From 0cc71fad49bbacefe6e3b1bb8381f164fedb84b5 Mon Sep 17 00:00:00 2001
From: Steve Kamerman
Date: Sat, 1 Oct 2016 10:42:58 -0400
Subject: [PATCH 1/3] Add dynamically-computed DNS resolvers to nginx (for PR #574)
---
 docker-entrypoint.sh | 6 ++++++
 nginx.tmpl | 10 ++++++++++
 2 files changed, 16 insertions(+)
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index a413877..ed2e882 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -18,6 +18,12 @@ fi
 # Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default
 /app/generate-dhparam.sh $DHPARAM_BITS
+# Compute the DNS resolvers for use in the templates
+export RESOLVERS=$(awk '$1 == "nameserver" {print $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')
+if [ "x$RESOLVERS" = "x" ]; then
+ echo "Warning: unable to determine DNS resolvers for nginx" >&2
+fi
+
 # If the user has run the default command and the socket doesn't exist, fail
 if [ "$socketMissing" = 1 -a "$1" = forego -a "$2" = start -a "$3" = '-r' ]; then
 exit 1
diff --git a/nginx.tmpl b/nginx.tmpl
index f23e627..2ef7646 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -58,6 +58,10 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
 access_log off;
+{{ if ne $.Env.RESOLVERS "" }}
+resolver {{ $.Env.RESOLVERS }};
+{{ end }}
+
 {{ if (exists "/etc/nginx/proxy.conf") }}
 include /etc/nginx/proxy.conf;
 {{ else }}
@@ -198,6 +202,12 @@ server {
 ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 {{ end }}
+ {{ if (exists (printf "/etc/nginx/certs/%s.chain.crt" $cert)) }}
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }};
+ {{ end }}
+
 {{ if (ne $https_method "noredirect") }}
 add_header Strict-Transport-Security "max-age=31536000";
 {{ end }}
From dfe7677eb54e12146b0cc322946d6ec66b7f43e0 Mon Sep 17 00:00:00 2001
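Review bot: The `export RESOLVERS=$(…)` line passes every `nameserver` value of /etc/resolv.conf verbatim into the `resolver` directive emitted by this patch's nginx.tmpl hunk, but nginx takes IPv6 addresses in that directive in square brackets (`[::1]`), so a resolv.conf with an IPv6 nameserver produces a config nginx refuses to load. The awk program can bracket such entries and the declaration can be separated from the assignment so the pipeline's exit status is not masked by `export`: `RESOLVERS=$(awk '$1 == "nameserver" { print ($2 ~ ":" ? "[" $2 "]" : $2) }' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')` followed by `export RESOLVERS`. The same line reappears unchanged as context in patch 3's docker-entrypoint.sh hunk, so the fix belongs in both. Link-local entries carrying a scope ID such as `%eth0` would still need stripping, which this one-liner does not attempt.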
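Review bot: The stapling block is emitted whenever `<cert>.chain.crt` exists, but nginx can only fetch OCSP responses when a `resolver` is configured, and the resolver directive added earlier in this patch is itself conditional on RESOLVERS being non-empty; in the empty case the entrypoint only warns, stapling is still switched on, and each fetch fails at runtime with nginx logging that no resolver is defined. Gating this block on `$.Env.RESOLVERS` as well would avoid enabling a feature that cannot work, and a template comment should record the dependency, e.g. `{{/* OCSP stapling needs the resolver directive above (RESOLVERS) and the issuer chain in <cert>.chain.crt for ssl_stapling_verify */}}`. Note also that `ssl_stapling_verify on` checks the responder's signature against `ssl_trusted_certificate`, so the chain file must carry the issuer certificates up to the root, not just the leaf's immediate intermediate, or nginx silently drops the response. The enclosing `server` block starts outside the hunk.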
From: Teoh Han Hui
Date: Mon, 19 Sep 2016 15:23:46 +0800
Subject: [PATCH 2/3] Enable OCSP stapling if certificate trust chain is provided
Previously disabled in 080a5157e6b1de3637e339a7cf54105f0316cfa7
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c3f7643..a3b490c 100644
--- a/README.md
+++ b/README.md
@@ -206,7 +206,7 @@ and `CERT_NAME=shared` will then use this shared cert.
 The SSL cipher configuration is based on the [Mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7. Note that the DES-based TLS ciphers were removed for security.
-The configuration also enables HSTS, PFS, and SSL session caches. Currently TLS 1.0, 1.1 and 1.2
+The configuration also enables HSTS, PFS, OCSP stapling and SSL session caches. Currently TLS 1.0, 1.1 and 1.2
 are supported. TLS 1.0 is deprecated but its end of life is not until June 30, 2018. It is being included because the following browsers will stop working when it is removed: Chrome < 22, Firefox < 27, IE < 11, Safari < 7, iOS < 5, Android Browser < 5.
From 065dd7f1ea51f9a908c26dca840ff0a3d6cba606 Mon Sep 17 00:00:00 2001
From: Teoh Han Hui
Date: Mon, 6 Feb 2017 18:20:54 +0800
Subject: [PATCH 3/3] Fix build
---
 docker-entrypoint.sh | 1 +
 nginx.tmpl | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index ed2e882..2afd5bf 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -22,6 +22,7 @@ fi
 export RESOLVERS=$(awk '$1 == "nameserver" {print $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')
 if [ "x$RESOLVERS" = "x" ]; then
 echo "Warning: unable to determine DNS resolvers for nginx" >&2
+ unset RESOLVERS
 fi
 # If the user has run the default command and the socket doesn't exist, fail
diff --git a/nginx.tmpl b/nginx.tmpl
index 2ef7646..09a709c 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -58,7 +58,7 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
 access_log off;
-{{ if ne $.Env.RESOLVERS "" }}
+{{ if $.Env.RESOLVERS }}
 resolver {{ $.Env.RESOLVERS }};
 {{ end }}
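Review bot: Nothing in the hunk records why `ne $.Env.RESOLVERS ""` was replaced by a bare truthiness test, so a later edit could reinstate the comparison and with it the build failure this patch fixes; presumably the `unset RESOLVERS` added in the same patch leaves the key absent from `$.Env`, which `ne` cannot compare against a string while `if` simply treats it as false. A one-line template comment above the conditional would carry that, e.g. `{{/* RESOLVERS is unset (not empty) when no nameserver was found; a truthiness test covers both cases */}}`. The hunk's trailing context line appears to have been lost in the paste, so what is shown may not be the complete hunk.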