

@mtauraso
Created November 1, 2013 01:56

Revisions

  1. mtauraso created this gist Nov 1, 2013.
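--- a/asana-nginx.conf
+++ b/asana-nginx.conf
@@ -0,0 +1,106 @@
+# LBs have 8 cores. One is used for haproxy, rest are used for nginx workers
+worker_processes 7;
+worker_rlimit_nofile 90000;
+
+pid <PID_FILE>;
+
+events {
+use epoll;
+multi_accept off;
+accept_mutex off;
+worker_connections 65536;
+}
+
+http {
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+gzip off;
+proxy_buffering off;
+
+# nginx default is 1m which is too small for us.
+client_max_body_size 20m;
+
+# The default log format plus the request time which is the amount of time
+# to process the request.
+# $proxy_add_x_forwarded_for includes the Client IP and the LB IP
+log_format asana '$proxy_add_x_forwarded_for - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent NT:$request_time '
+'JT:$upstream_response_time "$http_referer" "$http_user_agent"';
+
+access_log <ACCESS_LOG> asana;
+error_log <ERROR_LOG>;
+
+#### SSL SETTINGS ####
+ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+# This gives a good summary of the issues with picking ciphers
+# http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+#
+# - We prefer key exchange algorithms that support forward secrecy
+# - We avoid algorithms with EDH and3DES for performance reasons by putting
+# them later in the list.
+# - We strongly prefer AES-GCM, and do not allow RC4. Most people are going
+# To end up communicating to use with AES-CBC, but most will not be
+# vulnerable to BEAST due to browser side fixes.
+#
+# With this config we pass The ssl-labs test with flying colors
+# https://www.ssllabs.com/ssltest/
+#
+# To find out what ciphers a given browser is using, go here:
+# https://cc.dcsec.uni-hannover.de/
+# https://www.ssllabs.com/ssltest/viewMyClient.html
+#
+# Sources:
+# http://comments.gmane.org/gmane.network.stunnel.user/6220
+# http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
+# https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
+# https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
+# https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
+# https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat
+#
+# Performance tips taken from this blog post:
+# http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/
+#
+ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;
+
+ssl_certificate <CERT>;
+ssl_certificate_key <KEY>;
+
+# 1MB holds ~1000 Sessions 100k sessions seems like enough sessions to keep
+# around for 10 mins
+ssl_session_cache shared:SSL:100m;
+ssl_session_timeout 10m;
+
+#OCSP stapling
+resolver 8.8.8.8;
+ssl_stapling on;
+ssl_trusted_certificate <CERT>;
+
+# Local haproxy backend
+upstream backend {
+server 127.0.0.1:<HAPROXY_PORT> max_fails=3 fail_timeout=15s;
+}
+
+# We don't do port 80. Speak https or no asana for you
+server {
+listen 80 default_server;
+return 301 https://$host$request_uri;
+}
+
+# Listen for https connections and connect them locally to the haproxy backend
+server {
+listen 443 ssl default_server;
+
+# Turn on strict transport security to help protect against MITM attacks
+# http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+location / {
+proxy_pass http://backend;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header Host $host;
+}
+}
+}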
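Review bot: The `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;` line still enables SSLv3, which undermines the careful cipher ordering below it; it should be reduced to `ssl_protocols TLSv1.2;` (or at minimum drop SSLv3) so that only protocol versions with modern cipher negotiation are offered. The cipher list admits `DH+AESGCM`/`DH+AES` suites but the file sets no `ssl_dhparam`, so the DHE key exchange will presumably fall back to nginx's built-in default group, which is weaker than the ECDHE suites the comments say are preferred; add `ssl_dhparam <DHPARAM_FILE>;` with a freshly generated group of adequate size. `ssl_stapling on` is paired with `ssl_trusted_certificate <CERT>`, the same placeholder as `ssl_certificate`; stapling verification needs the issuer chain, so it is worth a comment such as `# must contain the issuer/root chain, not just the leaf` to prevent the two placeholders being filled with the same file. The port-80 server redirects to `https://$host$request_uri`, where `$host` comes from the client's Host header on a `default_server`; if only known hostnames should be served, redirecting to a fixed hostname or adding a `server_name` check avoids reflecting arbitrary hosts in the Location header.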