Merge pull request #17342 from king-frog/patch-1

openshift-merge-robot · web-flow · commit aea595c0c3b6 · 2018-02-26T15:27:57.000-08:00
Automatic merge from submit-queue.

update nginx-config.template
diff --git a/images/router/nginx/conf/nginx-config.template b/images/router/nginx/conf/nginx-config.template
@@ -21,6 +21,9 @@ http {
   #include    /etc/nginx/fastcgi.conf;
   index    index.html index.htm index.php;
 
+  ssl_certificate     {{$workingDir}}/certs/default.pem;
+  ssl_certificate_key {{$workingDir}}/certs/default.pem;
+
   default_type application/octet-stream;
   log_format   main '$remote_addr - $remote_user [$time_local]  $status '
     '"$request" $body_bytes_sent "$http_referer" '
@@ -48,17 +51,40 @@ http {
  {{- if (eq $cfg.TLSTermination "") }}
     listen          80;
  {{- else }}
+    listen          80 ssl;
     listen          443 ssl;
  {{ end -}}
+ 
+server_name     {{$cfg.Host}};
+ {{- if and (ne $cfg.Host "") (or (eq $cfg.TLSTermination "edge") (eq $cfg.TLSTermination "reencrypt")) (eq $cfg.InsecureEdgeTerminationPolicy "Allow") }}
+  {{ $cert := index $cfg.Certificates $cfg.Host -}}
+  {{ if ne $cert.Contents "" }}
+    ssl on;
+    ssl_certificate     {{$workingDir}}/certs/{{$cfgIdx}}.pem;
+    ssl_certificate_key {{$workingDir}}/certs/{{$cfgIdx}}.pem;
+    ssl_session_timeout  5m;
+    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM:!LOW:!EXP;
+    ssl_prefer_server_ciphers   on;
+  {{ end -}}
 
-    server_name     {{$cfg.Host}};
- {{- if and (ne $cfg.Host "") (or (eq $cfg.TLSTermination "edge") (eq $cfg.TLSTermination "reencrypt")) -}}
+ {{- else if and (ne $cfg.Host "") (or (eq $cfg.TLSTermination "edge") (eq $cfg.TLSTermination "reencrypt")) (eq $cfg.InsecureEdgeTerminationPolicy "Redirect") }}
+ {{/*- else if (eq $cfg.InsecureEdgeTerminationPolicy "Redirect") */}}
   {{ $cert := index $cfg.Certificates $cfg.Host -}}
   {{ if ne $cert.Contents "" }}
+    ssl on;
     ssl_certificate     {{$workingDir}}/certs/{{$cfgIdx}}.pem;
     ssl_certificate_key {{$workingDir}}/certs/{{$cfgIdx}}.pem;
+    ssl_session_timeout  5m;
+    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM:!LOW:!EXP;
+    ssl_prefer_server_ciphers   on;
+    if ($scheme = http) {
+        return   301 https://$host$request_uri;
+    }
   {{ end -}}
  {{ end -}}
+ 
     access_log      /var/lib/nginx/logs/be_{{$cfgIdx}}.log main;
 
     location / {
