mirrors/snac2
3
0
Fork 0
mirror of https://codeberg.org/grunfink/snac2.git synced 2024-11-09 19:50:26 +03:00
Code Issues Packages Projects Releases Wiki Activity

improvement(nginx): Adjust nginx template to proper SSL/TLS cipher & protocols

Browse Source 
Fixes: #97
This commit is contained in:
Florian Paul Azim Hoberg 2024-01-05 21:31:11 +01:00
parent 5e2f4e9902
commit f86f688a10
3 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
examples/nginx-alpine-ssl/Dockerfile
View File

@ -3,6 +3,7 @@ RUN apk add nginx
RUN mkdir -p /run/nginx RUN mkdir -p /run/nginx
ADD default.conf /etc/nginx/http.d/default.conf ADD default.conf /etc/nginx/http.d/default.conf
ADD *.key /etc/ssl/private/ ADD *.key /etc/ssl/private/
ADD *.pem /etc/ssl/private/
ADD *.crt /etc/ssl/certs/ ADD *.crt /etc/ssl/certs/
WORKDIR /var/www/localhost/htdocs WORKDIR /var/www/localhost/htdocs
COPY entrypoint.sh /usr/local/bin COPY entrypoint.sh /usr/local/bin

25
examples/nginx-alpine-ssl/default.conf
View File

@ -3,8 +3,33 @@ server {
listen [::]:80 default_server; listen [::]:80 default_server;
listen 443 ssl http2 default_server; listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;
# SSL configuration
# SSL cert/key files
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
# For production regenerate this dhparam key by running:
# $> openssl dhparam -out dhparam.pem 4096
ssl_dhparam /etc/ssl/private/dhparam.pem;
# SSL ciphers/protocols
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp521r1:secp384r1;
ssl_ciphers EECDH+AESGCM:EECDH+AES256;
# SSL misc
ssl_session_cache shared:TLS:2m;
ssl_buffer_size 4k;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
# Set HSTS to 365 days
# Note: Activate this on production usage
#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
location /.well-known/webfinger { location /.well-known/webfinger {
proxy_http_version 1.1; proxy_http_version 1.1;

13
examples/nginx-alpine-ssl/dhparam.pem Normal file
View File

@ -0,0 +1,13 @@
-----BEGIN DH PARAMETERS-----
MIICDAKCAgEAuuCMfojExX8aqV+rD89xCK6lu4vkYohoyQsG8yttLQ8vHwF86ams
qFO/nTL8RmEboB3AeME0QBxdSb1GlS3c3G7v87yzw3O2vb6Hv1wyS7w7BRujFdTN
nQXOOY1aON5XdMY0nhkClqVC7Ov8re++sm017YtdZxtrwZoxccNuW9cxQzMDxwx3
Hp7PR198McObTIDh8Ak9V6BLXk+jsYyvtgs2dKp+nu3D4+rG0Kg/0tbCi1zZeU4u
+YqBQlZ8lLB1DcZWDfHkfkg64ifWOf6XDCn4kpxwkHjkynJpM9I6fmMO6kkpPROY
WjUVCShbH5CjRVf+4gmuRF+cXDR3Ie/mRyU3If6tnIb4BU2VVw49y5XaEiF/jPKh
2JVPxtP/rJ6M0cHjj/TTm2XomAI7bn3bfHoUkeD93rIMiFJvPPFrHxrAEb2i5hdh
1JQ4T+4FZS+BktedFPPjrG66Tk2Y3jBXoxwtMV2dy+j39bdIPLuHEPiXrU4onI1o
7SOtqbfohJB7Wb/9fOAzaQU32Rlq7ZEeqj6ZIFf5ct3nz6JrmblAEZTne/gwKFNP
yD7N4ey+Xq9+ojn4B8DeoOObtpUHQMb4fRPY7QM0yLvpVOrN5iJDWCJ8e6BimaAq
CwXQK86fIYnMVOSAASABPjnmgV5+xU+JtMulOF4cGSo18S0wqz9/hwcCAQICAgFF
-----END DH PARAMETERS-----