From 8cd712b9ed3e6e6a9e2e61332f6c1faa2d4e41ad Mon Sep 17 00:00:00 2001
From: Konstantin Komelin
Date: Wed, 15 Oct 2014 15:33:38 +0400
Subject: [PATCH 1/2] Disabled SSLv3 to fix POODLE vulnerability.

https://www.digicert.com/ssl-support/nginx-disabling-ssl-v3.htm
---
 sites-available/example.com.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf
index 87775d81..35d58b34 100644
--- a/sites-available/example.com.conf
+++ b/sites-available/example.com.conf
@@ -171,6 +171,9 @@ server {
 ssl_certificate /etc/ssl/certs/example-cert.pem;
 ssl_certificate_key /etc/ssl/private/example.key;
+ # Disable SSL v3 protocol to fix POODLE bug.
+ ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+
 ## Strict Transport Security header for enhanced security. See
 ## http://www.chromium.org/sts. I've set it to 2 hours; set it to
 ## whichever age you want.

From ce8a9636acf6668a162efd707a81079f3919de73 Mon Sep 17 00:00:00 2001
From: Colan Schwartz
Date: Mon, 20 Apr 2015 16:36:02 -0400
Subject: [PATCH 2/2] Issue #212 by colans: Move header-adding to nginx.conf to avoid losing headers.

---
 apps/drupal/microcache_fcgi.conf | 21 +--------------------
 nginx.conf | 8 ++++++++
 sites-available/example.com.conf | 7 +++++--
 3 files changed, 14 insertions(+), 22 deletions(-)

diff --git a/apps/drupal/microcache_fcgi.conf b/apps/drupal/microcache_fcgi.conf
index ea4e3f77..e7e8184c 100644
--- a/apps/drupal/microcache_fcgi.conf
+++ b/apps/drupal/microcache_fcgi.conf
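Review bot: `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` is set only inside this one `server` block (which starts and ends outside the hunk), so every other HTTPS vhost in the repo keeps nginx's built-in default, which on releases of that era still included SSLv3; setting the directive once in the `http` context of nginx.conf would cover them all. The `TLSv1.1`/`TLSv1.2` parameters only take effect when nginx is linked against OpenSSL 1.0.1 or newer, and TLS 1.0/1.1 have since been deprecated (RFC 8996), so a current deployment should read `ssl_protocols TLSv1.2 TLSv1.3;`. Style: this file uses `##` for commentary and a single `#` for disabled directives, so the added comment should be `## Disable SSLv3 (POODLE); only TLS is negotiated.`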
@@ -23,29 +23,10 @@ fastcgi_ignore_headers Cache-Control Expires;
 ## Bypass the cache.
 fastcgi_cache_bypass $no_cache;
 fastcgi_no_cache $no_cache;
-## Add a cache miss/hit status header.
-add_header X-Micro-Cache $upstream_cache_status;
+
 ## To avoid any interaction with the cache control headers we expire
 ## everything on this location immediately.
 expires epoch;
-## Enable clickjacking protection in modern browsers. Available in
-## IE8 also. See
-## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
-## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
-## Uncomment the line below if you're not using media streaming.
-## For sites *not* using frames uncomment the line below.
-#add_header X-Frame-Options DENY;
-## For sites *using* frames uncomment the line below.
-#add_header X-Frame-Options SAMEORIGIN;
-
-## Block MIME type sniffing on IE.
-add_header X-Content-Options nosniff;
-
-## Strict Transport Security header for enhanced security. See
-## http://www.chromium.org/sts. I've set it to 2 hours; set it to
-## whichever age you want.
-## Uncomment the line below if you're using HTTPS.
-#add_header Strict-Transport-Security max-age=7200;
 ## If you're using a Nginx version greater than 1.1.11 then uncomment
 ## the line below. See:
diff --git a/nginx.conf b/nginx.conf
index 2da6d130..67899376 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -163,9 +163,17 @@ http {
 ## line below.
 add_header X-Frame-Options DENY;
+ ## Enable this if using HTTPS. See sites-available/example.com.conf
+ ## for details.
+ #add_header Strict-Transport-Security "max-age=7200";
+
 ## Block MIME type sniffing on IE.
 add_header X-Content-Options nosniff;
+ ## Add a cache miss/hit status header. This can be disabled if not including
+ ## any of the apps/drupal/microcache* files.
+ add_header X-Micro-Cache $upstream_cache_status;
+
 ## Include the upstream servers for PHP FastCGI handling config.
 ## This one uses the FCGI process listening on TCP sockets.
 include upstream_phpcgi_tcp.conf;
diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf
index 87775d81..04923cd0 100644
--- a/sites-available/example.com.conf
+++ b/sites-available/example.com.conf
@@ -173,8 +173,11 @@ server {
 ## Strict Transport Security header for enhanced security. See
 ## http://www.chromium.org/sts. I've set it to 2 hours; set it to
- ## whichever age you want.
- add_header Strict-Transport-Security "max-age=7200";
+ ## whichever age you want. However, we can't set this here because adding
+ ## a header will drop all other headers set earlier. See
+ ## http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
+ ## for details. Instead, uncomment this in nginx.conf.
+ ## add_header Strict-Transport-Security "max-age=7200";
 root /var/www/sites/example.com;
 index index.php;
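Review bot: The MIME-sniffing header that now sits between the two added blocks is misnamed — `add_header X-Content-Options nosniff;` (a context line in this hunk, carried over from the old microcache file) should be `add_header X-Content-Type-Options nosniff;`; browsers only recognise the latter, so the protection is silently absent, and this hunk is the natural place to fix it now that the list is defined once for every vhost. The added X-Micro-Cache comment should also record the inheritance rule that motivates the whole commit, since it is what will bite the next person who adds a header in an app include: `## NOTE: add_header lists are inherited only by server/location levels that define no add_header of their own; one add_header there drops this whole list.` The `http` block continues outside the hunk.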
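Review bot: This hunk turns the one live `add_header Strict-Transport-Security` into a comment while the copy in nginx.conf from the same series stays commented out, so after the series example.com stops sending HSTS altogether until an operator uncomments it in nginx.conf; the commit message says headers are moved to avoid losing them, but this one is lost by default, which deserves a sentence here or in the message. The explanation is also imprecise — nginx does not drop headers already set, an `add_header` at this level just stops the `http`-level list from being inherited — so `## a header will drop all other headers set earlier. See` would read better as `## an add_header here stops the http-level add_header list from being inherited. See`. Finally, the repo marks disabled directives with a single `#` (see `#add_header Strict-Transport-Security` in nginx.conf) and prose with `##`, so the last added line should be `#add_header Strict-Transport-Security "max-age=7200";` to stay recognisable as a toggle. The `server` block starts and ends outside the hunk.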