[IMP]Nginx : security improvements

* Updated ciphers / protocols and other base conf ;
* Run as nginx user, no more root then fork.
This commit is contained in:
Fabien BOURGEOIS 2021-03-29 09:51:14 +02:00
parent 3f40995318
commit 578dd155fb
2 changed files with 28 additions and 9 deletions

View File

@ -3,8 +3,8 @@ MAINTAINER Yaltik - Fabien Bourgeois <fabien@yaltik.com>
# Default variables
ENV NGINX_HOST localhost 127.0.0.1
ENV NGINX_PORT 80
ENV NGINX_SSL_PORT 443
ENV NGINX_PORT 8080
ENV NGINX_SSL_PORT 8443
# Create sensible CERTS
RUN mkdir /etc/nginx/certs
@ -19,4 +19,12 @@ COPY root.conf /etc/nginx/templates/
# Dot not daemonize nginx
RUN echo 'daemon off;' >> /etc/nginx/nginx.conf
# nginx user (no root)
RUN touch /var/run/nginx.pid && \
chown -R nginx:nginx /var/run/nginx.pid && \
chown -R nginx:nginx /var/cache/nginx && \
chown -R nginx:nginx /etc/nginx/
USER nginx
CMD bash /launch.sh

View File

@ -4,19 +4,30 @@ server {
server_name ${NGINX_HOST};
ssl_certificate /etc/nginx/certs/req.pem;
ssl_certificate_key /etc/nginx/certs/cert.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # dont use SSLv3 ref: POODLE
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; # Logjam and co
ssl_prefer_server_ciphers on; # Logjam
ssl_protocols TLSv1.2 TLSv1.3; # dont use SSLv3 ref: POODLE, nor TLSv1 / TLSv1.1
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam
ssl_session_cache shared:TLS:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_session_cache shared:TLS:10m; # About 40k sessions
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
# Set HSTS to 365 days
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
client_max_body_size 200M;
# resolver 127.0.0.1;
# DDoS
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
location / {
root /var/www/html;