From 3803888be654ac5108626656a81d691298a32b83 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Thu, 10 Mar 2016 14:02:55 +0200
Subject: [PATCH] abusesa: Use Mozilla's modern ciphersuites in services nginx config
---
 abusesa/manifests/services.pp | 2 ++
 abusesa/templates/services/nginx.conf.erb | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/abusesa/manifests/services.pp b/abusesa/manifests/services.pp
index 6ff6dd5..f05c959 100644
--- a/abusesa/manifests/services.pp
+++ b/abusesa/manifests/services.pp
@@ -51,6 +51,8 @@ class abusesa::services(
 content => "umask 007\n",
 }
+ include ssl::ciphersuites
+
 nginx::config { 'abusesa.conf':
 content => template('abusesa/services/nginx.conf.erb'),
 }
diff --git a/abusesa/templates/services/nginx.conf.erb b/abusesa/templates/services/nginx.conf.erb
index ca5b15f..5164c10 100644
--- a/abusesa/templates/services/nginx.conf.erb
+++ b/abusesa/templates/services/nginx.conf.erb
@@ -13,6 +13,12 @@ server {
 ssl_certificate_key <%= @puppet_ssldir %>/private_keys/<%= @homename %>.pem;
 ssl_client_certificate <%= @puppet_ssldir %>/certs/ca.pem;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers <%= scope.lookupvar('ssl::ciphersuites::mozilla_modern_ciphersuites') %>;
+ ssl_prefer_server_ciphers on;
+
+ add_header Strict-Transport-Security max-age=15768000;
+
 proxy_buffering off;
 <% if @allow_dn -%>
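Review bot: The added `add_header Strict-Transport-Security max-age=15768000;` in the nginx.conf.erb hunk only attaches the header to the success and redirect statuses nginx covers by default, so 4xx/5xx responses from this server leave without HSTS. Adding the `always` parameter closes that gap: `add_header Strict-Transport-Security "max-age=15768000" always;` (available from nginx 1.7.5). nginx also stops inheriting a server-level `add_header` in any `location` that declares its own, and the `server` block continues outside the hunk, so it is worth confirming no location below does that. Separately, the `ssl_ciphers` line would render as `ssl_ciphers ;` if the `ssl::ciphersuites::mozilla_modern_ciphersuites` lookup returns nothing, which nginx should reject when it next loads the config; failing in the manifest when the value is empty would surface that at catalog compile time instead.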