
web: split TLS configuration and make it stronger

Resources:

- https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- https://weakdh.org/sysadmin.html
Saúl Ibarra Corretgé 6 年之前
父节点
当前提交
415f10406f
共有 3 个文件被更改,包括 26 次插入3 次删除
  1. 2 3
      web/rootfs/defaults/default
  2. 16 0
      web/rootfs/defaults/ssl.conf
  3. 8 0
      web/rootfs/etc/cont-init.d/10-config

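--- a/web/rootfs/defaults/default
+++ b/web/rootfs/defaults/default
@@ -2,11 +2,10 @@ server {
 	listen 80 default_server;
 	listen 443 ssl;
 
-	ssl_certificate /config/keys/cert.crt;
-	ssl_certificate_key /config/keys/cert.key;
-
 	server_name _;
 
+	include /config/nginx/ssl.conf;
+
 	client_max_body_size 0;
 
 	root /usr/share/jitsi-meet;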
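Review bot: Existing deployments will not pick up the new `include /config/nginx/ssl.conf;` line, because 10-config only templates site-confs/default when that file is absent (visible at the bottom of the 10-config hunk), so an already-persisted `default` keeps its inline ssl_certificate directives and never loads the hardened protocol and cipher settings. That upgrade step is worth stating in the commit message or a release note: operators must delete or re-template /config/nginx/site-confs/default to get the new TLS configuration. The server block starts and ends outside this hunk.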

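--- a/web/rootfs/defaults/ssl.conf
+++ b/web/rootfs/defaults/ssl.conf
@@ -0,0 +1,16 @@
+# session settings
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# Diffie-Hellman parameter for DHE cipher suites
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# ssl certs
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+
+# protocols
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;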
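Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which undercuts the "make it stronger" goal: both are deprecated by RFC 8996 and fail current compliance baselines, and every client a Jitsi web app can realistically run in supports 1.2; unless a known legacy client needs them, change the line to `ssl_protocols TLSv1.2;`. Likewise the trailing `RSA+AESGCM:RSA+AES` entries in `ssl_ciphers` admit static-RSA key exchange with no forward secrecy, so a later compromise of cert.key decrypts recorded sessions; dropping them leaves only the ECDHE/DHE suites that the `ssl_dhparam` line already provisions for. A one-line comment above the protocol directive recording why anything below 1.2 is kept (or was removed) would save the next maintainer from re-deriving the decision.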

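--- a/web/rootfs/etc/cont-init.d/10-config
+++ b/web/rootfs/etc/cont-init.d/10-config
@@ -12,6 +12,14 @@ if [[ ! -f /config/nginx/nginx.conf ]]; then
     cp /defaults/nginx.conf /config/nginx/nginx.conf
 fi
 
+if [[ ! -f /config/nginx/ssl.conf ]]; then
+    cp /defaults/ssl.conf /config/nginx/ssl.conf
+fi
+
+if [ ! -f "/config/nginx/dhparams.pem" ]; then
+    openssl dhparam -out /config/nginx/dhparams.pem 2048
+fi
+
 if [[ ! -f /config/nginx/site-confs/default ]]; then
     tpl /defaults/default > /config/nginx/site-confs/default
 fi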
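Review bot: `openssl dhparam -out /config/nginx/dhparams.pem 2048` writes straight to the final path, so a container stopped or killed mid-generation (2048-bit parameters typically take tens of seconds to minutes on a small host) leaves a truncated or empty dhparams.pem; on the next start the `! -f` test is satisfied, generation is skipped, and nginx will presumably refuse to start because ssl.conf points at an unparsable file. Generate to a temporary name and rename atomically instead: `openssl dhparam -out /config/nginx/dhparams.pem.tmp 2048 && mv /config/nginx/dhparams.pem.tmp /config/nginx/dhparams.pem`. As a point of style, this block uses single-bracket `[ ! -f "..." ]` while every neighbouring test in the file uses `[[ ! -f ... ]]`; matching the surrounding form would be `if [[ ! -f /config/nginx/dhparams.pem ]]; then`.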