From a9e016f68af5d0a77ef19997c989b84a5b75b33d Mon Sep 17 00:00:00 2001
From: Ari Timonen <arit@fastmail.com>
Date: Sun, 8 Nov 2020 17:15:46 +0100
Subject: [PATCH] Update nginx from master

---
 ext/nginx.conf.d/production.conf.template | 18 ++++++-------
 ext/nginx.conf.d/staging.conf.template    | 33 +++--------------------
 2 files changed, 13 insertions(+), 38 deletions(-)

diff --git a/ext/nginx.conf.d/production.conf.template b/ext/nginx.conf.d/production.conf.template
index 764972b..3879d6e 100644
--- a/ext/nginx.conf.d/production.conf.template
+++ b/ext/nginx.conf.d/production.conf.template
@@ -3,7 +3,7 @@
 # Use it in production or copy it over
 
 upstream ensl_production {
-  server production:$PRODUCTION_PUMA_PORT;
+  server ensl_production:$PRODUCTION_PUMA_PORT;
   # server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
 }
 
@@ -51,12 +51,12 @@ server {
   # ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
 
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
-  ssl_session_timeout 1d;
-  ssl_session_cache shared:SSL:50m;
+  # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+  # ssl_session_timeout 1d;
+  # ssl_session_cache shared:SSL:50m;
   # ssl_stapling on;
   # ssl_stapling_verify on;
-  # add_header Strict-Transport-Security max-age=15768000;
+  add_header Strict-Transport-Security max-age=0;
 
   # Fixme: add logs as volume
   access_log /var/log/nginx/ensl.production.access.log;
@@ -109,10 +109,10 @@ server {
 
   ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
-  ssl_session_timeout 1d;
-  ssl_session_cache shared:SSL:50m;
+  # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+  # ssl_session_timeout 1d;
+  # ssl_session_cache shared:SSL:50m;
   # ssl_stapling on;
   # ssl_stapling_verify on;
   add_header Strict-Transport-Security max-age=0;
diff --git a/ext/nginx.conf.d/staging.conf.template b/ext/nginx.conf.d/staging.conf.template
index 1ba0f43..b809b5e 100644
--- a/ext/nginx.conf.d/staging.conf.template
+++ b/ext/nginx.conf.d/staging.conf.template
@@ -7,28 +7,6 @@ upstream ensl_staging {
   # server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
 }
 
-# root-level -> www redirect
-#server {
-#  listen *:$STAGING_PORT;
-#  listen *:$STAGING_PORT_SSL ssl;
-
-  # FIXME
-  # ssl_certificate /etc/ssl/certs/ensl_fullchain.pem;
-  # ssl_certificate_key /etc/ssl/private/ensl_privkey.pem;
-  # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
-#  #server_name $STAGING_ROOT_DOMAIN;
-#  #root $APP_PATH_PUBLIC;
-#  return 301 https://$STAGING_DOMAIN$request_uri;
-#}
-
-# HTTP -> HTTPS redirect
-#server {
-#  listen *:$STAGING_PORT;
-#  server_name $STAGING_DOMAIN;
-#  return 301 https://$STAGING_DOMAIN$request_uri;
-#}
-
 server {
   #listen *:$STAGING_PORT default_server;
   listen *:$STAGING_PORT_SSL ssl default_server;
@@ -38,7 +16,7 @@ server {
 
   ## domain_agnostic staging
   # server_name $STAGING_DOMAIN;
-  root $APP_PATH_PUBLIC;
+  root $STAGING_NGINX_PUBLIC;
   index index.html index.htm index.php;
 
   # Add basic auth
@@ -49,15 +27,12 @@ server {
   ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
 
-  # ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
-  # ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
-
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
   ssl_session_timeout 1d;
   ssl_session_cache shared:SSL:50m;
-  ssl_stapling on;
-  ssl_stapling_verify on;
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
   # add_header Strict-Transport-Security max-age=15768000;
 
   access_log /var/log/nginx/ensl.access.log;
@@ -88,7 +63,7 @@ server {
   location @puma {
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $http_host;
-    proxy_pass http://puma;
+    proxy_pass http://ensl_staging;
   }
 
   try_files $uri/index.html $uri @puma;