improvement(nginx): Adjust nginx template to proper SSL/TLS cipher & protocols
Fixes: #97
parent
5e2f4e9902
commit
f86f688a10
3 changed files with 39 additions and 0 deletions
|
@ -3,6 +3,7 @@ RUN apk add nginx
|
||||||
RUN mkdir -p /run/nginx
|
RUN mkdir -p /run/nginx
|
||||||
ADD default.conf /etc/nginx/http.d/default.conf
|
ADD default.conf /etc/nginx/http.d/default.conf
|
||||||
ADD *.key /etc/ssl/private/
|
ADD *.key /etc/ssl/private/
|
||||||
|
ADD *.pem /etc/ssl/private/
|
||||||
ADD *.crt /etc/ssl/certs/
|
ADD *.crt /etc/ssl/certs/
|
||||||
WORKDIR /var/www/localhost/htdocs
|
WORKDIR /var/www/localhost/htdocs
|
||||||
COPY entrypoint.sh /usr/local/bin
|
COPY entrypoint.sh /usr/local/bin
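Review bot: `ADD *.pem /etc/ssl/private/` copies every `.pem` file in the build context into an image layer, so any PEM-encoded private key that happens to sit beside `dhparam.pem` is baked into the image and visible in `docker history`; it also uses `ADD` for a plain local file, where `COPY` is the expected instruction (hadolint DL3020). Copy the one intended file by name, `COPY dhparam.pem /etc/ssl/private/dhparam.pem`, and pair it with a `.dockerignore` that excludes stray key material. Since the nginx config in this same commit tells operators to regenerate the DH parameters for production, the committed file is a placeholder and the Dockerfile should not be the place where an accidental extra `.pem` gets picked up. The file header for this section is outside the visible hunk, so the path is only inferred from the `RUN apk add nginx` context line.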
|
||||||
|
|
|
@ -3,8 +3,33 @@ server {
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
listen 443 ssl http2 default_server;
|
listen 443 ssl http2 default_server;
|
||||||
listen [::]:443 ssl http2 default_server;
|
listen [::]:443 ssl http2 default_server;
|
||||||
|
|
||||||
|
# SSL configuration
|
||||||
|
# SSL cert/key files
|
||||||
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
|
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
|
||||||
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
|
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
|
||||||
|
# For production regenerate this dhparam key by running:
|
||||||
|
# $> openssl dhparam -out dhparam.pem 4096
|
||||||
|
ssl_dhparam /etc/ssl/private/dhparam.pem;
|
||||||
|
|
||||||
|
# SSL ciphers/protocols
|
||||||
|
ssl_protocols TLSv1.3 TLSv1.2;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ecdh_curve secp521r1:secp384r1;
|
||||||
|
ssl_ciphers EECDH+AESGCM:EECDH+AES256;
|
||||||
|
|
||||||
|
# SSL misc
|
||||||
|
ssl_session_cache shared:TLS:2m;
|
||||||
|
ssl_buffer_size 4k;
|
||||||
|
|
||||||
|
# OCSP stapling
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
|
||||||
|
|
||||||
|
# Set HSTS to 365 days
|
||||||
|
# Note: Activate this on production usage
|
||||||
|
#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
|
||||||
|
|
||||||
location /.well-known/webfinger {
|
location /.well-known/webfinger {
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
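Review bot: `ssl_stapling_verify on` has no trust anchor to verify the stapled response against, because the hunk sets no `ssl_trusted_certificate`, and with the self-signed `nginx-selfsigned.crt` referenced a few lines above there is no OCSP responder to fetch from at all, so nginx will most likely log that stapling is ignored and the directives are inert; when a CA-issued certificate is substituted, add `ssl_trusted_certificate /etc/ssl/certs/<PLACEHOLDER-chain>.crt;` next to `ssl_stapling_verify`. The `ssl_ciphers EECDH+AESGCM:EECDH+AES256;` list contains only ECDHE suites, so the `ssl_dhparam` directive, the committed `dhparam.pem` and the regenerate-for-production comment never take effect; either drop them or note in the comment that they only matter if DHE suites are added. `EECDH+AES256` also admits the CBC/SHA suites, so `ssl_ciphers EECDH+AESGCM;` (optionally with ChaCha20-Poly1305 listed explicitly) keeps the stated intent while allowing only AEAD suites. `ssl_ecdh_curve secp521r1:secp384r1;` omits X25519 and P-256, which are what browsers send as their initial TLS 1.3 key_share, so every TLS 1.3 handshake presumably costs a HelloRetryRequest, and P-521 is not offered by every mainstream browser; `ssl_ecdh_curve X25519:secp384r1:prime256v1;` seems the safer ordering. The enclosing `server {` block begins and ends outside the hunk.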
|
||||||
|
|
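--- a/examples/nginx-alpine-ssl/dhparam.pem
+++ b/examples/nginx-alpine-ssl/dhparam.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICDAKCAgEAuuCMfojExX8aqV+rD89xCK6lu4vkYohoyQsG8yttLQ8vHwF86ams
+qFO/nTL8RmEboB3AeME0QBxdSb1GlS3c3G7v87yzw3O2vb6Hv1wyS7w7BRujFdTN
+nQXOOY1aON5XdMY0nhkClqVC7Ov8re++sm017YtdZxtrwZoxccNuW9cxQzMDxwx3
+Hp7PR198McObTIDh8Ak9V6BLXk+jsYyvtgs2dKp+nu3D4+rG0Kg/0tbCi1zZeU4u
++YqBQlZ8lLB1DcZWDfHkfkg64ifWOf6XDCn4kpxwkHjkynJpM9I6fmMO6kkpPROY
+WjUVCShbH5CjRVf+4gmuRF+cXDR3Ie/mRyU3If6tnIb4BU2VVw49y5XaEiF/jPKh
+2JVPxtP/rJ6M0cHjj/TTm2XomAI7bn3bfHoUkeD93rIMiFJvPPFrHxrAEb2i5hdh
+1JQ4T+4FZS+BktedFPPjrG66Tk2Y3jBXoxwtMV2dy+j39bdIPLuHEPiXrU4onI1o
+7SOtqbfohJB7Wb/9fOAzaQU32Rlq7ZEeqj6ZIFf5ct3nz6JrmblAEZTne/gwKFNP
+yD7N4ey+Xq9+ojn4B8DeoOObtpUHQMb4fRPY7QM0yLvpVOrN5iJDWCJ8e6BimaAq
+CwXQK86fIYnMVOSAASABPjnmgV5+xU+JtMulOF4cGSo18S0wqz9/hwcCAQICAgFF
+-----END DH PARAMETERS-----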