From 3da496625786dcf5a6ae66e19e243fb26d0dfb52 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 30 Jul 2022 19:59:28 +0300
Subject: [PATCH] Nginx updates.

Copy the master branch from web-proxy-docker.
---
 nginx/Dockerfile                      |  2 +-
 nginx/conf.d/default.conf             |  2 +-
 nginx/snippets/ldap-auth.conf         |  1 +
 nginx/snippets/matrix-well-known.conf |  4 ++++
 nginx/snippets/proxy-ssl.conf         |  1 -
 nginx/snippets/ssl-common.conf        | 13 +++++++++++++
 nginx/snippets/ssl-legacy.conf        |  4 ++++
 nginx/snippets/ssl-modern.conf        |  4 ++++
 8 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 nginx/snippets/matrix-well-known.conf
 create mode 100644 nginx/snippets/ssl-common.conf
 create mode 100644 nginx/snippets/ssl-legacy.conf
 create mode 100644 nginx/snippets/ssl-modern.conf

diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 5346f41..cfcb831 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/library/nginx:1.21.3-alpine
+FROM docker.io/nginx:1.23.1-alpine
 # hadolint ignore=DL3018
 RUN rm -rf /etc/nginx/conf./* && \
     chmod 777 /run && \
diff --git a/nginx/conf.d/default.conf b/nginx/conf.d/default.conf
index 2f0ef98..3fed2c0 100644
--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@@ -9,6 +9,6 @@ server {
 server {
     listen      443 ssl http2 default_server;
     listen      [::]:443 ssl http2 default_server;
-    include     snippets/ssl.conf;
+    include     snippets/ssl-legacy.conf;
     location    / { return 301 https://www.shore.co.il$request_uri; }
 }
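Review bot: The default server on port 443 now includes `snippets/ssl-legacy.conf`, which per the new file in this patch enables TLSv1 and TLSv1.1, yet this block only issues a 301 redirect, so the widened protocol set serves no client here. Unless legacy clients are expected to land on the default vhost, `include     snippets/ssl-modern.conf;` would be the safer choice for this block. Depending on the nginx/OpenSSL version in the image, the protocol range negotiated before SNI is taken from the default server on the listen socket, so this choice may also govern the other virtual hosts on the port; worth verifying with a handshake test against a non-default name.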
diff --git a/nginx/snippets/ldap-auth.conf b/nginx/snippets/ldap-auth.conf
index 0c09669..e5c51c8 100644
--- a/nginx/snippets/ldap-auth.conf
+++ b/nginx/snippets/ldap-auth.conf
@@ -5,6 +5,7 @@ location = /validate {
   proxy_pass                        https://auth.shore.co.il/validate;
   proxy_http_version                1.1;
   include                           snippets/proxy-ssl.conf;
+  proxy_ssl_name                    auth.shore.co.il;
   internal;
   proxy_pass_request_body           off;
   proxy_set_header Content-Length   "";
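Review bot: The added `proxy_ssl_name                    auth.shore.co.il;` is the value nginx already derives by default (`$proxy_host`, i.e. the host in the `proxy_pass` a few lines above), so the directive is redundant in this location, though harmless. If it is intended as an explicit pin for `proxy_ssl_verify`, a comment such as `# pin the verified name explicitly; proxy-ssl.conf no longer sets it` would tell the next reader why it moved out of `snippets/proxy-ssl.conf`. The enclosing `location = /validate` block starts outside the hunk.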
diff --git a/nginx/snippets/matrix-well-known.conf b/nginx/snippets/matrix-well-known.conf
new file mode 100644
index 0000000..e499bb8
--- /dev/null
+++ b/nginx/snippets/matrix-well-known.conf
@@ -0,0 +1,4 @@
+# vim: ft=nginx
+location = /.well-known/matrix/server {
+    return 200 "{\"m.server\": \"matrix.shore.co.il:443\"}";
+}
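Review bot: The `return 200 "..."` on line 3 emits the Matrix server delegation document with whatever `default_type` is in effect (nginx's stock default is application/octet-stream) because the URI has no extension, so the JSON is not labelled as such. Add `default_type application/json;` inside the location so the response carries the correct Content-Type; a short comment noting this is the federation (`/server`) document rather than the client one would also help, since the two have different requirements.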
diff --git a/nginx/snippets/proxy-ssl.conf b/nginx/snippets/proxy-ssl.conf
index b09e3bf..4c17a50 100644
--- a/nginx/snippets/proxy-ssl.conf
+++ b/nginx/snippets/proxy-ssl.conf
@@ -1,6 +1,5 @@
 # vim: ft=nginx
 proxy_ssl_verify                  on;
 proxy_ssl_verify_depth            3;
-proxy_ssl_name                    auth.shore.co.il;
 proxy_ssl_server_name             on;
 proxy_ssl_trusted_certificate     /etc/ssl/certs/ca-certificates.crt;
diff --git a/nginx/snippets/ssl-common.conf b/nginx/snippets/ssl-common.conf
new file mode 100644
index 0000000..3f0c270
--- /dev/null
+++ b/nginx/snippets/ssl-common.conf
@@ -0,0 +1,13 @@
+# vim: ft=nginx
+add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+add_header                  Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
+include                     snippets/common-headers.conf;
+ssl_certificate             /var/ssl/site.crt;
+ssl_certificate_key         /var/ssl/site.key;
+ssl_dhparam                 /var/ssl/dhparams;
+ssl_prefer_server_ciphers   on;
+ssl_session_cache           shared:SSL:50m;
+ssl_session_timeout         5m;
+ssl_stapling                on;
+ssl_stapling_verify         on;
+ssl_trusted_certificate     /etc/ssl/ocsp.pem;
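Review bot: The `add_header Strict-Transport-Security` on line 2 lacks the `always` parameter, so nginx omits the header on 4xx/5xx responses (add_header applies only to 2xx/3xx by default), which is undesirable for a preload-grade policy; use `add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`. Because add_header is not inherited once any enclosed location declares its own add_header, servers that include this snippet and set headers in a location will silently lose HSTS there — a warning comment at the top of the snippet would help maintainers. `Expect-CT` is deprecated and ignored by current browsers, so line 3 can probably be dropped. `ssl_stapling on` also needs a `resolver` directive in scope so the OCSP responder hostname can be resolved; that is not visible in this patch, so worth confirming it exists elsewhere.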
diff --git a/nginx/snippets/ssl-legacy.conf b/nginx/snippets/ssl-legacy.conf
new file mode 100644
index 0000000..f03f493
--- /dev/null
+++ b/nginx/snippets/ssl-legacy.conf
@@ -0,0 +1,4 @@
+# vim: ft=nginx
+include                     snippets/ssl-common.conf;
+ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ciphers                 !AESCCM:!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:ECDH+CHACHA20:AES256+ECDH:AES128:CHACHA20:+SHA1;
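Review bot: `ssl_protocols` on line 3 re-enables TLSv1 and TLSv1.1 (deprecated by RFC 8996) and the cipher string on line 4 re-admits SHA1 suites via `+SHA1`, but nothing records which clients require this or when it can be retired. Suggest a header comment such as `# TLS 1.0/1.1 + SHA1 kept for <legacy clients — TODO name them>; remove by <date>`. Whether those versions actually negotiate depends on the OpenSSL build in the nginx:1.23.1-alpine base — OpenSSL 3.x refuses TLS below 1.2 at its default security level — so the snippet may be a no-op on some bases; worth verifying with a handshake test rather than assuming.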
diff --git a/nginx/snippets/ssl-modern.conf b/nginx/snippets/ssl-modern.conf
new file mode 100644
index 0000000..ee87464
--- /dev/null
+++ b/nginx/snippets/ssl-modern.conf
@@ -0,0 +1,4 @@
+# vim: ft=nginx
+include                     snippets/ssl-common.conf;
+ssl_protocols               TLSv1.2 TLSv1.3;
+ssl_ciphers                 HIGH:!NULL:!AES128:!ARIA128:!CAMELLIA:!SHA1:!kRSA;
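Review bot: `ssl_ciphers` on line 4 governs only TLSv1.2 and below; the `!AES128` and `!SHA1` exclusions do not touch the TLSv1.3 suites, so TLS_AES_128_GCM_SHA256 remains offered to TLS 1.3 clients. If the intent is to drop AES-128 under TLS 1.3 as well, add `ssl_conf_command            Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;` (nginx 1.19.4+ with OpenSSL 1.1.1+); otherwise a comment stating that TLS 1.3 suites are left at OpenSSL defaults would prevent the mismatch from being read as an oversight.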
-- 
GitLab