Fix subsonic nginx configuration

beaglebone.txt

@@ -2542,17 +2542,19 @@ server {
     ssl on;
     ssl_certificate /etc/ssl/certs/mydomainname.com.crt;
     ssl_certificate_key /etc/ssl/private/mydomainname.com.key;
+    ssl_dhparam /etc/ssl/certs/mydomainname.com.dhparam;
 
     ssl_session_timeout 5m;
     ssl_prefer_server_ciphers on;
+    ssl_session_cache  builtin:1000  shared:SSL:10m;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
     ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
-    add_header Strict-Transport-Security "max-age=0;";
-    # Only uncomment one of the Strict-Transport-Security entries if you are
-    # not using a self-signed certificate
-    # add_header Strict-Transport-Security max-age=15768000; # six months
-    # use this only if all subdomains support HTTPS!
-    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header Strict-Transport-Security max-age=15768000;
+    # if you want to be able to access the site via HTTP
+    # then replace the above with the following:
+    # add_header Strict-Transport-Security "max-age=0;";
 
     # rewrite to front controller as default rule
     location / {
@@ -2657,7 +2659,12 @@ openssl req \
   -newkey rsa:2048 \
   -keyout /etc/ssl/private/$HOSTNAME.key \
   -out /etc/ssl/certs/$HOSTNAME.crt
+
+openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
+
 chmod 400 /etc/ssl/private/$HOSTNAME.key
+chmod 640 /etc/ssl/certs/$HOSTNAME.crt
+chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam
 /etc/init.d/nginx reload
 
 # add the public certificate to a separate directory
@@ -4998,17 +5005,18 @@ server {
     ssl on;
     ssl_certificate /etc/ssl/certs/mypumpiodomainname.com.bundle.crt;
     ssl_certificate_key /etc/ssl/private/mypumpiodomainname.com.key;
+    ssl_dhparam /etc/ssl/certs/mypumpiodomainname.com.dhparam;
 
     ssl_session_timeout 5m;
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
     ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
-    add_header Strict-Transport-Security "max-age=0;";
-    # Only uncomment one of the Strict-Transport-Security entries if you are
-    # not using a self-signed certificate
-    # add_header Strict-Transport-Security max-age=15768000; # six months
-    # use this only if all subdomains support HTTPS!
-    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header Strict-Transport-Security max-age=15768000;
+    # if you want to be able to access the site via HTTP
+    # then replace the above with the following:
+    # add_header Strict-Transport-Security "max-age=0;";
 
     client_max_body_size 6m;
 
@@ -5541,17 +5549,18 @@ server {
     ssl on;
     ssl_certificate /etc/ssl/certs/myownclouddomainname.com.crt;
     ssl_certificate_key /etc/ssl/private/myownclouddomainname.com.key;
+    ssl_dhparam /etc/ssl/certs/myownclouddomainname.com.dhparam;
 
     ssl_session_timeout 5m;
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
     ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
-    add_header Strict-Transport-Security "max-age=0;";
-    # Only uncomment one of the Strict-Transport-Security entries if you are
-    # not using a self-signed certificate
-    # add_header Strict-Transport-Security max-age=15768000; # six months
-    # use this only if all subdomains support HTTPS!
-    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header Strict-Transport-Security max-age=15768000;
+    # if you want to be able to access the site via HTTP
+    # then replace the above with the following:
+    # add_header Strict-Transport-Security "max-age=0;";
 
     # make sure webfinger and other well known services aren't blocked
     # by denying dot files and rewrite request to the front controller
@@ -7204,18 +7213,13 @@ Delete all existing contents then add the following:
 #+BEGIN_SRC: bash
 server {
     listen 80;
-    server_name tunes.us.to;
+    server_name mysubsonicdomainname.com;
     rewrite ^ https://$server_name$request_uri? permanent;
 }
 
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    ''      close;
-}
-
 server {
     listen 443;
-    server_name tunes.us.to;
+    server_name mysubsonicdomainname.com;
     index index.html index.htm;
 
     error_log  /var/www/mysubsonicdomainname.com/error.log debug;
@@ -7223,18 +7227,17 @@ server {
     ssl on;
     ssl_certificate /etc/ssl/certs/mysubsonicdomainname.com.crt;
     ssl_certificate_key /etc/ssl/private/mysubsonicdomainname.com.key;
+    ssl_dhparam /etc/ssl/certs/mysubsonicdomainname.com.dhparam;
 
     ssl_session_timeout 5m;
     ssl_prefer_server_ciphers on;
+    ssl_session_cache  builtin:1000  shared:SSL:10m;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
     ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
-    #add_header Strict-Transport-Security max-age=0; # six months
+    add_header Strict-Transport-Security "max-age=0;";
 
     client_max_body_size 20M;
 
-    keepalive_timeout 75 75;
-    gzip_vary off;
-
     location / {
         proxy_pass http://localhost:4040/;
         proxy_redirect     http://             https://;
@@ -8040,7 +8043,7 @@ editor /etc/nginx/sites-available/$HOSTNAME
 Add the following to the section which starts with *listen 443*
 
 #+BEGIN_SRC: bash
-    ssl_certificate /etc/ssl/certs/mydomainname.com_bundle.crt;
+    ssl_certificate /etc/ssl/certs/mydomainname.com.bundle.crt;
 #+END_SRC
 
 Save and exit, then restart the web server.