From 834c42bc503b3430eb8100343581ed3be396c41b Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sun, 27 Sep 2015 17:13:11 +0000
Subject: [PATCH] move nginx-ssl to be a global configuration file rather than
 including it into each server block

---
 conf/nginx-ssl.conf | 6 +++---
 conf/nginx.conf     | 1 -
 setup/web.sh        | 3 ++-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf
index 307f0398..21cdf419 100644
--- a/conf/nginx-ssl.conf
+++ b/conf/nginx-ssl.conf
@@ -26,19 +26,19 @@
 # but with a small exception (DES-CBC3-SHA) for IE8/XP users.
 # 
 # Reference client: https://www.ssllabs.com/ssltest/analyze.html
-ssl_prefer_server_ciphers on;
+# ssl_prefer_server_ciphers on; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
 ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 
 # Cut out (the old, broken) SSLv3 entirely. 
 # This **excludes IE6 users** and (apparently) Yandexbot.
 # Just comment out if you need to support IE6, bless your soul.
-ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+#ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
 
 # Turn on session resumption, using a 10 min cache shared across nginx processes,
 # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
 ssl_session_cache   shared:SSL:10m;
 ssl_session_timeout 10m;
-keepalive_timeout   70;
+#keepalive_timeout   70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good
 
 # Buffer size of 1400 bytes fits in one MTU.
 # nginx 1.5.9+ ONLY
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 03d07375..34117efc 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -31,7 +31,6 @@ server {
 
 	ssl_certificate $SSL_CERTIFICATE;
 	ssl_certificate_key $SSL_KEY;
-	include /etc/nginx/nginx-ssl.conf;
 
 	# ADDITIONAL DIRECTIVES HERE
 }
diff --git a/setup/web.sh b/setup/web.sh
index 9f1fdfb7..6a412b98 100755
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -25,8 +25,9 @@ rm -f /etc/nginx/sites-enabled/default
 # Copy in a nginx configuration file for common and best-practices
 # SSL settings from @konklone. Replace STORAGE_ROOT so it can find
 # the DH params.
+rm -f /etc/nginx/nginx-ssl.conf # we used to put it here
 sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
-	conf/nginx-ssl.conf > /etc/nginx/nginx-ssl.conf
+	conf/nginx-ssl.conf > /etc/nginx/conf.d/ssl.conf
 
 # Fix some nginx defaults.
 # The server_names_hash_bucket_size seems to prevent long domain names!