improvement(nginx): Adjust nginx template to proper SSL/TLS cipher & protocols

Fixes: #97
author: Florian Paul Azim Hoberg 2024-01-05 21:31:11 +0100
committer: Florian Paul Azim Hoberg 2024-01-05 21:31:11 +0100
commit: f86f688a10a2db3c2264c75eb11d93e0394b9682 (patch)
tree: 6e805558fe2a5df4267541f353e0343c2f2d5270 /examples/nginx-alpine-ssl
parent: dequeue() unlinks the file, even if it's been unable to parse it. (diff)
download: snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.tar.gz
snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.tar.xz
snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.zip
3 files changed, 39 insertions, 0 deletions
diff --git a/examples/nginx-alpine-ssl/Dockerfile b/examples/nginx-alpine-ssl/Dockerfile
index 845405d..39128bd 100644
--- a/examples/nginx-alpine-ssl/Dockerfile
+++ b/examples/nginx-alpine-ssl/Dockerfile
@@ -3,6 +3,7 @@ RUN apk add nginx
 RUN mkdir -p /run/nginx
 ADD default.conf /etc/nginx/http.d/default.conf
 ADD *.key /etc/ssl/private/
+ADD *.pem /etc/ssl/private/
 ADD *.crt /etc/ssl/certs/
 WORKDIR /var/www/localhost/htdocs
 COPY entrypoint.sh /usr/local/bin
diff --git a/examples/nginx-alpine-ssl/default.conf b/examples/nginx-alpine-ssl/default.conf
index 22db0df..c3131f0 100644
--- a/examples/nginx-alpine-ssl/default.conf
+++ b/examples/nginx-alpine-ssl/default.conf
@@ -3,8 +3,33 @@ server {
    listen [::]:80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
+    # SSL configuration
+    # SSL cert/key files
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+    # For production regenerate this dhparam key by running:
+    # $> openssl dhparam -out dhparam.pem 4096
+    ssl_dhparam /etc/ssl/private/dhparam.pem;
+    # SSL ciphers/protocols
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ecdh_curve secp521r1:secp384r1;
+    ssl_ciphers EECDH+AESGCM:EECDH+AES256;
+    # SSL misc
+    ssl_session_cache shared:TLS:2m;
+    ssl_buffer_size 4k;
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
+    # Set HSTS to 365 days
+    # Note: Activate this on production usage
+    #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
    location /.well-known/webfinger {
        proxy_http_version      1.1;
diff --git a/examples/nginx-alpine-ssl/dhparam.pem b/examples/nginx-alpine-ssl/dhparam.pem
new file mode 100644
index 0000000..3d0e5d2
--- /dev/null
+++ b/examples/nginx-alpine-ssl/dhparam.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICDAKCAgEAuuCMfojExX8aqV+rD89xCK6lu4vkYohoyQsG8yttLQ8vHwF86ams
+qFO/nTL8RmEboB3AeME0QBxdSb1GlS3c3G7v87yzw3O2vb6Hv1wyS7w7BRujFdTN
+nQXOOY1aON5XdMY0nhkClqVC7Ov8re++sm017YtdZxtrwZoxccNuW9cxQzMDxwx3
+Hp7PR198McObTIDh8Ak9V6BLXk+jsYyvtgs2dKp+nu3D4+rG0Kg/0tbCi1zZeU4u
+YqBQlZ8lLB1DcZWDfHkfkg64ifWOf6XDCn4kpxwkHjkynJpM9I6fmMO6kkpPROY
+WjUVCShbH5CjRVf+4gmuRF+cXDR3Ie/mRyU3If6tnIb4BU2VVw49y5XaEiF/jPKh
+2JVPxtP/rJ6M0cHjj/TTm2XomAI7bn3bfHoUkeD93rIMiFJvPPFrHxrAEb2i5hdh
+1JQ4T+4FZS+BktedFPPjrG66Tk2Y3jBXoxwtMV2dy+j39bdIPLuHEPiXrU4onI1o
+7SOtqbfohJB7Wb/9fOAzaQU32Rlq7ZEeqj6ZIFf5ct3nz6JrmblAEZTne/gwKFNP
+yD7N4ey+Xq9+ojn4B8DeoOObtpUHQMb4fRPY7QM0yLvpVOrN5iJDWCJ8e6BimaAq
+CwXQK86fIYnMVOSAASABPjnmgV5+xU+JtMulOF4cGSo18S0wqz9/hwcCAQICAgFF
+-----END DH PARAMETERS-----
author	Florian Paul Azim Hoberg	2024-01-05 21:31:11 +0100
committer	Florian Paul Azim Hoberg	2024-01-05 21:31:11 +0100
commit	f86f688a10a2db3c2264c75eb11d93e0394b9682 (patch)
tree	6e805558fe2a5df4267541f353e0343c2f2d5270 /examples/nginx-alpine-ssl
parent	dequeue() unlinks the file, even if it's been unable to parse it. (diff)
download	snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.tar.gz snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.tar.xz snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.zip

diff --git a/examples/nginx-alpine-ssl/Dockerfile b/examples/nginx-alpine-ssl/Dockerfile index 845405d..39128bd 100644 --- a/examples/nginx-alpine-ssl/Dockerfile +++ b/examples/nginx-alpine-ssl/Dockerfile
@@ -3,6 +3,7 @@ RUN apk add nginx
3	RUN mkdir -p /run/nginx	3	RUN mkdir -p /run/nginx
4	ADD default.conf /etc/nginx/http.d/default.conf	4	ADD default.conf /etc/nginx/http.d/default.conf
5	ADD *.key /etc/ssl/private/	5	ADD *.key /etc/ssl/private/
		6	ADD *.pem /etc/ssl/private/
6	ADD *.crt /etc/ssl/certs/	7	ADD *.crt /etc/ssl/certs/
7	WORKDIR /var/www/localhost/htdocs	8	WORKDIR /var/www/localhost/htdocs
8	COPY entrypoint.sh /usr/local/bin	9	COPY entrypoint.sh /usr/local/bin


diff --git a/examples/nginx-alpine-ssl/default.conf b/examples/nginx-alpine-ssl/default.conf index 22db0df..c3131f0 100644 --- a/examples/nginx-alpine-ssl/default.conf +++ b/examples/nginx-alpine-ssl/default.conf
@@ -3,8 +3,33 @@ server {
3	listen [::]:80 default_server;	3	listen [::]:80 default_server;
4	listen 443 ssl http2 default_server;	4	listen 443 ssl http2 default_server;
5	listen [::]:443 ssl http2 default_server;	5	listen [::]:443 ssl http2 default_server;
		6
		7	# SSL configuration
		8	# SSL cert/key files
6	ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;	9	ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
7	ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;	10	ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
		11	# For production regenerate this dhparam key by running:
		12	# $> openssl dhparam -out dhparam.pem 4096
		13	ssl_dhparam /etc/ssl/private/dhparam.pem;
		14
		15	# SSL ciphers/protocols
		16	ssl_protocols TLSv1.3 TLSv1.2;
		17	ssl_prefer_server_ciphers on;
		18	ssl_ecdh_curve secp521r1:secp384r1;
		19	ssl_ciphers EECDH+AESGCM:EECDH+AES256;
		20
		21	# SSL misc
		22	ssl_session_cache shared:TLS:2m;
		23	ssl_buffer_size 4k;
		24
		25	# OCSP stapling
		26	ssl_stapling on;
		27	ssl_stapling_verify on;
		28	resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
		29
		30	# Set HSTS to 365 days
		31	# Note: Activate this on production usage
		32	#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
8		33
9	location /.well-known/webfinger {	34	location /.well-known/webfinger {
10	proxy_http_version 1.1;	35	proxy_http_version 1.1;


diff --git a/examples/nginx-alpine-ssl/dhparam.pem b/examples/nginx-alpine-ssl/dhparam.pem new file mode 100644 index 0000000..3d0e5d2 --- /dev/null +++ b/examples/nginx-alpine-ssl/dhparam.pem
@@ -0,0 +1,13 @@
		1	-----BEGIN DH PARAMETERS-----
		2	MIICDAKCAgEAuuCMfojExX8aqV+rD89xCK6lu4vkYohoyQsG8yttLQ8vHwF86ams
		3	qFO/nTL8RmEboB3AeME0QBxdSb1GlS3c3G7v87yzw3O2vb6Hv1wyS7w7BRujFdTN
		4	nQXOOY1aON5XdMY0nhkClqVC7Ov8re++sm017YtdZxtrwZoxccNuW9cxQzMDxwx3
		5	Hp7PR198McObTIDh8Ak9V6BLXk+jsYyvtgs2dKp+nu3D4+rG0Kg/0tbCi1zZeU4u
		6	+YqBQlZ8lLB1DcZWDfHkfkg64ifWOf6XDCn4kpxwkHjkynJpM9I6fmMO6kkpPROY
		7	WjUVCShbH5CjRVf+4gmuRF+cXDR3Ie/mRyU3If6tnIb4BU2VVw49y5XaEiF/jPKh
		8	2JVPxtP/rJ6M0cHjj/TTm2XomAI7bn3bfHoUkeD93rIMiFJvPPFrHxrAEb2i5hdh
		9	1JQ4T+4FZS+BktedFPPjrG66Tk2Y3jBXoxwtMV2dy+j39bdIPLuHEPiXrU4onI1o
		10	7SOtqbfohJB7Wb/9fOAzaQU32Rlq7ZEeqj6ZIFf5ct3nz6JrmblAEZTne/gwKFNP
		11	yD7N4ey+Xq9+ojn4B8DeoOObtpUHQMb4fRPY7QM0yLvpVOrN5iJDWCJ8e6BimaAq
		12	CwXQK86fIYnMVOSAASABPjnmgV5+xU+JtMulOF4cGSo18S0wqz9/hwcCAQICAgFF
		13	-----END DH PARAMETERS-----