nginx: move SSL parameters to a separate file

Author: sitnik

Dockerfile

@@ -12,9 +12,9 @@ RUN apt-get update && \
   apt-get install -y openssl && \
   rm -rf /var/lib/apt/lists/*
 
-RUN mkdir /etc/nginx/location.d
 ADD nginx.conf /etc/nginx/nginx.conf
 
+ADD server.d/ /etc/nginx/server.d/
 ADD upstream.d/ /etc/nginx/upstream.d/
 ADD location.d/ /etc/nginx/location.d/
 ADD upstreams-available/ /etc/nginx/upstreams-available/

nginx.conf

@@ -47,33 +47,10 @@ http {
 
     server {
         listen 8080;
-        listen 8443 ssl http2;
-        port_in_redirect off;
-
-        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
-        ssl_certificate /etc/ssl/ssl_certificate;
-        ssl_certificate_key /etc/ssl/ssl_certificate_key;
-
-        ssl_session_timeout 1d;
-        ssl_session_cache shared:SSL:50m;
-        ssl_session_tickets off;
-
-        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
-        ssl_dhparam /etc/ssl/dhparam.pem;
-
-        # intermediate configuration. tweak to your needs.
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
-        ssl_prefer_server_ciphers on;
-
-        # OCSP Stapling ---
-        # fetch OCSP records from URL in ssl_certificate and cache them
-        ssl_stapling on;
-        ssl_stapling_verify on;
-
-        ## verify chain of trust of OCSP response using Root CA and Intermediate certs
-        #ssl_trusted_certificate /etc/ssl/root_CA_cert_plus_intermediates;
+        # Also listens on 8443 if certificates are provided:
+        include /etc/nginx/server.d/*.conf;
 
+        port_in_redirect off;
 
         # location.d/api-gateway.conf implements API Gateway for DeviceHive services
         include /etc/nginx/location.d/*.conf;

server.d/ssl-parameters.conf

@@ -0,0 +1,24 @@
+listen 8443 ssl http2;
+# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+ssl_certificate /etc/ssl/ssl_certificate;
+ssl_certificate_key /etc/ssl/ssl_certificate_key;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ssl_dhparam /etc/ssl/dhparam.pem;
+
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_prefer_server_ciphers on;
+
+# OCSP Stapling ---
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+## verify chain of trust of OCSP response using Root CA and Intermediate certs
+#ssl_trusted_certificate /etc/ssl/root_CA_cert_plus_intermediates;