Asana's current Nginx configuration. It terminates TLS in a hardened, performant, and future looking manner, and passes connections on to a local Haproxy process

asana-nginx.conf

# LBs have 8 cores.  One is used for haproxy, rest are used for nginx workers
worker_processes 7;
worker_rlimit_nofile 90000;
 
pid <PID_FILE>;
 
events {
  use epoll;
  multi_accept off;
  accept_mutex off;
  worker_connections 65536;
}
 
http {
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  gzip off;
  proxy_buffering off;
 
  # nginx default is 1m which is too small for us.
  client_max_body_size 20m;
 
  # The default log format plus the request time which is the amount of time
  # to process the request.
  # $proxy_add_x_forwarded_for includes the Client IP and the LB IP
  log_format asana '$proxy_add_x_forwarded_for - $remote_user [$time_local]  '
                   '"$request" $status $body_bytes_sent NT:$request_time '
                   'JT:$upstream_response_time "$http_referer" "$http_user_agent"';
 
  access_log <ACCESS_LOG> asana;
  error_log <ERROR_LOG>;
 
  #### SSL SETTINGS ####
  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  # This gives a good summary of the issues with picking ciphers
  # http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
  #
  # - We prefer key exchange algorithms that support forward secrecy
  # - We avoid algorithms with EDH and3DES for performance reasons by putting
  #   them later in the list.
  # - We strongly prefer AES-GCM, and do not allow RC4.  Most people are going
  #   To end up communicating to use with AES-CBC, but most will not be
  #   vulnerable to BEAST due to browser side fixes.
  #
  # With this config we pass The ssl-labs test with flying colors
  # https://www.ssllabs.com/ssltest/
  #
  # To find out what ciphers a given browser is using, go here:
  # https://cc.dcsec.uni-hannover.de/
  # https://www.ssllabs.com/ssltest/viewMyClient.html
  #
  # Sources:
  # http://comments.gmane.org/gmane.network.stunnel.user/6220
  # http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
  # https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
  # https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
  # https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
  # https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat
  #
  # Performance tips taken from this blog post:
  # http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/
  #
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;
 
  ssl_certificate <CERT>;
  ssl_certificate_key <KEY>;
 
  # 1MB holds ~1000 Sessions  100k sessions seems like enough sessions to keep
  # around for 10 mins
  ssl_session_cache shared:SSL:100m;
  ssl_session_timeout 10m;
 
  #OCSP stapling
  resolver 8.8.8.8;
  ssl_stapling on;
  ssl_trusted_certificate <CERT>;
 
  # Local haproxy backend
  upstream backend {
    server 127.0.0.1:<HAPROXY_PORT> max_fails=3 fail_timeout=15s;
  }
 
  # We don't do port 80.  Speak https or no asana for you
  server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
  }
 
  # Listen for https connections and connect them locally to the haproxy backend
  server {
    listen 443 ssl default_server;
 
    # Turn on strict transport security to help protect against MITM attacks
    # http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 
    location / {
      proxy_pass http://backend;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $host;
    }
  }
}