From 9d4814c6bd6cb13fd94b4224e62c9385605e06cc Mon Sep 17 00:00:00 2001 From: Argus Duong Date: Thu, 31 Oct 2019 23:01:59 +0700 Subject: [PATCH 1/3] Handle Let's Encrypt HTTP challenge Fix for #25 --- volumes/proxy/templates/nginx-compose-v2.tmpl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/volumes/proxy/templates/nginx-compose-v2.tmpl b/volumes/proxy/templates/nginx-compose-v2.tmpl index a48da6f..6b1c0a5 100644 --- a/volumes/proxy/templates/nginx-compose-v2.tmpl +++ b/volumes/proxy/templates/nginx-compose-v2.tmpl @@ -207,6 +207,11 @@ server { include /etc/nginx/vhost.d/default_location; {{ end }} } + + location ^~ /.well-known/acme-challenge/ { + default_type "text/plain"; + alias /var/www/acme-challenge/; + } } {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} From 520962e938ca1125d01580abf920141e50541171 Mon Sep 17 00:00:00 2001 From: tdtgit Date: Thu, 31 Oct 2019 23:05:37 +0700 Subject: [PATCH 2/3] TLS 1.0 is no more safe --- volumes/proxy/templates/nginx-compose-v2.tmpl | 11 +++++++---- volumes/proxy/templates/nginx.tmpl | 11 +++++++---- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/volumes/proxy/templates/nginx-compose-v2.tmpl b/volumes/proxy/templates/nginx-compose-v2.tmpl index a48da6f..653aec0 100644 --- a/volumes/proxy/templates/nginx-compose-v2.tmpl +++ b/volumes/proxy/templates/nginx-compose-v2.tmpl 
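Review bot: The new `location ^~ /.well-known/acme-challenge/` block lands in the server whose closing `}` is immediately followed by the `default.crt`/`default.key` fallback, which in this template looks like the plain-HTTP server generated only for hosts that have no certificate yet; if that reading is right, hosts that already hold a certificate never get this location, so their renewal challenges go through the 443 server's `location /` and are proxied to the backend instead of being served from `/var/www/acme-challenge/`. Adding the same location to the certificate-bearing server blocks (or serving it ahead of the HTTPS redirect) would cover renewals too; please confirm against the full template, since both server blocks start outside this hunk. The `^~` prefix also means challenge requests are no longer proxied for the hosts that do get the location, which is presumably intended but changes behaviour for any backend that answered ACME itself, so a comment such as `# Served locally so HTTP-01 challenges never reach the backend; /var/www/acme-challenge must be mounted into the proxy container` would make that explicit. The identical hunk in `volumes/proxy/templates/nginx.tmpl` in patch 3/3 has the same gaps.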
@@ -147,10 +147,10 @@ server { listen 443 ssl http2 {{ $default_server }}; access_log /var/log/nginx/access.log vhost; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; - ssl_prefer_server_ciphers on; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; @@ -161,7 +161,10 @@ server { ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }}; {{ end }} - add_header Strict-Transport-Security "max-age=31536000"; + add_header Strict-Transport-Security "max-age=63072000" always; + + ssl_stapling on; + ssl_stapling_verify on; {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} include {{ printf "/etc/nginx/vhost.d/%s" $host }}; diff --git a/volumes/proxy/templates/nginx.tmpl b/volumes/proxy/templates/nginx.tmpl index 292f608..d81ebc5 100644 --- a/volumes/proxy/templates/nginx.tmpl +++ b/volumes/proxy/templates/nginx.tmpl 
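Review bot: `ssl_protocols TLSv1.2 TLSv1.3;` is only understood by nginx 1.13.0 or newer, and TLS 1.3 is only negotiated when that nginx is built against a TLS 1.3-capable OpenSSL; on an older base image the configuration check rejects `TLSv1.3` as an invalid value and the proxy does not start, so the image version this template targets should be checked or pinned as part of this change. With `ssl_prefer_server_ciphers off` the client's preference decides among the listed AEAD-only suites, which matches current guidance for a TLS 1.2 list, but this `ssl_ciphers` directive does not govern TLS 1.3 suites (OpenSSL selects those independently), and a comment such as `# AEAD-only TLS 1.2 list; TLS 1.3 suites are not controlled by ssl_ciphers` would save the next maintainer a search. The enclosing `server {` block starts outside this hunk. The same points apply to the `@@ -121` hunk in `volumes/proxy/templates/nginx.tmpl`.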
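Review bot: `ssl_stapling on; ssl_stapling_verify on;` is added without the directives nginx needs for stapling to take effect: fetching OCSP responses requires a `resolver` directive (typically at `http` level; inside Docker the embedded DNS at `127.0.0.11` is the usual choice), and `ssl_stapling_verify on` requires the issuer chain to be provided through `ssl_trusted_certificate`, otherwise nginx logs a warning and simply serves no OCSP response, leaving the hardening a silent no-op. Either add both directives (the chain file path is deployment-specific and would need its own template variable) or drop `ssl_stapling_verify` and record the decision in a comment such as `# OCSP stapling requires a resolver at http level and ssl_trusted_certificate for verification`. The `Strict-Transport-Security` header now carries `always`, but nginx does not inherit `add_header` into any `location` or included vhost.d file that sets its own `add_header`, so the per-host `include` that follows this hunk can still drop HSTS; that is pre-existing, yet worth noting next to the header. The same applies to the `@@ -135` hunk in `volumes/proxy/templates/nginx.tmpl`.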
@@ -121,10 +121,10 @@ server { listen 443 ssl http2 {{ $default_server }}; access_log /var/log/nginx/access.log vhost; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; - ssl_prefer_server_ciphers on; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; @@ -135,7 +135,10 @@ server { ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }}; {{ end }} - add_header Strict-Transport-Security "max-age=31536000"; + add_header Strict-Transport-Security "max-age=63072000" always; + + ssl_stapling on; + ssl_stapling_verify on; {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} include {{ printf "/etc/nginx/vhost.d/%s" $host }}; From 0238a8a11ff03028aa70ae7311226717ec579981 Mon Sep 17 00:00:00 2001 From: tdtgit Date: Thu, 31 Oct 2019 23:07:43 +0700 Subject: [PATCH 3/3] Update nginx.tmpl --- volumes/proxy/templates/nginx.tmpl | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/volumes/proxy/templates/nginx.tmpl b/volumes/proxy/templates/nginx.tmpl index 292f608..e7b055a 100644 --- a/volumes/proxy/templates/nginx.tmpl +++ b/volumes/proxy/templates/nginx.tmpl @@ -181,6 +181,11 @@ server { include /etc/nginx/vhost.d/default_location; {{ end }} } + + location ^~ /.well-known/acme-challenge/ { + default_type "text/plain"; + alias /var/www/acme-challenge/; + } } {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}