crt;
+#ssl_certificate_key  /etc/nginx/default_ssl.key;
diff --git a/nginx.conf b/nginx.conf
index 1792f8b..76f77ee 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -118,24 +118,7 @@ http {
   # a specific directory, or on an individual server{} level.
   # gzip_static on;
 
-  # Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols.
-  # Note that TLSv1.1 and TLSv1.2 are immune to the beast attack but only work with OpenSSL v1.0.1 and higher and has limited client support.
-  # Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
-  ssl_protocols              SSLv3 TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
-  ssl_prefer_server_ciphers  on;
-
-  # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
-  # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
-  # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
-  # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
-  ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
-  ssl_session_timeout  10m;
-
-  # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
-  # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
-  #ssl_certificate      /etc/nginx/default_ssl.crt;
-  #ssl_certificate_key  /etc/nginx/default_ssl.key;
+  include h5bp/directive-only/ssl.conf;
 
   include sites-enabled/*;
 }