mirror of
https://codeberg.org/grunfink/snac2.git
synced 2024-11-14 09:35:04 +00:00
improvement(nginx): Adjust nginx template to proper SSL/TLS cipher & protocols
Fixes: #97
parent
5e2f4e9902
commit
f86f688a10
3 changed files with 39 additions and 0 deletions
|
@ -3,6 +3,7 @@ RUN apk add nginx
|
|||
RUN mkdir -p /run/nginx
|
||||
ADD default.conf /etc/nginx/http.d/default.conf
|
||||
ADD *.key /etc/ssl/private/
|
||||
ADD *.pem /etc/ssl/private/
|
||||
ADD *.crt /etc/ssl/certs/
|
||||
WORKDIR /var/www/localhost/htdocs
|
||||
COPY entrypoint.sh /usr/local/bin
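Review bot: The `ADD *.pem /etc/ssl/private/` line globs every PEM file in the build context into the image, so a stray private key or certificate bundle sitting next to the Dockerfile would be baked into a layer along with the DH parameters. It is presumably the one line this hunk adds, since the page has lost the `+` markers and dhparam.pem is the only new file in the commit. Naming the file keeps the image contents explicit: `COPY dhparam.pem /etc/ssl/private/dhparam.pem`. The neighbouring `ADD *.key` line has the same property, and anything copied this way is readable by whoever can pull the image, so a comment such as `# example only: mount real keys at runtime instead of baking them into the image` would help readers who copy this template.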
|
||||
|
|
|
@ -3,8 +3,33 @@ server {
|
|||
listen [::]:80 default_server;
|
||||
listen 443 ssl http2 default_server;
|
||||
listen [::]:443 ssl http2 default_server;
|
||||
|
||||
# SSL configuration
|
||||
# SSL cert/key files
|
||||
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
|
||||
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
|
||||
# For production regenerate this dhparam key by running:
|
||||
# $> openssl dhparam -out dhparam.pem 4096
|
||||
ssl_dhparam /etc/ssl/private/dhparam.pem;
|
||||
|
||||
# SSL ciphers/protocols
|
||||
ssl_protocols TLSv1.3 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ecdh_curve secp521r1:secp384r1;
|
||||
ssl_ciphers EECDH+AESGCM:EECDH+AES256;
|
||||
|
||||
# SSL misc
|
||||
ssl_session_cache shared:TLS:2m;
|
||||
ssl_buffer_size 4k;
|
||||
|
||||
# OCSP stapling
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
|
||||
|
||||
# Set HSTS to 365 days
|
||||
# Note: Activate this on production usage
|
||||
#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
|
||||
|
||||
location /.well-known/webfinger {
|
||||
proxy_http_version 1.1;
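Review bot: `ssl_stapling on` and `ssl_stapling_verify on` are enabled against the self-signed certificate configured a few lines above, which has no issuer certificate or OCSP responder to query, so nginx cannot staple anything for it. Once a CA-issued certificate is swapped in, `ssl_stapling_verify` also needs the issuer chain through `ssl_trusted_certificate`, which this block does not set. I would ship both directives commented out, as the HSTS header is, and add `# ssl_trusted_certificate /etc/ssl/certs/<issuer-chain>.pem;  # required by ssl_stapling_verify` beside them. Separately, `ssl_ciphers EECDH+AESGCM:EECDH+AES256` enables no DHE suites, so `ssl_dhparam` and the committed dhparam.pem look unused; either drop them or say so in the comment above the directive. The server block starts and ends outside this hunk.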
|
||||
|
|
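--- a/examples/nginx-alpine-ssl/dhparam.pem
+++ b/examples/nginx-alpine-ssl/dhparam.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICDAKCAgEAuuCMfojExX8aqV+rD89xCK6lu4vkYohoyQsG8yttLQ8vHwF86ams
+qFO/nTL8RmEboB3AeME0QBxdSb1GlS3c3G7v87yzw3O2vb6Hv1wyS7w7BRujFdTN
+nQXOOY1aON5XdMY0nhkClqVC7Ov8re++sm017YtdZxtrwZoxccNuW9cxQzMDxwx3
+Hp7PR198McObTIDh8Ak9V6BLXk+jsYyvtgs2dKp+nu3D4+rG0Kg/0tbCi1zZeU4u
++YqBQlZ8lLB1DcZWDfHkfkg64ifWOf6XDCn4kpxwkHjkynJpM9I6fmMO6kkpPROY
+WjUVCShbH5CjRVf+4gmuRF+cXDR3Ie/mRyU3If6tnIb4BU2VVw49y5XaEiF/jPKh
+2JVPxtP/rJ6M0cHjj/TTm2XomAI7bn3bfHoUkeD93rIMiFJvPPFrHxrAEb2i5hdh
+1JQ4T+4FZS+BktedFPPjrG66Tk2Y3jBXoxwtMV2dy+j39bdIPLuHEPiXrU4onI1o
+7SOtqbfohJB7Wb/9fOAzaQU32Rlq7ZEeqj6ZIFf5ct3nz6JrmblAEZTne/gwKFNP
+yD7N4ey+Xq9+ojn4B8DeoOObtpUHQMb4fRPY7QM0yLvpVOrN5iJDWCJ8e6BimaAq
+CwXQK86fIYnMVOSAASABPjnmgV5+xU+JtMulOF4cGSo18S0wqz9/hwcCAQICAgFF
+-----END DH PARAMETERS-----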