make SSL PCI compliance until July 2018

noogen · noogen · commit 1dfa673201cd · 2017-08-08T19:34:03.000-05:00
diff --git a/files/etc/nginx/cdn-ips.conf b/files/etc/nginx/cdn-ips.conf
@@ -0,0 +1,76 @@
+# Local cache/proxy
+set_real_ip_from 127.0.0.1/32;
+
+# Incapsula
+set_real_ip_from 199.83.128.0/21;
+set_real_ip_from 198.143.32.0/19;
+set_real_ip_from 149.126.72.0/21;
+set_real_ip_from 103.28.248.0/22;
+set_real_ip_from 185.11.124.0/22;
+set_real_ip_from 192.230.64.0/18;
+set_real_ip_from 45.64.64.0/22;
+
+# Cloudflare
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 199.27.128.0/21;
+
+# stackpath https://support.stackpath.com/hc/en-us/articles/224785167-IP-Blocks
+set_real_ip_from 108.161.176.0/20;
+set_real_ip_from 94.46.144.0/20;
+set_real_ip_from 146.88.128.0/20;
+set_real_ip_from 198.232.124.0/22;
+set_real_ip_from 23.111.8.0/22;
+set_real_ip_from 217.22.28.0/22;
+set_real_ip_from 64.125.76.64/27;
+set_real_ip_from 64.125.76.96/27;
+set_real_ip_from 64.125.78.96/27;
+set_real_ip_from 64.125.78.192/27;
+set_real_ip_from 151.139.0.0/19;
+set_real_ip_from 64.125.78.224/27;
+set_real_ip_from 64.125.102.32/27;
+set_real_ip_from 64.125.102.64/27;
+set_real_ip_from 64.125.102.96/27;
+set_real_ip_from 94.31.27.64/27;
+set_real_ip_from 94.31.33.128/27;
+set_real_ip_from 94.31.33.160/27;
+set_real_ip_from 94.31.33.192/27;
+set_real_ip_from 94.31.56.160/27;
+set_real_ip_from 177.54.148.0/24;
+set_real_ip_from 94.46.144.0/21;
+set_real_ip_from 185.18.207.64/26;
+set_real_ip_from 50.31.249.224/27;
+set_real_ip_from 50.31.251.32/28;
+set_real_ip_from 119.81.42.192/27;
+set_real_ip_from 119.81.104.96/28;
+set_real_ip_from 119.81.67.8/29;
+set_real_ip_from 119.81.0.104/30;
+set_real_ip_from 119.81.1.144/30;
+set_real_ip_from 27.50.77.226/32;
+set_real_ip_from 27.50.79.130/32;
+set_real_ip_from 103.66.28.0/22;
+set_real_ip_from 119.81.131.130/32;
+set_real_ip_from 119.81.131.131/32;
+set_real_ip_from 216.12.211.59/32;
+set_real_ip_from 216.12.211.60/32;
+set_real_ip_from 37.58.110.67/32;
+set_real_ip_from 37.58.110.68/32;
+set_real_ip_from 158.85.206.228/32;
+set_real_ip_from 158.85.206.231/32;
+set_real_ip_from 174.36.204.195/32;
+set_real_ip_from 174.36.204.196/32;
+set_real_ip_from 103.228.104.0/22;
+
+real_ip_header X-Forwarded-For;
+
diff --git a/files/etc/nginx/nginx.new b/files/etc/nginx/nginx.new
@@ -37,9 +37,11 @@ http {
     log_format  main                '$remote_addr - $remote_user [$time_local] "$request" '
                                     '$status $body_bytes_sent "$http_referer" '
                                     '"$http_user_agent" "$http_x_forwarded_for"';
-    log_format  simple              '-= ngx: $status $request_uri $request_time $remote_addr';
+    log_format  better              '-= ngx: $status $request_method $scheme://$host$request_uri $request_time '
+                                    '$remote_addr $body_bytes_sent "$http_referer" '
+                                    '"$http_user_agent" "$http_x_forwarded_for"';
 
-    access_log                      /var/log/nginx/access.log simple;
+    access_log                      /var/log/nginx/access.log better;
 
     # Mime settings
     include                         /etc/nginx/mime.types;
@@ -55,27 +57,9 @@ http {
     gzip_disable                    "MSIE [1-6]\.";
 
 
-    # Cloudflare https://www.cloudflare.com/ips
-    set_real_ip_from                199.27.128.0/21;
-    set_real_ip_from                173.245.48.0/20;
-    set_real_ip_from                103.21.244.0/22;
-    set_real_ip_from                103.22.200.0/22;
-    set_real_ip_from                103.31.4.0/22;
-    set_real_ip_from                141.101.64.0/18;
-    set_real_ip_from                108.162.192.0/18;
-    set_real_ip_from                190.93.240.0/20;
-    set_real_ip_from                188.114.96.0/20;
-    set_real_ip_from                197.234.240.0/22;
-    set_real_ip_from                198.41.128.0/17;
-    set_real_ip_from                162.158.0.0/15;
-    set_real_ip_from                104.16.0.0/12;
-    set_real_ip_from                172.64.0.0/13;
-    real_ip_header                  CF-Connecting-IP;
-
-
     # SSL PCI Compliance
     ssl_session_cache               shared:SSL:10m;
-    ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2; # remove TLSv1 for PCI-DSS compliance
+    ssl_protocols                   TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers       on;
     ssl_ciphers                     "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
 
@@ -103,6 +87,8 @@ http {
     log_subrequest                   on;
     rewrite_log                      on;
 
+    include                          /etc/nginx/cdn-ips.conf;
+    
     # Wildcard include
     include                          /etc/nginx/conf.d/*.conf;
     include                          /etc/nginx/sites-enabled/*.conf;
