Merge pull request #138 from UKHomeOffice/issue-2239

David James · web-flow · commit d38f7bfb4b70 · 2021-08-10T15:28:49.000+01:00
parameterised ssl_session_timeout
diff --git a/.drone.yml b/.drone.yml
@@ -51,6 +51,8 @@ steps:
       from_secret: docker_password
     DOCKER_REPO: artifactory-internal.digital.homeoffice.gov.uk
     DOCKER_USERNAME: docker-nginx-proxy-robot
+  depends_on:
+    - build_and_test_image
   when:
     event:
     - tag
@@ -67,6 +69,8 @@ steps:
       from_secret: docker_quay_password
     DOCKER_REPO: quay.io
     DOCKER_USERNAME: ukhomeofficedigital+nginx_proxy
+  depends_on:
+    - build_and_test_image
   when:
     event:
     - tag
diff --git a/README.md b/README.md
@@ -80,6 +80,7 @@ This is useful when testing or for development instances or when a load-balancer
 * `SERVER_KEY` - Can override where to find the server's SSL key.
 * `SSL_CIPHERS` - Change the SSL ciphers support default only AES256+EECDH:AES256+EDH:!aNULL
 * `SSL_PROTOCOLS` - Change the SSL protocols supported default only TLSv1.2
+* `SSL_SESSION_TIMEOUT` - Specifies a time during which a client may reuse the session parameters (defaults to 10min)
 * `HTTP_LISTEN_PORT` - Change the default inside the container from 10080.
 * `HTTPS_LISTEN_PORT` - Change the default inside the container from 10443.
 * `HTTPS_REDIRECT` - Toggle whether or not we force redirects to HTTPS.  Defaults to true.
diff --git a/defaults.sh b/defaults.sh
@@ -8,6 +8,7 @@ export SERVER_CERT=${SERVER_CERT:-/etc/keys/crt}
 export SERVER_KEY=${SERVER_KEY:-/etc/keys/key}
 export SSL_CIPHERS=${SSL_CIPHERS:-'AES256+EECDH:AES256+EDH:!aNULL'}
 export SSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1.2'}
+export SSL_SESSION_TIMEOUT=${SSL_SESSION_TIMEOUT:-'10m'}
 export HTTP_LISTEN_PORT=${HTTP_LISTEN_PORT:-10080}
 export HTTPS_LISTEN_PORT=${HTTPS_LISTEN_PORT:-10443}
 export HTTPS_REDIRECT=${HTTPS_REDIRECT:-'TRUE'}
diff --git a/go.sh b/go.sh
@@ -16,7 +16,7 @@ cat > ${NGIX_CONF_DIR}/server_certs.conf <<-EOF_CERT_CONF
     ssl_ciphers ${SSL_CIPHERS};
     ssl_prefer_server_ciphers on;
     ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
+    ssl_session_timeout ${SSL_SESSION_TIMEOUT};
     ssl_stapling on;
     ssl_dhparam ${NGIX_CONF_DIR}/dhparam.pem;
 EOF_CERT_CONF
