diff --git a/.gitea/workflows/build-nginx.yaml b/.gitea/workflows/build-nginx.yaml
index a90834e..0c0536f 100644
--- a/.gitea/workflows/build-nginx.yaml
+++ b/.gitea/workflows/build-nginx.yaml
@@ -7,7 +7,7 @@ on:
 - '.gitea/workflows/build-nginx.yaml'
 jobs:
 "Build nginx docker images":
- runs-on: woryzen
+ runs-on: hostinger
 steps:
 - name: Set up Docker Buildx
@@ -44,7 +44,7 @@ jobs:
 NGINX_VERSION=1.29.1
 NGINX_BRANCH=vanilla
 cache-from: type=registry,ref=gitea.woggioni.net/woggioni/nginx:buildx-vanilla
- cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/nginx:buildx-woggioni
+ cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/nginx:buildx-vanilla
 - name: Build and push nginx custom images
 uses: docker/build-push-action@v6
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 693161f..0c7e519 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -91,12 +91,14 @@ RUN --mount=type=cache,target=/var/cache/apk \
 --mount=type=bind,from=build,source=/ngx_headers_more,target=/ngx_headers_more \
 --mount=type=bind,from=build,source=/ngx_brotli,target=/ngx_brotli \
 --mount=type=bind,from=build,source=/njs,target=/njs \
- --mount=type=bind,source=install.sh,target=/install.sh \
+ --mount=type=bind,source=install.sh,target=/install.sh \
 (cd nginx && sh /install.sh)
 RUN --mount=type=cache,target=/var/cache/apk apk del .install_deps
+COPY --from=build /home/luser/libressl/openssl.cnf /etc/ssl/openssl.cnf
 COPY conf/nginx.conf /etc/nginx/nginx.conf
 COPY conf/nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf
+COPY conf/dhparam /etc/nginx/dhparam
 LABEL description="NGINX Docker built top of LibreSSL" \
 maintainer="Walter Oggioni " \
diff --git a/nginx/conf/dhparam b/nginx/conf/dhparam
new file mode 100644
index 0000000..088f967
--- /dev/null
+++ b/nginx/conf/dhparam
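Review bot: The step this hunk touches still pulls `docker/build-push-action@v6`, a mutable major-version tag, so the workflow's build-and-push logic can change underneath the pinned cache refs without any diff in this repository; the same applies to the "Set up Docker Buildx" step in the first hunk. Pinning to a full commit and keeping the tag as a comment, `uses: docker/build-push-action@<FULL-COMMIT-SHA-PLACEHOLDER> # v6`, makes the action immutable and lets a dependency bot track it. The cache-to correction itself looks right: the vanilla build now reads and writes the same `buildx-vanilla` ref instead of clobbering the custom build's cache.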
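Review bot: `COPY conf/dhparam /etc/nginx/dhparam` ships the parameter file into the image, but nothing visible in this diff wires it into nginx; without an `ssl_dhparam /etc/nginx/dhparam;` directive nginx (1.11 and later, as far as I recall, and the workflow builds 1.29.1) has no DH group at all, so the `DHE-RSA-*` suites that the new `ssl_ciphers` line in nginx/conf/nginx.conf enables are silently never negotiable. The nginx.conf hunk is cut off in this view, so the directive may sit further down — worth confirming rather than assuming. `COPY --from=build /home/luser/libressl/openssl.cnf /etc/ssl/openssl.cnf` replaces the runtime image's system-wide TLS library configuration rather than anything nginx-specific, so every TLS-using tool in the image inherits it and a later `apk upgrade` of the packaged library will not refresh it; a one-line comment above it naming which defaults the build-stage file carries that the packaged one lacks would keep the copy from being removed as an accident. The `-`/`+` pair on the install.sh bind mount is textually identical here and is presumably whitespace-only.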
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
\ No newline at end of file
diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf
index d11bc55..e9f7c32 100644
--- a/nginx/conf/nginx.conf
+++ b/nginx/conf/nginx.conf
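Review bot: The file ends without a trailing newline (`\ No newline at end of file`); a newline after `-----END DH PARAMETERS-----` is the conventional PEM layout and avoids surprises with strict line-oriented readers and with tools that append to the file. The modulus appears to match the published RFC 7919 ffdhe2048 group as distributed by the Mozilla configuration generator, i.e. a public, well-known parameter set, so committing it is fine and nothing in this file is secret. If a freshly generated private group was intended instead, that is not what landed, and the choice is worth a sentence in the commit message either way.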
@@ -40,13 +40,15 @@ http {
 keepalive_disable msie6;
- ssl_protocols TLSv1.3;
- ssl_ecdh_curve X25519:P-521:P-384;
- ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA256:CAMELLIA128-SHA;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 1h;
-
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ecdh_curve X25519:prime256v1:secp384r1;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # see also ssl_session_ticket_key alternative to stateful session cache
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
 http2 on;