fixed nginx imageTLS configuration
All checks were successful
CI / Build nginx docker images (push) Successful in 21m54s
@@ -7,7 +7,7 @@ on:
|
|||||||
- '.gitea/workflows/build-nginx.yaml'
|
- '.gitea/workflows/build-nginx.yaml'
|
||||||
jobs:
|
jobs:
|
||||||
"Build nginx docker images":
|
"Build nginx docker images":
|
||||||
runs-on: woryzen
|
runs-on: hostinger
|
||||||
steps:
|
steps:
|
||||||
-
|
-
|
||||||
name: Set up Docker Buildx
|
name: Set up Docker Buildx
|
||||||
@@ -44,7 +44,7 @@ jobs:
|
|||||||
NGINX_VERSION=1.29.1
|
NGINX_VERSION=1.29.1
|
||||||
NGINX_BRANCH=vanilla
|
NGINX_BRANCH=vanilla
|
||||||
cache-from: type=registry,ref=gitea.woggioni.net/woggioni/nginx:buildx-vanilla
|
cache-from: type=registry,ref=gitea.woggioni.net/woggioni/nginx:buildx-vanilla
|
||||||
cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/nginx:buildx-woggioni
|
cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/nginx:buildx-vanilla
|
||||||
-
|
-
|
||||||
name: Build and push nginx custom images
|
name: Build and push nginx custom images
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v6
|
||||||
|
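Review bot: The step at `uses: docker/build-push-action@v6` references the action by a mutable major tag, and this job pushes images and build cache to `gitea.woggioni.net/woggioni/nginx`, so whatever that tag resolves to at run time presumably executes with the registry credentials. Pinning to a full commit SHA with the version in a trailing comment, e.g. `uses: docker/build-push-action@<commit-sha> # v6`, keeps the build reproducible and auditable. The same applies to the Buildx setup step if it is tagged the same way; its `uses:` line is outside this hunk. The `runs-on` change also moves where those credentials are used, so it is worth confirming that the `hostinger` runner is controlled as tightly as the previous one.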
@@ -91,12 +91,14 @@ RUN --mount=type=cache,target=/var/cache/apk \
|
|||||||
--mount=type=bind,from=build,source=/ngx_headers_more,target=/ngx_headers_more \
|
--mount=type=bind,from=build,source=/ngx_headers_more,target=/ngx_headers_more \
|
||||||
--mount=type=bind,from=build,source=/ngx_brotli,target=/ngx_brotli \
|
--mount=type=bind,from=build,source=/ngx_brotli,target=/ngx_brotli \
|
||||||
--mount=type=bind,from=build,source=/njs,target=/njs \
|
--mount=type=bind,from=build,source=/njs,target=/njs \
|
||||||
--mount=type=bind,source=install.sh,target=/install.sh \
|
--mount=type=bind,source=install.sh,target=/install.sh \
|
||||||
(cd nginx && sh /install.sh)
|
(cd nginx && sh /install.sh)
|
||||||
RUN --mount=type=cache,target=/var/cache/apk apk del .install_deps
|
RUN --mount=type=cache,target=/var/cache/apk apk del .install_deps
|
||||||
|
|
||||||
|
COPY --from=build /home/luser/libressl/openssl.cnf /etc/ssl/openssl.cnf
|
||||||
COPY conf/nginx.conf /etc/nginx/nginx.conf
|
COPY conf/nginx.conf /etc/nginx/nginx.conf
|
||||||
COPY conf/nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf
|
COPY conf/nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf
|
||||||
|
COPY conf/dhparam /etc/nginx/dhparam
|
||||||
|
|
||||||
LABEL description="NGINX Docker built top of LibreSSL" \
|
LABEL description="NGINX Docker built top of LibreSSL" \
|
||||||
maintainer="Walter Oggioni <oggioni.walter@gmail.com>" \
|
maintainer="Walter Oggioni <oggioni.walter@gmail.com>" \
|
||||||
|
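Review bot: The two added `COPY` lines (`/etc/ssl/openssl.cnf` from the build stage and `conf/dhparam` to `/etc/nginx/dhparam`) carry no comment saying why the runtime image needs them or where the DH group comes from. The committed parameters appear to be the fixed ffdhe2048 group from RFC 7919, which are public values and safe to keep in the repository. A line such as `# ffdhe2048 (RFC 7919) group for the DHE-RSA suites; referenced by ssl_dhparam` above the copy would record that. Naming the file `ffdhe2048.pem` would make the provenance obvious to anyone auditing the image. This reading assumes the second line of each printed pair is the new side; the `RUN` instruction above starts outside the hunk.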
8
nginx/conf/dhparam
Normal file
8
nginx/conf/dhparam
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
-----BEGIN DH PARAMETERS-----
|
||||||
|
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||||
|
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||||
|
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||||
|
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||||
|
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||||
|
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||||
|
-----END DH PARAMETERS-----
|
@@ -40,13 +40,15 @@ http {
|
|||||||
|
|
||||||
keepalive_disable msie6;
|
keepalive_disable msie6;
|
||||||
|
|
||||||
ssl_protocols TLSv1.3;
|
# intermediate configuration
|
||||||
ssl_ecdh_curve X25519:P-521:P-384;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA256:CAMELLIA128-SHA;
|
ssl_ecdh_curve X25519:prime256v1:secp384r1;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_prefer_server_ciphers off;
|
||||||
ssl_session_timeout 1h;
|
|
||||||
|
# see also ssl_session_ticket_key alternative to stateful session cache
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|
||||||
http2 on;
|
http2 on;
|
||||||
|
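Review bot: The new `ssl_ciphers` list includes `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384`, but no `ssl_dhparam` directive is visible in this hunk, and nginx does not offer DHE suites at all unless one is set. If it is not declared elsewhere in the file, add `ssl_dhparam /etc/nginx/dhparam;` next to `ssl_ciphers` so the file the Dockerfile now copies is actually used; otherwise drop the DHE entries. Re-enabling `TLSv1.2` alongside `TLSv1.3` widens what clients can negotiate. The existing `# intermediate configuration` comment says little, so a comment naming the profile source and the date it was generated would help the next review. The `http` block starts and ends outside the hunk.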