diff --git a/util/Setup/Context.cs b/util/Setup/Context.cs
index 63593ad067..40c250d145 100644
--- a/util/Setup/Context.cs
+++ b/util/Setup/Context.cs
@@ -150,6 +150,7 @@ namespace Bit.Setup
 {
 [Description("Note: After making changes to this file you need to run the `rebuild` or `update`\n" +
 "command for them to be applied.\n\n" +
+
 "Full URL for accessing the installation from a browser. (Required)")]
 public string Url { get; set; } = "https://localhost";
 
@@ -180,6 +181,14 @@ namespace Bit.Setup
 [Description("Configure Nginx for SSL.")]
 public bool Ssl { get; set; } = true;
 
+ [Description("SSL versions used by Nginx (ssl_protocols). Leave empty for recommended default.\n" +
+ "Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS")]
+ public string SslVersions { get; set; }
+
+ [Description("SSL ciphersuites used by Nginx (ssl_ciphers). Leave empty for recommended default.\n" +
+ "Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS")]
+ public string SslCiphersuites { get; set; }
+
 [Description("Installation uses a managed Let's Encrypt certificate.")]
 public bool SslManagedLetsEncrypt { get; set; }
 
diff --git a/util/Setup/NginxConfigBuilder.cs b/util/Setup/NginxConfigBuilder.cs
index 4d49e7fd9e..8537119808 100644
--- a/util/Setup/NginxConfigBuilder.cs
+++ b/util/Setup/NginxConfigBuilder.cs
@@ -6,10 +6,6 @@ namespace Bit.Setup
 public class NginxConfigBuilder
 {
 private const string ConfFile = "/bitwarden/nginx/default.conf";
- private const string SslCiphers =
- "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:" +
- "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" +
- "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
 private const string ContentSecurityPolicy =
 "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
 "img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
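Review bot: The two new `[Description]` texts in the second Context.cs hunk say "Leave empty for recommended default" without telling the admin what that default is, which matters because whatever they type here replaces a hardening setting outright. I would name the defaults in the text, e.g. `"SSL versions used by Nginx (ssl_protocols). Leave empty for the default (TLSv1.2 only).\n"` and `"SSL ciphersuites used by Nginx (ssl_ciphers). Leave empty for the default (the ECDHE AES-GCM/CHACHA20 list).\n"`, and add one sentence to each that the value is written into the nginx config exactly as given. The enclosing class starts and ends outside this hunk.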
@@ -98,6 +94,27 @@ namespace Bit.Setup
 DiffieHellmanPath = context.Config.SslDiffieHellmanPath;
 }
 }
+
+ if(!string.IsNullOrWhiteSpace(context.Config.SslCiphersuites))
+ {
+ SslCiphers = context.Config.SslCiphersuites;
+ }
+ else
+ {
+ SslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" +
+ "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:" +
+ "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:" +
+ "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+ }
+
+ if(!string.IsNullOrWhiteSpace(context.Config.SslVersions))
+ {
+ SslProtocols = context.Config.SslVersions;
+ }
+ else
+ {
+ SslProtocols = "TLSv1.2";
+ }
 }
 
 public bool Ssl { get; set; }
@@ -107,8 +124,9 @@ namespace Bit.Setup
 public string KeyPath { get; set; }
 public string CaPath { get; set; }
 public string DiffieHellmanPath { get; set; }
+ public string SslCiphers { get; set; }
+ public string SslProtocols { get; set; }
 public string ContentSecurityPolicy => string.Format(NginxConfigBuilder.ContentSecurityPolicy, Domain);
- public string SslCiphers => NginxConfigBuilder.SslCiphers;
 }
 }
 }
diff --git a/util/Setup/Templates/NginxConfig.hbs b/util/Setup/Templates/NginxConfig.hbs
index 41ea06f0f1..0b2634f525 100644
--- a/util/Setup/Templates/NginxConfig.hbs
+++ b/util/Setup/Templates/NginxConfig.hbs
@@ -28,9 +28,7 @@ server {
 ssl_dhparam {{{DiffieHellmanPath}}};
 {{/if}}
 
- # SSL protocol TLSv1.2 is allowed. Disabled SSLv3, TLSv1, and TLSv1.1
- ssl_protocols TLSv1.2;
- # Enable most secure cipher suites only.
+ ssl_protocols {{{SslProtocols}}};
 ssl_ciphers "{{{SslCiphers}}}";
 # Enables server-side protection from BEAST attacks
 ssl_prefer_server_ciphers on;
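Review bot: The two new `if(!string.IsNullOrWhiteSpace(...))` branches copy `SslCiphersuites` and `SslVersions` into `SslCiphers`/`SslProtocols` untrimmed and unvalidated, and the template hunk in NginxConfig.hbs then emits them with triple-stash (no escaping) into `ssl_protocols ...;` and `ssl_ciphers "...";`, so a stray `"`, `;` or line break in the setup config yields a default.conf that nginx rejects or that contains directives the admin did not write. Since this runs during `rebuild`/`update`, failing early with a clear message is better than discovering it when nginx refuses to start, so I would route both values through one helper that trims, restricts the value to the protocol/cipher token characters nginx and OpenSSL use, and falls back to the hard-coded default when empty. Moving the two default strings from this hunk into `private const string DefaultSslCiphers` / `DefaultSslProtocols` also gives them a name a reader can find. The constructor this hunk sits in begins outside the hunk.
```csharp
// … unchanged: certificate / key / CA / dhparam assignments …
SslCiphers = TokenListOrDefault(context.Config.SslCiphersuites, DefaultSslCiphers, "SslCiphersuites");
SslProtocols = TokenListOrDefault(context.Config.SslVersions, DefaultSslProtocols, "SslVersions");
}

// The template pastes these values verbatim into nginx directives, so accept only a plain
// protocol/cipher token list; an empty or whitespace value means "use the default".
private static string TokenListOrDefault(string configured, string fallback, string settingName)
{
    if(string.IsNullOrWhiteSpace(configured))
    {
        return fallback;
    }
    var value = configured.Trim();
    if(!System.Text.RegularExpressions.Regex.IsMatch(value, @"^[A-Za-z0-9.:!+\-_@=\s]+$"))
    {
        throw new System.InvalidOperationException(
            $"Invalid {settingName} value; expected a list of protocol or cipher names.");
    }
    return value;
}
```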
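Review bot: The new `ssl_protocols {{{SslProtocols}}};` line drops the two comments that told whoever reads the generated default.conf why only TLSv1.2 was enabled and that the cipher list was deliberately restricted, and nothing replaces them, while the `# Enables server-side protection from BEAST attacks` comment below is kept. I would add one comment above the new line so the rendered file still explains itself, e.g. `# Protocol and cipher lists come from the setup config (SslVersions / SslCiphersuites); when unset the default is TLSv1.2 only.`.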