From aaa640232141c2f8578540ad7f4e09cd7ae1aade Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Sun, 7 Feb 2021 13:36:03 +0100 Subject: [PATCH] Add script to upgrade ssl config --- install-remote | 1 + upgrade-nginx-ssl | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100755 upgrade-nginx-ssl diff --git a/install-remote b/install-remote index 2e82fac..04dc75f 100755 --- a/install-remote +++ b/install-remote @@ -51,6 +51,7 @@ s ./scripts/configure-system s ./scripts/install-exim s ./scripts/install-posgtresql s ./scripts/install-weblate +s ./scripts/upgrade-nginx-ssl s ./scripts/install-munin # Configure mail sending diff --git a/upgrade-nginx-ssl b/upgrade-nginx-ssl new file mode 100755 index 0000000..9439a57 --- /dev/null +++ b/upgrade-nginx-ssl @@ -0,0 +1,30 @@ +#!/bin/sh + +# Based on https://ssl-config.mozilla.org/#server=nginx + +# Disable Letsencrypt SSL configuraion (it is weak) +sed -i '/\/etc\/letsencrypt\/options-ssl-nginx.conf/ D' /etc/nginx/sites-available/* + +# Update SSL config +cat > /etc/nginx/conf.d/ssl.conf < /etc/nginx/ffdhe4096.pem +fi + +# Reload ngxin +systemctl reload nginx
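Review bot: `systemctl reload nginx` at the end of the new upgrade-nginx-ssl script runs without any validation of the configuration the script has just rewritten, and `#!/bin/sh` is not followed by `set -e`, so a failed `sed -i` or a failed write of `/etc/nginx/conf.d/ssl.conf` still falls through to the reload. I would add `set -eu` directly under the shebang and put `nginx -t` on the line before the reload, so a broken TLS configuration is rejected before the running server is asked to load it. The command that fills `/etc/nginx/ffdhe4096.pem` is not legible in this rendering of the patch; if it is a download, it should fail on HTTP errors and write to a temporary file that is moved into place only on success, because the surrounding `if` would presumably skip an empty or partial file on the next run and leave it in place. The comment typos `configuraion` and `ngxin` are worth fixing in the same change.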