From e9274ee44376cbdcb617f7aa9622d93f6672145a Mon Sep 17 00:00:00 2001
From: Romuald du Song <romuald.dusong@deveryware.com>
Date: Thu, 14 Feb 2019 22:27:49 +0100
Subject: [PATCH] Handle yunohost admin nginx config

---
 .../templates/nginx/plain/yunohost_admin.conf | 21 +++++++++++--------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/plain/yunohost_admin.conf
index b6fabf8e3..7992b2de9 100644
--- a/data/templates/nginx/plain/yunohost_admin.conf
+++ b/data/templates/nginx/plain/yunohost_admin.conf
@@ -20,6 +20,14 @@ server {
     ssl_session_timeout 5m;
     ssl_session_cache shared:SSL:50m;
 
+    {% if security_ciphers_compatibility == "modern" %}
+    # Ciphers with modern compatibility
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
+    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+    ssl_prefer_server_ciphers on;
+    {% else %}
     # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519
     ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
     ssl_prefer_server_ciphers on;
@@ -29,20 +37,15 @@ server {
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 
-    # Ciphers with modern compatibility
-    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
-    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
-    #ssl_protocols TLSv1.2;
-    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-
     # Uncomment the following directive after DH generation
     # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
     #ssl_dhparam /etc/ssl/private/dh2048.pem;
-    
+    {% endif %}
+
     # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
     # https://wiki.mozilla.org/Security/Guidelines/Web_Security
-    # https://observatory.mozilla.org/ 
-    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload"; 
+    # https://observatory.mozilla.org/
+    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
     more_set_headers "Referrer-Policy : 'same-origin'";
     more_set_headers "Content-Security-Policy : upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'";
     more_set_headers "X-Content-Type-Options : nosniff";