From f86f688a10a2db3c2264c75eb11d93e0394b9682 Mon Sep 17 00:00:00 2001
From: Florian Paul Azim Hoberg
Date: Fri, 5 Jan 2024 21:31:11 +0100
Subject: [PATCH] improvement(nginx): Adjust nginx template to proper SSL/TLS cipher & protocols

Fixes: #97
---
 examples/nginx-alpine-ssl/Dockerfile | 1 +
 examples/nginx-alpine-ssl/default.conf | 25 +++++++++++++++++++++++++
 examples/nginx-alpine-ssl/dhparam.pem | 13 +++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 examples/nginx-alpine-ssl/dhparam.pem

diff --git a/examples/nginx-alpine-ssl/Dockerfile b/examples/nginx-alpine-ssl/Dockerfile
index 845405d..39128bd 100644
--- a/examples/nginx-alpine-ssl/Dockerfile
+++ b/examples/nginx-alpine-ssl/Dockerfile
@@ -3,6 +3,7 @@ RUN apk add nginx
 RUN mkdir -p /run/nginx
 ADD default.conf /etc/nginx/http.d/default.conf
 ADD *.key /etc/ssl/private/
+ADD *.pem /etc/ssl/private/
 ADD *.crt /etc/ssl/certs/
 WORKDIR /var/www/localhost/htdocs
 COPY entrypoint.sh /usr/local/bin
diff --git a/examples/nginx-alpine-ssl/default.conf b/examples/nginx-alpine-ssl/default.conf
index 22db0df..c3131f0 100644
--- a/examples/nginx-alpine-ssl/default.conf
+++ b/examples/nginx-alpine-ssl/default.conf
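Review bot: `+ADD *.pem /etc/ssl/private/` sweeps every `.pem` file in the build context into the image's private-key directory, so a PEM certificate or chain someone places beside the Dockerfile lands under `/etc/ssl/private/` too, while the one file this commit actually needs is public DH parameters that do not belong there at all. Naming the file narrows both problems: `COPY dhparam.pem /etc/ssl/dhparam.pem` with `ssl_dhparam` in default.conf pointing at the same path, or `ADD dhparam.pem /etc/ssl/private/` if the directory must stay; COPY is the usual choice for local files because ADD also fetches URLs and unpacks archives, though the surrounding lines already use ADD so either is defensible here. Note also that the cipher list added to default.conf in this same commit selects only EECDH suites, so the parameters this line ships are not used for key exchange unless that list changes.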
@@ -3,8 +3,33 @@ server {
 listen [::]:80 default_server;
 listen 443 ssl http2 default_server;
 listen [::]:443 ssl http2 default_server;
+
+ # SSL configuration
+ # SSL cert/key files
 ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
 ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+ # For production regenerate this dhparam key by running:
+ # $> openssl dhparam -out dhparam.pem 4096
+ ssl_dhparam /etc/ssl/private/dhparam.pem;
+
+ # SSL ciphers/protocols
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve secp521r1:secp384r1;
+ ssl_ciphers EECDH+AESGCM:EECDH+AES256;
+
+ # SSL misc
+ ssl_session_cache shared:TLS:2m;
+ ssl_buffer_size 4k;
+
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
+
+ # Set HSTS to 365 days
+ # Note: Activate this on production usage
+ #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
 location /.well-known/webfinger {
 proxy_http_version 1.1;
diff --git a/examples/nginx-alpine-ssl/dhparam.pem b/examples/nginx-alpine-ssl/dhparam.pem
new file mode 100644
index 0000000..3d0e5d2
--- /dev/null
+++ b/examples/nginx-alpine-ssl/dhparam.pem
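Review bot: `ssl_ciphers EECDH+AESGCM:EECDH+AES256;` admits only ephemeral-ECDH suites, so the `ssl_dhparam /etc/ssl/private/dhparam.pem;` directive a few lines above it is never exercised for key exchange; either include a DHE family so the shipped parameters matter, e.g. `ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH+AES256;`, or drop the directive and the committed dhparam.pem rather than carry dead configuration (and the matching Dockerfile ADD) forward. `ssl_stapling on;` with `ssl_stapling_verify on;` is paired with the self-signed `nginx-selfsigned.crt`, which carries no OCSP responder URL, so nginx is expected to log a warning and ignore stapling at startup; the `# OCSP stapling` comment should say it only takes effect once a CA-issued certificate replaces the self-signed one. `ssl_ecdh_curve secp521r1:secp384r1;` leaves out X25519 and prime256v1, the groups most current clients negotiate first, so `ssl_ecdh_curve X25519:secp384r1:secp521r1;` would keep the strong curves while avoiding a slower fallback for every handshake. The enclosing `server {` block begins and ends outside this hunk.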
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICDAKCAgEAuuCMfojExX8aqV+rD89xCK6lu4vkYohoyQsG8yttLQ8vHwF86ams
+qFO/nTL8RmEboB3AeME0QBxdSb1GlS3c3G7v87yzw3O2vb6Hv1wyS7w7BRujFdTN
+nQXOOY1aON5XdMY0nhkClqVC7Ov8re++sm017YtdZxtrwZoxccNuW9cxQzMDxwx3
+Hp7PR198McObTIDh8Ak9V6BLXk+jsYyvtgs2dKp+nu3D4+rG0Kg/0tbCi1zZeU4u
++YqBQlZ8lLB1DcZWDfHkfkg64ifWOf6XDCn4kpxwkHjkynJpM9I6fmMO6kkpPROY
+WjUVCShbH5CjRVf+4gmuRF+cXDR3Ie/mRyU3If6tnIb4BU2VVw49y5XaEiF/jPKh
+2JVPxtP/rJ6M0cHjj/TTm2XomAI7bn3bfHoUkeD93rIMiFJvPPFrHxrAEb2i5hdh
+1JQ4T+4FZS+BktedFPPjrG66Tk2Y3jBXoxwtMV2dy+j39bdIPLuHEPiXrU4onI1o
+7SOtqbfohJB7Wb/9fOAzaQU32Rlq7ZEeqj6ZIFf5ct3nz6JrmblAEZTne/gwKFNP
+yD7N4ey+Xq9+ojn4B8DeoOObtpUHQMb4fRPY7QM0yLvpVOrN5iJDWCJ8e6BimaAq
+CwXQK86fIYnMVOSAASABPjnmgV5+xU+JtMulOF4cGSo18S0wqz9/hwcCAQICAgFF
+-----END DH PARAMETERS-----