@mtauraso
Created November 1, 2013 01:56
Asana's Nginx configuration as of November 2013. It terminates TLS in a hardened, performant, and forward-looking manner, and passes connections on to a local HAProxy process.
# LBs have 8 cores. One is used for haproxy, the rest are used for nginx workers.
worker_processes 7;
worker_rlimit_nofile 90000;
pid <PID_FILE>;

events {
    use epoll;
    multi_accept off;
    accept_mutex off;
    worker_connections 65536;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # With gzip off this layer never adds response compression (the thing
    # BREACH exploits); whatever haproxy returns is passed through as-is.
    gzip off;
    proxy_buffering off;

    # nginx default is 1m which is too small for us. Requests with a larger
    # body get a 413 from nginx and never reach haproxy.
    client_max_body_size 20m;

    # The default log format plus NT:$request_time (the time to process the
    # whole request) and JT:$upstream_response_time (the part haproxy took).
    # $proxy_add_x_forwarded_for is whatever X-Forwarded-For header the client
    # sent, followed by $remote_addr. Only that last address is the TCP peer;
    # everything before it was supplied by the client and is untrusted input.
    log_format asana '$proxy_add_x_forwarded_for - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent NT:$request_time '
                     'JT:$upstream_response_time "$http_referer" "$http_user_agent"';
    access_log <ACCESS_LOG> asana;
    error_log <ERROR_LOG>;

    #### SSL SETTINGS ####
    # This config predates POODLE (CVE-2014-3566, October 2014). SSLv3 is
    # listed for old clients; it is no longer safe to offer, and current
    # nginx/OpenSSL builds do not enable it.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # This gives a good summary of the issues with picking ciphers:
    # http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    #
    # - We prefer key exchange algorithms that support forward secrecy
    #   (ECDHE first, then DHE).
    # - EDH and 3DES suites are ordered after their ECDHE and AES
    #   counterparts for performance reasons. Plain RSA key exchange comes
    #   last, for clients that support nothing better (no forward secrecy
    #   for those).
    # - We strongly prefer AES-GCM, and do not allow RC4. Most clients will
    #   end up talking to us with AES-CBC, but most will not be vulnerable
    #   to BEAST thanks to browser-side fixes (1/n-1 record splitting).
    # - Anonymous DH/ECDH, MD5 and DSS are excluded outright.
    #
    # With this config we pass the SSL Labs test with flying colors:
    # https://www.ssllabs.com/ssltest/
    #
    # To find out what ciphers a given browser is using, go here:
    # https://cc.dcsec.uni-hannover.de/
    # https://www.ssllabs.com/ssltest/viewMyClient.html
    #
    # Sources:
    # http://comments.gmane.org/gmane.network.stunnel.user/6220
    # http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
    # https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
    # https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
    # https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
    # https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat
    #
    # Performance tips taken from this blog post:
    # http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/
    #
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;
    ssl_certificate <CERT>;
    ssl_certificate_key <KEY>;

    # 1MB holds ~1000 sessions (nginx's own docs put it closer to 4000), so
    # 100m keeps at least 100k sessions around for the 10 min timeout.
    # Session tickets stay at their default (on). The ticket key is generated
    # at startup and only changes on restart, so a long-running process
    # weakens the forward secrecy the cipher order buys; rotate it with
    # ssl_session_ticket_key (nginx >= 1.5.7) or turn tickets off.
    ssl_session_cache shared:SSL:100m;
    ssl_session_timeout 10m;

    # OCSP stapling
    # The resolver is only used to look up the OCSP responder. Queries go to
    # this public resolver over plain UDP; prefer a local resolver where
    # one exists.
    resolver 8.8.8.8;
    ssl_stapling on;
    # With ssl_stapling_verify on, nginx checks the OCSP response against
    # ssl_trusted_certificate before stapling it, so that file must contain
    # the issuing CA chain, not just the leaf. Without it, whatever the
    # responder returned is stapled unverified.
    ssl_stapling_verify on;
    ssl_trusted_certificate <CERT>;

    # Local haproxy backend
    upstream backend {
        server 127.0.0.1:<HAPROXY_PORT> max_fails=3 fail_timeout=15s;
    }

    # We don't serve anything on port 80: plain HTTP gets a permanent
    # redirect to the same host and path over https. Speak https or no
    # asana for you.
    server {
        listen 80 default_server;
        return 301 https://$host$request_uri;
    }

    # Listen for https connections and connect them locally to the haproxy backend
    server {
        listen 443 ssl default_server;

        # Turn on strict transport security to help protect against MITM attacks
        # http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
        # add_header is only applied to 2xx/3xx responses unless "always" is
        # given (nginx >= 1.7.5), and it is not inherited by a location that
        # sets its own add_header. includeSubDomains commits every subdomain
        # to https, so none of them may still serve plain HTTP.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

        location / {
            proxy_pass http://backend;
            # Tell haproxy who the real client is and that TLS was already
            # terminated here. The backend must only trust these headers
            # when they come from this LB.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $host;
        }
    }
}
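The cipher comments in the config make three checkable claims: forward-secret key exchange comes first, AES-GCM comes first, and RC4 is never offered. The following is an added example, not code from the gist or from Asana: it has the OpenSSL behind Python's `ssl` module expand the exact `ssl_ciphers` string and checks those claims against the result. The suite list depends on the local OpenSSL build (newer builds have dropped SSLv3-era and 3DES suites on their own), and the `problems`/`warnings` keys are my own naming.

```python
"""Expand and audit the ssl_ciphers string from the config above.

Added example, not part of the gist. OpenSSL itself evaluates the cipher
string, via Python's ssl module, so the resulting list is whatever the
local OpenSSL build supports.
"""
import ssl
from typing import Dict, List

# Copied verbatim from the ssl_ciphers directive.
ASANA_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AES256:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
)


def expand(cipher_string: str) -> List[Dict[str, object]]:
    """Return the TLS <= 1.2 suites OpenSSL selects for cipher_string, in the
    order a server with ssl_prefer_server_ciphers on would offer them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # OpenSSL 1.1.1+ prepends its fixed TLS 1.3 suites; ssl_ciphers does not
    # govern those, so they are left out of the audit.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string: str) -> Dict[str, object]:
    """Check the expanded list against the goals stated in the config comments:
    forward secrecy first, AES-GCM first, no RC4/MD5/anonymous suites."""
    suites = expand(cipher_string)
    # 'description' is the `openssl ciphers -v` line, e.g.
    # 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'
    descs = [str(c["description"]) for c in suites]
    names = [str(c["name"]) for c in suites]
    pfs = [d for d in descs if " Kx=ECDH" in d or " Kx=DH" in d]
    static_rsa = [n for n, d in zip(names, descs) if " Kx=RSA" in d]
    first = descs[0]

    problems = []  # violations of the goals the config states
    if any("RC4" in n for n in names):
        problems.append("RC4 present")
    if any("Mac=MD5" in d for d in descs):
        problems.append("MD5 MAC present")
    if any("Au=None" in d for d in descs):
        problems.append("anonymous key exchange present")

    warnings = []  # not 2013 goals, but what a review today would flag
    if any("Enc=3DES" in d for d in descs):
        warnings.append("3DES still offered (64-bit block, Sweet32)")
    if static_rsa:
        warnings.append(f"{len(static_rsa)} suites without forward secrecy")

    return {
        "count": len(suites),
        "first": names[0],
        "first_is_ecdhe_gcm": " Kx=ECDH" in first and "Enc=AESGCM" in first,
        "pfs_fraction": round(len(pfs) / len(suites), 2),
        "non_pfs_suites": static_rsa,
        "problems": problems,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for suite in expand(ASANA_CIPHERS):
        print(suite["description"])
    print(audit(ASANA_CIPHERS))
```

`openssl ciphers -v '<string>'` prints the same expansion from the command line; run it against the OpenSSL nginx is actually linked to, since the order and the set of available suites are decided by that build, not by the string alone.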
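The `asana` log_format puts `$proxy_add_x_forwarded_for` first, and that field is partly client-controlled: nginx appends the real peer address to whatever `X-Forwarded-For` the client chose to send. As an added example (not part of the gist or of Asana's tooling), here is a parser for that exact format that keeps the client-sent hops apart from the real peer and rolls a batch of lines up the way a quick triage would. The three sample lines are constructed to match the format string, not real traffic, and the `Entry` field names are my own.

```python
"""Parse access-log lines written with the `asana` log_format in the config.

Added example, not part of the gist. The sample lines are constructed to
match the format string; none of them is real traffic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order follows the log_format directive:
#   $proxy_add_x_forwarded_for - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent NT:$request_time JT:$upstream_response_time
#   "$http_referer" "$http_user_agent"
# nginx writes '"' and control characters inside variables as \xNN escapes, so
# a quoted field never holds a raw quote. The upstream block has one server,
# so JT is a single number, or "-" when the request never reached haproxy.
LINE_RE = re.compile(
    r'^(?P<xff>.*?) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'NT:(?P<nt>[0-9.]+) JT:(?P<jt>-|[0-9.]+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Entry:
    hops: List[str]                 # every address in $proxy_add_x_forwarded_for
    user: str
    time: str
    request: str
    status: int
    body_bytes: int
    request_time: float             # NT: the whole request as nginx saw it
    upstream_time: Optional[float]  # JT: haproxy's share, None if never reached
    referer: str
    user_agent: str

    @property
    def peer(self) -> str:
        """Address nginx accepted the TCP connection from. nginx appends
        $remote_addr last, so only the final element is trustworthy; the
        earlier ones were chosen by the client."""
        return self.hops[-1]

    @property
    def claimed_client(self) -> Optional[str]:
        """First address the client asserted in its own X-Forwarded-For, if any."""
        return self.hops[0] if len(self.hops) > 1 else None

    @property
    def overhead(self) -> Optional[float]:
        """Time not spent waiting on haproxy: TLS, client upload, nginx itself."""
        if self.upstream_time is None:
            return None
        return round(self.request_time - self.upstream_time, 3)


def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not in asana log_format: {line!r}")
    jt = m["jt"]
    return Entry(
        hops=[h.strip() for h in m["xff"].split(",")],
        user=m["user"],
        time=m["time"],
        request=m["request"],
        status=int(m["status"]),
        body_bytes=int(m["bytes"]),
        request_time=float(m["nt"]),
        upstream_time=None if jt == "-" else float(jt),
        referer=m["referer"],
        user_agent=m["ua"],
    )


def summarize(lines: List[str]) -> Dict[str, object]:
    """Roll a batch of lines up for a quick triage."""
    entries = [parse_line(l) for l in lines]
    overheads = [e.overhead for e in entries if e.overhead is not None]
    return {
        "requests": len(entries),
        "by_status": dict(Counter(e.status for e in entries)),
        # Distinct TCP peers, ignoring whatever the clients claimed.
        "peers": sorted({e.peer for e in entries}),
        # Requests that arrived with a client-supplied X-Forwarded-For.
        "forwarded_header_seen": sum(1 for e in entries if e.claimed_client),
        # Requests nginx answered itself (e.g. 413 from client_max_body_size).
        "never_reached_upstream": sum(1 for e in entries if e.upstream_time is None),
        "max_overhead": max(overheads, default=None),
    }


# Constructed sample lines (not real log data). Line 2 is a client that sent
# "X-Forwarded-For: 10.0.0.1" itself; nginx appended the real peer
# 198.51.100.23. Line 3 is a body over 20m that nginx rejected with 413
# before haproxy was involved, so JT is "-".
SAMPLE_LINES = [
    '203.0.113.7 - - [01/Nov/2013:01:56:00 +0000] "GET /app HTTP/1.1" 200 5120 '
    'NT:0.412 JT:0.397 "https://example.com/" "Mozilla/5.0"',
    '10.0.0.1, 198.51.100.23 - - [01/Nov/2013:01:56:01 +0000] '
    '"POST /api/1.0/tasks HTTP/1.1" 401 0 NT:0.020 JT:0.018 "-" "curl/7.30.0"',
    '192.0.2.44 - - [01/Nov/2013:01:56:02 +0000] "POST /upload HTTP/1.1" 413 0 '
    'NT:1.275 JT:- "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in map(parse_line, SAMPLE_LINES):
        print(entry.peer, entry.claimed_client, entry.status, entry.overhead)
    print(summarize(SAMPLE_LINES))
```

Anything before the last comma in the first field, and the request, referer and user-agent strings, are attacker-supplied; a detection rule that keys on the first address in that field instead of `peer` can be steered by a single forged header.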