[IMP]Nginx : security improvements
* Updated ciphers / protocols and other base conf ; * Run as nginx user, no more root then fork.
This commit is contained in:
parent
3f40995318
commit
578dd155fb
|
|
@ -3,8 +3,8 @@ MAINTAINER Yaltik - Fabien Bourgeois <fabien@yaltik.com>
|
|||
|
||||
# Default variables
|
||||
ENV NGINX_HOST localhost 127.0.0.1
|
||||
ENV NGINX_PORT 80
|
||||
ENV NGINX_SSL_PORT 443
|
||||
ENV NGINX_PORT 8080
|
||||
ENV NGINX_SSL_PORT 8443
|
||||
|
||||
# Create sensible CERTS
|
||||
RUN mkdir /etc/nginx/certs
|
||||
|
|
@ -19,4 +19,12 @@ COPY root.conf /etc/nginx/templates/
|
|||
# Dot not daemonize nginx
|
||||
RUN echo 'daemon off;' >> /etc/nginx/nginx.conf
|
||||
|
||||
# nginx user (no root)
|
||||
RUN touch /var/run/nginx.pid && \
|
||||
chown -R nginx:nginx /var/run/nginx.pid && \
|
||||
chown -R nginx:nginx /var/cache/nginx && \
|
||||
chown -R nginx:nginx /etc/nginx/
|
||||
|
||||
USER nginx
|
||||
|
||||
CMD bash /launch.sh
|
||||
|
|
|
|||
|
|
@ -4,19 +4,30 @@ server {
|
|||
server_name ${NGINX_HOST};
|
||||
ssl_certificate /etc/nginx/certs/req.pem;
|
||||
ssl_certificate_key /etc/nginx/certs/cert.key;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
|
||||
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; # Logjam and co
|
||||
ssl_prefer_server_ciphers on; # Logjam
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3; # don’t use SSLv3 ref: POODLE, nor TLSv1 / TLSv1.1
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam
|
||||
ssl_session_cache shared:TLS:10m;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_cache shared:TLS:10m; # About 40k sessions
|
||||
|
||||
# OCSP stapling
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver 8.8.8.8;
|
||||
# Set HSTS to 365 days
|
||||
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
|
||||
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
|
||||
|
||||
client_max_body_size 200M;
|
||||
# resolver 127.0.0.1;
|
||||
|
||||
# DDoS
|
||||
client_body_buffer_size 1K;
|
||||
client_header_buffer_size 1k;
|
||||
client_max_body_size 1k;
|
||||
large_client_header_buffers 2 1k;
|
||||
|
||||
location / {
|
||||
root /var/www/html;
|
||||
|
|
|
|||
Loading…
Reference in New Issue