From b276068d293bfe5007d1f0b51b2012416e847f13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Bu=CC=88nemann?=
Date: Sun, 24 Mar 2019 16:05:17 +0100
Subject: [PATCH] fix(router) add missing ssl config in default host

this is required so that non-sni clients are not allowed to negotiate insecure ciphers suites
---
 nginx/config.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/nginx/config.go b/nginx/config.go
index 5a17e82..a4f3626 100644
--- a/nginx/config.go
+++ b/nginx/config.go
@@ -187,21 +187,27 @@ http { server { listen 8080 default_server reuseport{{ if $routerConfig.UseProxyProtocol }} proxy_protocol{{ end }}; listen 6443 default_server ssl {{ if $routerConfig.HTTP2Enabled }}http2{{ end }} {{ if $routerConfig.UseProxyProtocol }}proxy_protocol{{ end }}; - + # set header size limits {{ if $routerConfig.HTTP2Enabled }} http2_max_header_size {{ $routerConfig.HTTP2MaxHeaderSize }}; {{ end }} {{ if $routerConfig.HTTP2Enabled }} http2_max_field_size {{ $routerConfig.HTTP2MaxFieldSize }}; {{ end }} set $app_name "router-default-vhost"; - {{ if $routerConfig.PlatformCertificate }} ssl_protocols {{ $sslConfig.Protocols }}; + {{ if ne $sslConfig.Ciphers "" }}ssl_ciphers {{ $sslConfig.Ciphers }};{{ end }} + ssl_prefer_server_ciphers on; + {{ if $routerConfig.PlatformCertificate }} ssl_certificate /opt/router/ssl/platform.crt; ssl_certificate_key /opt/router/ssl/platform.key; {{ else }} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_certificate /opt/router/ssl/default/default.crt; ssl_certificate_key /opt/router/ssl/default/default.key; {{ end }} + {{ if ne $sslConfig.SessionCache "" }}ssl_session_cache {{ $sslConfig.SessionCache }}; + ssl_session_timeout {{ $sslConfig.SessionTimeout }};{{ end }} + ssl_session_tickets {{ if $sslConfig.UseSessionTickets }}on{{ else }}off{{ end }}; + ssl_buffer_size {{ $sslConfig.BufferSize }}; + {{ if ne $sslConfig.DHParam "" }}ssl_dhparam /opt/router/ssl/dhparam.pem;{{ end }} {{ if ne $routerConfig.ReferrerPolicy "" }} add_header Referrer-Policy {{ $routerConfig.ReferrerPolicy }}; {{ end }}
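Review bot: `ssl_buffer_size {{ $sslConfig.BufferSize }};` and the `ssl_session_timeout {{ $sslConfig.SessionTimeout }};` inside the SessionCache guard are rendered unconditionally from their fields, while the sibling `ssl_ciphers`, `ssl_session_cache` and `ssl_dhparam` lines are wrapped in `ne ... ""` checks; if BufferSize or SessionTimeout can ever be empty, the rendered config contains a directive with no argument and nginx rejects the whole file, so either guard them the same way (`{{ if ne $sslConfig.BufferSize "" }}ssl_buffer_size {{ $sslConfig.BufferSize }};{{ end }}`) or state in a comment where the defaults are guaranteed. The `ssl_dhparam` line tests `$sslConfig.DHParam` but hard-codes `/opt/router/ssl/dhparam.pem`, so the template presumably relies on that file being written elsewhere from the same field; a comment such as `# dhparam.pem is written from $sslConfig.DHParam elsewhere; keep the path in sync with the writer` would make that coupling visible. The new block also deserves a header comment like the one on the header-size block, e.g. `# TLS settings for the default server: non-SNI clients land here, so keep these aligned with the per-app vhosts`, since that alignment is the point of the commit. The enclosing `server {` block continues past the end of the hunk.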