
Raise SSL apache2 and nginx to intermediate

Marcel Herrguth 5 months ago
parent
commit
c099dbae4c
4 changed files with 176 additions and 171 deletions
  1. 40 34
      contrib/apache2/zammad.conf
  2. 67 63
      contrib/apache2/zammad_ssl.conf
  3. 55 51
      contrib/nginx/zammad.conf
  4. 14 23
      contrib/nginx/zammad_ssl.conf

+ 40 - 34
contrib/apache2/zammad.conf

@@ -1,53 +1,59 @@
 #
-# this is the apache config for zammad
+# this is an example Apache 2.4 config for Zammad
+# Please visit https://docs.zammad.org for further input on how to configure
+# your Apache to work with Zammad
+#
+# This is a NON SSL configuration, DO NOT use in production!
 #
 
 # security - prevent information disclosure about server version
 ServerTokens Prod
 
 <VirtualHost *:80>
-    # replace 'localhost' with your fqdn if you want to use zammad from remote
-    ServerName localhost
+  # replace 'localhost' with your fqdn if you want to use zammad from remote
+  ServerName localhost
+
+  ## don't loose time with IP address lookups
+  HostnameLookups Off
+
+  ## needed for named virtual hosts
+  UseCanonicalName Off
 
-    ## don't loose time with IP address lookups
-    HostnameLookups Off
+  ## configures the footer on server-generated documents
+  ServerSignature Off
 
-    ## needed for named virtual hosts
-    UseCanonicalName Off
+  ProxyRequests Off
+  ProxyPreserveHost On
 
-    ## configures the footer on server-generated documents
-    ServerSignature Off
+  <Proxy 127.0.0.1:3000>
+    Require local
+  </Proxy>
 
-    ProxyRequests Off
-    ProxyPreserveHost On
+  ProxyPass /assets !
+  ProxyPass /favicon.ico !
+  ProxyPass /apple-touch-icon.png !
+  ProxyPass /robots.txt !
 
-    <Proxy 127.0.0.1:3000>
-	Require local
-    </Proxy>
+  # legacy web socket server
+  ProxyPass /ws ws://127.0.0.1:6042/
 
-    ProxyPass /assets !
-    ProxyPass /favicon.ico !
-    ProxyPass /apple-touch-icon.png !
-    ProxyPass /robots.txt !
-    # legacy web socket server
-    ProxyPass /ws ws://127.0.0.1:6042/
-    # action cable
-    ProxyPass /cable ws://127.0.0.1:3000/cable
-    ProxyPass / http://127.0.0.1:3000/
+  # action cable
+  ProxyPass /cable ws://127.0.0.1:3000/cable
+  ProxyPass / http://127.0.0.1:3000/
 
-    # change this line in an SSO setup
-    RequestHeader unset X-Forwarded-User
+  # change this line in an SSO setup
+  RequestHeader unset X-Forwarded-User
 
-    DocumentRoot "/opt/zammad/public"
+  DocumentRoot "/opt/zammad/public"
 
-    <Directory />
-        Options FollowSymLinks
-        AllowOverride None
-    </Directory>
+  <Directory />
+    Options FollowSymLinks
+    AllowOverride None
+  </Directory>
 
-    <Directory "/opt/zammad/public">
-        Options FollowSymLinks
-	Require all granted
-    </Directory>
+  <Directory "/opt/zammad/public">
+    Options FollowSymLinks
+    Require all granted
+  </Directory>
 
 </VirtualHost>

+ 67 - 63
contrib/apache2/zammad_ssl.conf

@@ -1,75 +1,79 @@
 #
-# this is an example apache 2.4 config for zammad
+# this is an example Apache 2.4 config for Zammad
 # Please visit https://docs.zammad.org for further input on how to configure
-# your apache to work with Zammad
+# your Apache to work with Zammad
 #
 
 # security - prevent information disclosure about server version
 ServerTokens Prod
 
 <VirtualHost *:80>
-    ServerName example.com
-    Redirect permanent / https://example.com/
+  ServerName example.com
+  Redirect permanent / https://example.com/
 </VirtualHost>
 
 <VirtualHost *:443>
-    SSLEngine on
-    SSLProtocol all -SSLv2 -SSLv3
-    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-
-    SSLCertificateFile /etc/letsencrypt/live/example.com-0000/fullchain.pem
-    SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0000/privkey.pem
-    SSLCertificateChainFile /etc/ssl/lets-encrypt-x3-cross-signed.pem
-    SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem
-
-    # replace 'localhost' with your fqdn if you want to use zammad from remote
-    ServerName localhost
-
-    ## don't loose time with IP address lookups
-    HostnameLookups Off
-
-    ## needed for named virtual hosts
-    UseCanonicalName Off
-
-    ## configures the footer on server-generated documents
-    ServerSignature Off
-
-    ProxyRequests Off
-    ProxyPreserveHost On
-
-    <Proxy 127.0.0.1:3000>
-      Require local
-    </Proxy>
-
-    ProxyPass /assets !
-    ProxyPass /favicon.ico !
-    ProxyPass /apple-touch-icon.png !
-    ProxyPass /robots.txt !
-    # legacy web socket server
-    ProxyPass /ws ws://127.0.0.1:6042/
-    # action cable
-    ProxyPass /cable ws://127.0.0.1:3000/cable
-    ProxyPass / http://127.0.0.1:3000/
-
-    # change this line in an SSO setup
-    RequestHeader unset X-Forwarded-User
-
-    # Use settings below if proxying does not work and you receive HTTP-Errror 404
-    # if you use the settings below, make sure to comment out the above two options
-    # This may not apply to all systems, applies to openSuse
-    #ProxyPass /ws ws://127.0.0.1:6042/ "retry=1 acque=3000 timeout=600 keepalive=On"
-    #ProxyPass /cable ws://127.0.0.1:3000/cable "retry=1 acque=3000 timeout=600 keepalive=On"
-    #ProxyPass / http://127.0.0.1:3000/ "retry=1 acque=3000 timeout=600 keepalive=On"
-
-    DocumentRoot "/opt/zammad/public"
-
-    <Directory />
-        Options FollowSymLinks
-        AllowOverride None
-    </Directory>
-
-    <Directory "/opt/zammad/public">
-        Options FollowSymLinks
-	      Require all granted
-    </Directory>
+  # enable HTTP/2, if available
+  Protocols h2 http/1.1
+
+  SSLEngine on
+  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+  SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+  SSLHonorCipherOrder     off
+  SSLSessionTickets       off
+
+  SSLCertificateFile /etc/ssl/certs/example.com.pem
+  SSLCertificateKeyFile /etc/ssl/private/example.com.key
+  SSLCertificateChainFile /etc/ssl/certs/root-ca-plus-intermediates.pem
+  SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem
+
+  # replace 'localhost' with your fqdn if you want to use zammad from remote
+  ServerName localhost
+
+  HostnameLookups Off
+  UseCanonicalName Off
+  ServerSignature Off
+
+  Header always set Strict-Transport-Security "max-age=63072000"
+
+  ProxyRequests Off
+  ProxyPreserveHost On
+
+  <Proxy 127.0.0.1:3000>
+    Require local
+  </Proxy>
+
+  ProxyPass /assets !
+  ProxyPass /favicon.ico !
+  ProxyPass /apple-touch-icon.png !
+  ProxyPass /robots.txt !
+
+  # legacy web socket server
+  ProxyPass /ws ws://127.0.0.1:6042/
+
+  # action cable
+  ProxyPass /cable ws://127.0.0.1:3000/cable
+  ProxyPass / http://127.0.0.1:3000/
+
+  # change this line in an SSO setup
+  RequestHeader unset X-Forwarded-User
+
+  # Use settings below if proxying does not work and you receive HTTP-Errror 404
+  # if you use the settings below, make sure to comment out the above two options
+  # This may not apply to all systems, applies to openSuse
+  #ProxyPass /ws ws://127.0.0.1:6042/ "retry=1 acque=3000 timeout=600 keepalive=On"
+  #ProxyPass /cable ws://127.0.0.1:3000/cable "retry=1 acque=3000 timeout=600 keepalive=On"
+  #ProxyPass / http://127.0.0.1:3000/ "retry=1 acque=3000 timeout=600 keepalive=On"
+
+  DocumentRoot "/opt/zammad/public"
+
+  <Directory />
+    Options FollowSymLinks
+    AllowOverride None
+  </Directory>
+
+  <Directory "/opt/zammad/public">
+    Options FollowSymLinks
+    Require all granted
+  </Directory>
 </VirtualHost>
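Review bot: `SSLCertificateChainFile /etc/ssl/certs/root-ca-plus-intermediates.pem` uses a directive that became obsolete in Apache 2.4.8; the intermediates belong in the file given to `SSLCertificateFile` (leaf first, then intermediates), and the root CA should not be part of the served chain at all since clients already hold it. The new vhost also enables HSTS and turns session tickets off but, unlike the nginx counterpart in this commit, sets up no OCSP stapling; the matching directives are `SSLUseStapling On` inside the vhost and `SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"` at server level next to `ServerTokens Prod`, as the cache directive is not valid inside `<VirtualHost>`. Finally, `SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem` and the `DHE-RSA-*` entries in `SSLCipherSuite` depend on a file the header comment no longer tells the operator how to create; a one-line comment such as `# create with: openssl dhparam -out /etc/ssl/dhparam.pem 2048` keeps the example self-contained.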

+ 55 - 51
contrib/nginx/zammad.conf

@@ -1,74 +1,78 @@
 #
-# this is the nginx config for zammad
+# this is an example nginx config for Zammad
+# Please visit https://docs.zammad.org for further input on how to configure
+# your nginx to work with Zammad
+#
+# This is a NON SSL configuration, DO NOT use in production!
 #
 
 upstream zammad-railsserver {
-    server 127.0.0.1:3000;
+  server 127.0.0.1:3000;
 }
 
 upstream zammad-websocket {
-    server 127.0.0.1:6042;
+  server 127.0.0.1:6042;
 }
 
 server {
-    listen 80;
-    listen [::]:80;
+  listen 80;
+  listen [::]:80;
 
-    # replace 'localhost' with your fqdn if you want to use zammad from remote
-    server_name localhost;
+  # replace 'localhost' with your fqdn if you want to use zammad from remote
+  server_name localhost;
 
-    # security - prevent information disclosure about server version
-    server_tokens off;
+  # security - prevent information disclosure about server version
+  server_tokens off;
 
-    root /opt/zammad/public;
+  root /opt/zammad/public;
 
-    access_log /var/log/nginx/zammad.access.log;
-    error_log  /var/log/nginx/zammad.error.log;
+  access_log /var/log/nginx/zammad.access.log;
+  error_log  /var/log/nginx/zammad.error.log;
 
-    client_max_body_size 50M;
+  client_max_body_size 50M;
 
-    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
-        expires max;
-    }
+  location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
+    expires max;
+  }
 
-    # legacy web socket server
-    location /ws {
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_set_header CLIENT_IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_read_timeout 86400;
-        proxy_pass http://zammad-websocket;
-    }
+  # legacy web socket server
+  location /ws {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header CLIENT_IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_read_timeout 86400;
+    proxy_pass http://zammad-websocket;
+  }
 
-    # action cable
-    location /cable {
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_set_header CLIENT_IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_read_timeout 86400;
-        proxy_pass http://zammad-railsserver;
-    }
+  # action cable
+  location /cable {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header CLIENT_IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_read_timeout 86400;
+    proxy_pass http://zammad-railsserver;
+  }
 
-    location / {
-        proxy_set_header Host $http_host;
-        proxy_set_header CLIENT_IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+  location / {
+    proxy_set_header Host $http_host;
+    proxy_set_header CLIENT_IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
 
-        # Change this line in an SSO setup
-        proxy_set_header X-Forwarded-User "";
+    # Change this line in an SSO setup
+    proxy_set_header X-Forwarded-User "";
 
-        proxy_read_timeout 300;
-        proxy_pass http://zammad-railsserver;
+    proxy_read_timeout 300;
+    proxy_pass http://zammad-railsserver;
 
-        gzip on;
-        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
-        gzip_proxied any;
-    }
+    gzip on;
+    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
+    gzip_proxied any;
+  }
 }
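Review bot: The `/ws` and `/cable` locations set no `Host` header, so nginx forwards its default `$proxy_host` (the upstream names `zammad-websocket` and `zammad-railsserver`), while `location /` forwards `proxy_set_header Host $http_host;`; if the Rails server or the websocket server checks Host or Origin, the three paths presumably behave differently. Adding `proxy_set_header Host $http_host;` to both proxied locations makes the blocks consistent and keeps the host the client actually used in the upstream's logs.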

+ 14 - 23
contrib/nginx/zammad_ssl.conf

@@ -1,11 +1,7 @@
 #
-# this is an example nginx config for using SSL with zammad
-# this can be adjusted to be used with self-signed, trusted ca and letsencrypt certs
-# this example uses letsencrypt certs. replace all occurrences of example.com with your domain
-# If using LetsEncrypt create letsencrypt certificate by: certbot certonly --webroot -w /var/www/html -d www.example.com
-# create dhparam.pem by: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
-# download LetsEncrypt x3 certificate by: wget -q https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -P /etc/nginx/ssl
-# you can test your ssl configuration @ https://www.ssllabs.com/ssltest/analyze.html
+# this is an example nginx config for Zammad
+# Please visit https://docs.zammad.org for further input on how to configure
+# your nginx to work with Zammad
 #
 
 upstream zammad-railsserver {
@@ -33,7 +29,6 @@ server {
   }
 
   return 301 https://$server_name$request_uri;
-
 }
 
 
@@ -46,28 +41,24 @@ server {
   # security - prevent information disclosure about server version
   server_tokens off;
 
-  ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;
-  ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;
-
-  ssl_protocols TLSv1.2;
-
-  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
-  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
-
-  ssl_prefer_server_ciphers on;
+  ssl_certificate /etc/ssl/certs/example.com.pem;
+  ssl_certificate_key /etc/ssl/private/example.com.key;
+  ssl_trusted_certificate /etc/ssl/certs/root-ca-plus-intermediates.pem;
+  ssl_dhparam /etc/ssl/dhparam.pem;
 
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+  ssl_prefer_server_ciphers off;
   ssl_session_cache shared:SSL:10m;
   ssl_session_timeout 180m;
-
+  ssl_session_tickets off;
   ssl_stapling on;
   ssl_stapling_verify on;
 
-  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;
-
-  resolver 8.8.8.8 8.8.4.4;
+  # Use your prefered resolver - also allows external like 1.1.1.1 and 8.8.8.8
+  resolver 127.0.0.1;
 
-  add_header Strict-Transport-Security "max-age=31536000" always;
+  add_header Strict-Transport-Security "max-age=63072000" always;
 
   location = /robots.txt  {
     access_log off; log_not_found off;
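Review bot: `ssl_trusted_certificate /etc/ssl/certs/root-ca-plus-intermediates.pem` only supplies the chain nginx uses to verify stapled OCSP responses; it does not add intermediates to the chain sent to clients, so `ssl_certificate /etc/ssl/certs/example.com.pem` must itself contain the server certificate followed by the intermediates or clients receive an incomplete chain. A comment on that line, `# must contain the server certificate followed by the intermediate CA certificates`, would prevent the obvious misreading. The first hunk of this file also drops the header text that explained how to produce the file behind `ssl_dhparam /etc/ssl/dhparam.pem`, which the retained `DHE-RSA-*` ciphers rely on and which must exist when nginx loads the configuration; a comment like `# create with: openssl dhparam -out /etc/ssl/dhparam.pem 2048` keeps the example self-contained. The server block these lines belong to starts before the hunk.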