[IMP]Nginx : security improvements
* Updated ciphers / protocols and other base configuration; * Run as the nginx user instead of starting as root and forking workers.
This commit is contained in:
parent
3f40995318
commit
578dd155fb
@ -3,8 +3,8 @@ MAINTAINER Yaltik - Fabien Bourgeois <fabien@yaltik.com>
|
|||||||
|
|
||||||
# Default variables
|
# Default variables
|
||||||
ENV NGINX_HOST localhost 127.0.0.1
|
ENV NGINX_HOST localhost 127.0.0.1
|
||||||
ENV NGINX_PORT 80
|
ENV NGINX_PORT 8080
|
||||||
ENV NGINX_SSL_PORT 443
|
ENV NGINX_SSL_PORT 8443
|
||||||
|
|
||||||
# Create sensible CERTS
|
# Create sensible CERTS
|
||||||
RUN mkdir /etc/nginx/certs
|
RUN mkdir /etc/nginx/certs
|
||||||
@ -19,4 +19,12 @@ COPY root.conf /etc/nginx/templates/
|
|||||||
# Dot not daemonize nginx
|
# Dot not daemonize nginx
|
||||||
RUN echo 'daemon off;' >> /etc/nginx/nginx.conf
|
RUN echo 'daemon off;' >> /etc/nginx/nginx.conf
|
||||||
|
|
||||||
|
# nginx user (no root)
|
||||||
|
RUN touch /var/run/nginx.pid && \
|
||||||
|
chown -R nginx:nginx /var/run/nginx.pid && \
|
||||||
|
chown -R nginx:nginx /var/cache/nginx && \
|
||||||
|
chown -R nginx:nginx /etc/nginx/
|
||||||
|
|
||||||
|
USER nginx
|
||||||
|
|
||||||
CMD bash /launch.sh
|
CMD bash /launch.sh
|
||||||
|
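Review bot: `chown -R nginx:nginx /etc/nginx/` in the new RUN hands the runtime user write access to the whole nginx configuration tree, including /etc/nginx/certs where the private key the template points at (`ssl_certificate_key /etc/nginx/certs/cert.key`) lives, so a compromised worker can rewrite the server config or swap the key — much of what dropping root was meant to prevent. Nginx only needs to own the pid file, /var/cache/nginx and whatever directory /launch.sh renders the templates into (the script is not in this diff, so that target is an assumption to confirm); the rest of /etc/nginx should stay root-owned with the key readable by group nginx only, e.g. `chown -R nginx:nginx /var/cache/nginx /etc/nginx/conf.d` followed by `chown root:nginx /etc/nginx/certs/cert.key && chmod 640 /etc/nginx/certs/cert.key`. The `-R` on /var/run/nginx.pid is unnecessary for a plain file and can be a plain `chown nginx:nginx /var/run/nginx.pid`. If the base image does not symlink /var/log/nginx/*.log to stdout/stderr, that directory must also be writable by nginx or the workers will fail to open their logs after `USER nginx`. The `CMD bash /launch.sh` context line is unchanged here, but note that the non-root switch only holds if launch.sh does not try to `exec` through sudo or re-chown paths it no longer owns.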
@ -4,19 +4,30 @@ server {
|
|||||||
server_name ${NGINX_HOST};
|
server_name ${NGINX_HOST};
|
||||||
ssl_certificate /etc/nginx/certs/req.pem;
|
ssl_certificate /etc/nginx/certs/req.pem;
|
||||||
ssl_certificate_key /etc/nginx/certs/cert.key;
|
ssl_certificate_key /etc/nginx/certs/cert.key;
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
|
|
||||||
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; # Logjam and co
|
ssl_protocols TLSv1.2 TLSv1.3; # don’t use SSLv3 ref: POODLE, nor TLSv1 / TLSv1.1
|
||||||
ssl_prefer_server_ciphers on; # Logjam
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam
|
ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam
|
||||||
ssl_session_cache shared:TLS:10m;
|
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_tickets off;
|
||||||
|
ssl_session_cache shared:TLS:10m; # About 40k sessions
|
||||||
|
|
||||||
# OCSP stapling
|
# OCSP stapling
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
resolver 8.8.8.8;
|
|
||||||
# Set HSTS to 365 days
|
# Set HSTS to 365 days
|
||||||
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
|
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
|
||||||
|
|
||||||
client_max_body_size 200M;
|
# resolver 127.0.0.1;
|
||||||
|
|
||||||
|
# DDoS
|
||||||
|
client_body_buffer_size 1K;
|
||||||
|
client_header_buffer_size 1k;
|
||||||
|
client_max_body_size 1k;
|
||||||
|
large_client_header_buffers 2 1k;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
root /var/www/html;
|
root /var/www/html;
|
||||||
|
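Review bot: Removing `resolver 8.8.8.8;` and leaving only the commented-out `# resolver 127.0.0.1;` while `ssl_stapling on` / `ssl_stapling_verify on` stay in place leaves nginx with no resolver for the OCSP responder hostname, so stapling is silently disabled at runtime (nginx only logs a "no resolver defined" warning); either restore a resolver the container can reach, e.g. `resolver 127.0.0.11 valid=300s;` for Docker's embedded DNS on user-defined networks, or drop the stapling directives so the config does not advertise a protection it does not provide. The new `# DDoS` block is also more likely to break legitimate clients than to stop an attack: `large_client_header_buffers 2 1k;` is far below the 4x8k default and any request carrying a normal session cookie or bearer token exceeds 1k and is answered with a 400, and `client_max_body_size 1k;` (down from 200M) rejects nearly every POST with a 413. Request-flood protection belongs in `limit_req_zone`/`limit_conn_zone` with the buffer sizes tuned to the application's real header and body sizes, and a 200M-to-1k change deserves an explicit mention in the commit message. The enclosing `server` block starts before this hunk and the `location /` block continues past it.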