Add setting to configure ecdh curve

kubernetes · Mar 31, 2017 · 8e41bdd · 8e41bdd
1 parent 5d17c7c
commit 8e41bdd
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/controllers/nginx/pkg/config/config.go b/controllers/nginx/pkg/config/config.go
@@ -200,6 +200,10 @@ type Configuration struct {
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
 	SSLCiphers string `json:"ssl-ciphers,omitempty"`
 
+	// Specifies a curve for ECDHE ciphers.
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve
+	SSLECDHCurve string `json:"ssl-ecdh-curve,omitempty"`
+
 	// The secret that contains Diffie-Hellman key to help with "Perfect Forward Secrecy"
 	// https://www.openssl.org/docs/manmaster/apps/dhparam.html
 	// https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam
@@ -280,6 +284,7 @@ func NewDefault() Configuration {
 		ShowServerTokens:         true,
 		SSLBufferSize:            sslBufferSize,
 		SSLCiphers:               sslCiphers,
+		SSLECDHCurve:             "secp384r1",
 		SSLProtocols:             sslProtocols,
 		SSLSessionCache:          true,
 		SSLSessionCacheSize:      sslSessionCacheSize,

diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -183,6 +183,8 @@ http {
     ssl_dyn_rec_size_lo 0;
     {{ end }}
 
+    ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};
+
     {{ if .CustomErrors }}
     # Custom error pages
     proxy_intercept_errors on;