From 2ef7e5c9753dd5770d09deb3545671ba0c79d5ae Mon Sep 17 00:00:00 2001
From: Marius
Date: Wed, 9 Nov 2016 21:44:24 +0100
Subject: [PATCH] Generate and use custom primes for DH
---
 .infra/Freyfile.hcl | 6 +++++-
 .infra/files/nginx.conf | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/.infra/Freyfile.hcl b/.infra/Freyfile.hcl
index a8df4d6..e1faacb 100644
--- a/.infra/Freyfile.hcl
+++ b/.infra/Freyfile.hcl
@@ -224,6 +224,10 @@ deploy {
 name = "nginx | Create nginx configuration"
 copy = "src=./files/nginx.conf dest=/etc/nginx/sites-enabled/default"
 }
+ tasks {
+ name = "nginx | Create DH parameters"
+ command = "openssl dhparam -out /etc/nginx/dhparams.pem 2048 creates=/etc/nginx/dhparams.pem"
+ }
 }
 }
 
@@ -237,7 +241,7 @@ restart {
 }
 }
 playbooks {
- hosts = "nginx"
+ hosts = "tusd"
 name = "Restart nginx"
 tasks {
 action = "service name=nginx state=restarted"
diff --git a/.infra/files/nginx.conf b/.infra/files/nginx.conf
index 36aaa0d..22d058a 100644
--- a/.infra/files/nginx.conf
+++ b/.infra/files/nginx.conf
@@ -8,6 +8,10 @@ server {
 ssl_certificate /etc/letsencrypt/live/master.tus.io/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/master.tus.io/privkey.pem;
 
+ # Load custom parameters for Diffie Hellman key exchange to avoid the usage
+ # of common primes
+ ssl_dhparam /etc/nginx/dhparams.pem;
+
 server_name master.tus.io;
 
 # certbot will place the files required for the HTTP challenge in the
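Review bot: The new "nginx | Create DH parameters" task is placed after the "Create nginx configuration" copy task, yet the copied nginx.conf already references /etc/nginx/dhparams.pem, so on a first deploy any nginx reload or config test that runs between the two tasks would fail because the file does not exist yet; moving the `tasks { name = "nginx | Create DH parameters" ... }` block above the configuration copy closes that window (whether the copy task triggers a reload is not visible in this hunk). The `creates=/etc/nginx/dhparams.pem` guard keeps the command idempotent, but a 2048-bit `openssl dhparam` run can take several minutes on a small instance, so a comment such as `# slow on first run: only executed while dhparams.pem is absent` on the task would save the next operator from assuming the deploy hung. The enclosing deploy block begins and ends outside this hunk.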
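Review bot: The change of `hosts = "nginx"` to `hosts = "tusd"` in the restart playbook is unrelated to the DH parameters named in the subject and is not explained anywhere in the patch; since it alters which machines receive `service name=nginx state=restarted`, it deserves either a sentence in the commit message or its own commit. If the nginx group no longer exists and the restart was previously matching no hosts, that is the actual bug being fixed and should be stated as such. The playbooks block continues outside the hunk, so I cannot tell whether other playbooks still reference the nginx group.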
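Review bot: `ssl_dhparam /etc/nginx/dhparams.pem;` only takes effect for connections negotiated with DHE cipher suites, and this hunk shows no ssl_ciphers or ssl_protocols line, so whether any enabled suite actually uses the generated parameters cannot be confirmed from the patch; if the active list is ECDHE-only the directive is harmless but inert, which the comment should not leave readers guessing about. nginx also refuses to start when the referenced file is missing, so the added comment should record the dependency, e.g. `# Generated on the host by the "nginx | Create DH parameters" deploy task; nginx fails to start if this file is absent`. The server block begins and ends outside this hunk.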