software/nginx-push-stream: enable HTTP2 and TLS

with a self sign certificate for now config generated using https://ssl-config.mozilla.org/#server=nginx&version=1.19.2&config=modern&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6

software/nginx-push-stream: enable HTTP2 and TLS
with a self sign certificate for now config generated using https://ssl-config.mozilla.org/#server=nginx&version=1.19.2&config=modern&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6
d43d6792 · Jérome Perrin · 635f6ec4 · d43d6792 · d43d6792 · d43d6792
Commit d43d6792 authored Jul 30, 2021 by Jérome Perrin
3 changed files
--- a/software/nginx-push-stream/buildout.hash.cfg
+++ b/software/nginx-push-stream/buildout.hash.cfg
@@ -4,8 +4,8 @@ md5sum = eb4c69df9a8dbb94fb76d0a6c11e360f

 [template-nginx-configuration]
 filename = template-nginx.cfg.in
-md5sum = b957c4cbaa4d5644688a38f1eca7a516
+md5sum = 6f3ab2e441ff435182930b4b1140afd7

 [template-nginx]
 filename = instance-nginx.cfg.in
-md5sum = 4a8c49421c7a36901d3ab8c0b4a07769
+md5sum = ac425cdab9c374985c84ea4928c0ce1b
--- a/software/nginx-push-stream/instance-nginx.cfg.in
+++ b/software/nginx-push-stream/instance-nginx.cfg.in
@@ -54,7 +54,24 @@ subscriber-location-prefix = /sub
 subscriber-allow-credential = 'false'
 subscriber-allow-methods = 'GET, HEAD, OPTIONS'
 subscriber-allow-headers = 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since'
-base-url = http://[$${nginx-configuration:ip}]:$${nginx-configuration:port}
+base-url = https://[$${nginx-configuration:ip}]:$${nginx-configuration:port}
+
+# Generate a self-signed TLS certificate.
+[nginx-certificate]
+recipe = plone.recipe.command
+command =
+  if [ ! -e $${:key-file} ]
+  then
+    ${openssl:location}/bin/openssl req -x509 -nodes -days 3650 \
+      -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${nginx-configuration:ip}" \
+      -newkey rsa:1024 -keyout $${:key-file} \
+      -out $${:cert-file}
+  fi
+update-command = $${:command}
+key-file = $${directory:ssl}/${:_buildout_section_name_}.key
+cert-file = $${directory:ssl}/${:_buildout_section_name_}.cert
+common-name = $${nginx-configuration:ip}
+stop-on-error = true

 [promises]
 recipe =

--- a/software/nginx-push-stream/template-nginx.cfg.in
+++ b/software/nginx-push-stream/template-nginx.cfg.in
@@ -54,9 +54,21 @@ http {
  ##
  push_stream_shared_memory_size                32m;

+
 server {
-  listen [$${nginx-configuration:ip}]:$${nginx-configuration:port};
-  listen $${nginx-configuration:local-ip}:$${nginx-configuration:port};
+  listen [$${nginx-configuration:ip}]:$${nginx-configuration:port} ssl http2;
+  listen $${nginx-configuration:local-ip}:$${nginx-configuration:port} ssl http2;
+
+  # generated 2021-08-02, Mozilla Guideline v5.6, nginx 1.19.2, OpenSSL 1.1.1k, modern configuration, no HSTS, no OCSP
+  # https://ssl-config.mozilla.org/#server=nginx&version=1.19.2&config=modern&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6
+  ssl_certificate $${nginx-certificate:cert-file};
+  ssl_certificate_key $${nginx-certificate:key-file};
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:MozSSL:10m;
+  ssl_session_tickets off;
+  ssl_protocols TLSv1.3;
+  ssl_prefer_server_ciphers off;
+

  fastcgi_temp_path  $${directory:varnginx} 1 2;
  uwsgi_temp_path  $${directory:varnginx} 1 2;