From 78bceb7d603aa1999630bcad48e0bf8985b686ae Mon Sep 17 00:00:00 2001
From: Fabien BOURGEOIS
Date: Mon, 29 Mar 2021 20:13:54 +0200
Subject: [PATCH] [IMP]Nginx image : ssl protocols and ciphers configurables
---
nginx/Dockerfile | 6 ++++--
nginx/root.conf | 4 ++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index be7f1e7..4a5d47f 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -5,8 +5,10 @@ MAINTAINER Yaltik - Fabien Bourgeois
ENV NGINX_HOST localhost 127.0.0.1
ENV NGINX_PORT 8080
ENV NGINX_SSL_PORT 8443
-ENV CERTIFICATE_PATH /etc/nginx/certs/req.pem;
-ENV CERTIFICATE_KEY_PATH /etc/nginx/certs/cert.key;
+ENV CERTIFICATE_PATH /etc/nginx/certs/req.pem
+ENV CERTIFICATE_KEY_PATH /etc/nginx/certs/cert.key
+ENV SSL_PROTOCOLS TLSv1.2 TLSv1.3
+ENV SSL_CIPHERS ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Create sensible CERTS
RUN mkdir /etc/nginx/certs
diff --git a/nginx/root.conf b/nginx/root.conf
index 79f6aa3..11687a1 100644
--- a/nginx/root.conf
+++ b/nginx/root.conf
@@ -5,8 +5,8 @@ server {
ssl_certificate ${CERTIFICATE_PATH};
ssl_certificate_key ${CERTIFICATE_KEY_PATH};
-    ssl_protocols TLSv1.2 TLSv1.3; # don’t use SSLv3 ref: POODLE, nor TLSv1 / TLSv1.1
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_protocols ${SSL_PROTOCOLS};
+    ssl_ciphers ${SSL_CIPHERS};
ssl_prefer_server_ciphers off;
ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam
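Review bot: The rationale comment on the removed `ssl_protocols` line in the nginx/root.conf hunk ("don’t use SSLv3 ref: POODLE, nor TLSv1 / TLSv1.1") is dropped and not carried to the Dockerfile lines that now hold the defaults, so the new `ENV SSL_PROTOCOLS` / `ENV SSL_CIPHERS` lines carry no indication that they are security-sensitive and overridable at container start. Add above `ENV SSL_PROTOCOLS` a comment such as `# Default TLS settings, overridable at run time; keep SSLv3 (POODLE), TLSv1 and TLSv1.1 out of SSL_PROTOCOLS` so that anyone setting these variables in a deployment sees the constraint. The hunk shows no validation of an overridden value; presumably an empty or malformed value makes nginx reject its configuration at startup rather than silently weakening it, but that is worth confirming in the entrypoint that performs the `${...}` substitution, which is outside this patch. As a point of style, the quoted form `ENV SSL_PROTOCOLS="TLSv1.2 TLSv1.3"` makes the space-separated value unambiguous compared with the legacy whitespace form used here.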