Nginx updates.

Copy the mater branch from web-proxy-docker.

Nginx updates.
3da49662 · nimrod · a866f7ab · 3da49662 · 3da49662 · 3da49662
Commit 3da49662 authored 2 years ago by nimrod
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
-FROM docker.io/library/nginx:1.21.3-alpine
+FROM docker.io/nginx:1.23.1-alpine
 # hadolint ignore=DL3018
 RUN rm -rf /etc/nginx/conf./* && \
    chmod 777 /run && \

--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@@ -9,6 +9,6 @@ server {
 server {
    listen      443 ssl http2 default_server;
    listen      [::]:443 ssl http2 default_server;
-    include     snippets/ssl.conf;
+    include     snippets/ssl-legacy.conf;
    location    / { return 301 https://www.shore.co.il$request_uri; }
 }
--- a/nginx/snippets/ldap-auth.conf
+++ b/nginx/snippets/ldap-auth.conf
@@ -5,6 +5,7 @@ location = /validate {
  proxy_pass                        https://auth.shore.co.il/validate;
  proxy_http_version                1.1;
  include                           snippets/proxy-ssl.conf;
+  proxy_ssl_name                    auth.shore.co.il;
  internal;
  proxy_pass_request_body           off;
  proxy_set_header Content-Length   "";

--- a/nginx/snippets/matrix-well-known.conf
+++ b/nginx/snippets/matrix-well-known.conf
+# vim: ft=nginx
+location = /.well-known/matrix/server {
+    return 200 "{\"m.server\": \"matrix.shore.co.il:443\"}";
+}
--- a/nginx/snippets/proxy-ssl.conf
+++ b/nginx/snippets/proxy-ssl.conf
 # vim: ft=nginx
 proxy_ssl_verify                  on;
 proxy_ssl_verify_depth            3;
-proxy_ssl_name                    auth.shore.co.il;
 proxy_ssl_server_name             on;
 proxy_ssl_trusted_certificate     /etc/ssl/certs/ca-certificates.crt;
--- a/nginx/snippets/ssl-common.conf
+++ b/nginx/snippets/ssl-common.conf
+# vim: ft=nginx
+add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+add_header                  Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
+include                     snippets/common-headers.conf;
+ssl_certificate             /var/ssl/site.crt;
+ssl_certificate_key         /var/ssl/site.key;
+ssl_dhparam                 /var/ssl/dhparams;
+ssl_prefer_server_ciphers   on;
+ssl_session_cache           shared:SSL:50m;
+ssl_session_timeout         5m;
+ssl_stapling                on;
+ssl_stapling_verify         on;
+ssl_trusted_certificate     /etc/ssl/ocsp.pem;
--- a/nginx/snippets/ssl-legacy.conf
+++ b/nginx/snippets/ssl-legacy.conf
+# vim: ft=nginx
+include                     snippets/ssl-common.conf;
+ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ciphers                 !AESCCM:!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:ECDH+CHACHA20:AES256+ECDH:AES128:CHACHA20:+SHA1;
--- a/nginx/snippets/ssl-modern.conf
+++ b/nginx/snippets/ssl-modern.conf
+# vim: ft=nginx
+include                     snippets/ssl-common.conf;
+ssl_protocols               TLSv1.2 TLSv1.3;
+ssl_ciphers                 HIGH:!NULL:!AES128:!ARIA128:!CAMELLIA:!SHA1:!kRSA;