I noticed that some HTTPS settings are set server-wide in the global Nginx template, which seems strange because HTTPS may not be enabled. Wouldn't it be better to move this to HTTPS-enabled vhosts? It could be that there was a good reason things were set up like this, but I'm not sure what it would be.

If we don't have a good reason for it, let's move it out of Provision, and into Aegir HTTPS.

If we still need to support hosting_ssl, we can move it there too, but it's deprecated so I'd rather we didn't put our efforts there. (Nobody's been doing any work on it.) See #2751801: Deprecate SSL in core (to be re-integrated later) for the status of that.

From http/Provision/Config/Nginx/server.tpl.php:

 ## SSL performance
  ssl_session_cache   shared:SSL:10m;

<?php if ($satellite_mode == 'boa'): ?>
 ## SSL protocols, ciphers and settings
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
  ssl_prefer_server_ciphers  on;
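To make the scoping question concrete, here is an added example (not Aegir's or Provision's code) that walks an nginx config and reports where each ssl_* directive is set: at the global http level, where it applies to every vhost including plain-HTTP ones, or inside a server block that actually listens with ssl. The config it inspects is constructed for illustration, not the project's template, and the tokenizer is deliberately minimal: it assumes directive values contain no braces or semicolons (quoted strings and map blocks are not handled).

```python
"""Report the scope of every ssl_* directive in an nginx config.

Added example, not Aegir/Provision code. The sample config below is
constructed for illustration. Assumes values never contain '{', '}' or ';'.
"""
import re

# Constructed sample: one http-level ssl_ directive, one plain-HTTP vhost,
# one TLS vhost with its own ssl_protocols, one TLS vhost that relies on
# whatever the enclosing http block (or nginx's default) provides.
SAMPLE_CONFIG = """\
http {
  ## SSL performance
  ssl_session_cache   shared:SSL:10m;

  server {
    listen 80;
    server_name example.test;
  }

  server {
    listen 443 ssl;
    server_name secure.example.test;
    ssl_certificate     /etc/ssl/certs/secure.example.test.crt;
    ssl_certificate_key /etc/ssl/private/secure.example.test.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
  }

  server {
    listen 443 ssl;
    server_name legacy.example.test;
    ssl_certificate     /etc/ssl/certs/legacy.example.test.crt;
    ssl_certificate_key /etc/ssl/private/legacy.example.test.key;
  }
}
"""

# Matches, in order: a block header ending in '{', a closing '}', or a
# ';'-terminated statement. Comments are stripped before matching.
_TOKEN = re.compile(r"([^{};]+)\{|\}|([^{};]+);")


def analyze(config_text):
    """Return {'http': [ssl_* names at http level], 'servers': [per-server dicts]}."""
    text = re.sub(r"#[^\n]*", "", config_text)
    stack = []        # enclosing block headers, e.g. ['http', 'server']
    current = None    # dict for the server block being walked, if any
    report = {"http": [], "servers": []}
    for m in _TOKEN.finditer(text):
        header, stmt = m.group(1), m.group(2)
        if header is not None:
            header = header.strip()
            stack.append(header)
            if header == "server":
                current = {"server_name": None, "tls": False, "ssl_directives": []}
                report["servers"].append(current)
        elif stmt is not None:
            parts = stmt.split()
            name, args = parts[0], parts[1:]
            if current is not None:
                if name == "server_name" and args:
                    current["server_name"] = args[0]
                elif name == "listen" and "ssl" in args:
                    current["tls"] = True
                elif name.startswith("ssl_"):
                    current["ssl_directives"].append(name)
            elif stack == ["http"] and name.startswith("ssl_"):
                report["http"].append(name)
        else:
            if stack.pop() == "server":
                current = None
    return report


def findings(report):
    """Human-readable observations a reviewer of the config would want."""
    out = []
    for name in report["http"]:
        out.append(f"{name} is set at http level and applies to every vhost, "
                   "including plain-HTTP ones")
    for srv in report["servers"]:
        if srv["tls"] and "ssl_protocols" not in srv["ssl_directives"]:
            out.append(f"{srv['server_name']}: listens with ssl but ssl_protocols "
                       "is not set in its server block, so it inherits the http-level "
                       "or built-in default")
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_CONFIG)):
        print(line)
```

Run it as-is to see the two observations for the sample; point `analyze()` at the rendered output of a real template to check what a given deployment ends up with after the directives are moved.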

Comments

colan created an issue.

memtkmcc commented:

It's BOA-specific stuff, so it can be safely ignored in the wider Aegir on Nginx context, because it's never printed anyway, unless you run BOA. The reason was that on BOA there was always a local HTTPS proxy enabled and HTTPS forced for the Aegir control panel, and then there are added services with vhosts managed by BOA, not Aegir, and to avoid duplication when we need to update stuff like ssl_protocols and ssl_ciphers etc., it has been moved to the master config, and then probably merged in during the BOA unfork phase. It doesn't hurt to have it here for anyone not running BOA, and it is very handy when using BOA.