This commit is contained in:
Patrick Domack 2021-08-13 09:00:58 -03:00 committed by GitHub
commit fef7a6ca32
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 79 additions and 8 deletions


@ -295,7 +295,7 @@ OpenSSL 1.1.1, Opera 57, and Safari 12.1. Note that this profile is **not** com
Other policies available through the `SSL_POLICY` environment variable are [`Mozilla-Old`](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility)
and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html)
`AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`.
`AWS-FS-1-2-Res-2020-10`, `AWS-FS-1-2-Res-2019-08`, `AWS-FS-1-2-2019-08`, `AWS-FS-1-1-2019-08`, `AWS-FS-2018-06`, `AWS-TLS-1-2-Ext-2018-06`, `AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`.
Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container generates
a 4096 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing
@ -329,6 +329,27 @@ is enabled with `max-age=31536000` for HTTPS sites. You can disable HSTS with t
even if they type in `http://` manually. The only way to get to an HTTP site after receiving an HSTS
response is to clear your browser's HSTS cache.
### HTTP/2 and HTTP/3 support
The default is to have HTTP/2 support enabled, as it is compiled into nginx. There is currently not native
support for HTTP/3 in nginx, so a custom nginx container would be needed to provide that currently.
An example container that works with HTTP/3 support currently is: ranadeeppolavarapu/nginx-http3
HTTP/2 provides multi-channel streaming and compression over a single connection, causing performance improvements,
less latency request times. But it suffers from the flaws of TCP due to packet loss, and this gets compounded
due to streaming many requests over a single connection. Any lost packets on the connection will cause delays
and stalls to all other requests that where made on that same connection.
More reading: [HTTP/2 Issues](https://www.twilio.com/blog/2017/10/http2-issues.html), [Comparing HTTP/3 vs HTTP/2](https://blog.cloudflare.com/http-3-vs-http-2/)
If you need to disable HTTP/2 support, you can include the environment variable `DISABLE_HTTP2=true`
If you are using an HTTP/3 (quic) enabled version of nginx you can pass `ENABLE_HTTP3=true`, and optionally
also also set `ALT_SVC` set to a custom alt-svc header, with the default currently set to h3-28 and h3-29.
When enabling HTTP/3 support, you will have to make sure you open up the udp port to it, according to your nginx
image used, normally 443/udp
If you are not using the nginx HTTP/3 preview build, you will likely need to use `ENABLE_HTTP3=quic` to use the
quic tag on the listen line in nginx instead of the http3 tag
### Basic Authentication Support
In order to be able to secure your virtual host, you have to create a file named as its equivalent VIRTUAL_HOST variable on directory


@ -20,6 +20,30 @@
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
{{ else if eq .ssl_policy "AWS-FS-1-2-Res-2020-10" }}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
{{ else if eq .ssl_policy "AWS-FS-1-2-Res-2019-08" }}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
ssl_prefer_server_ciphers on;
{{ else if eq .ssl_policy "AWS-FS-1-2-2019-08" }}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
ssl_prefer_server_ciphers on;
{{ else if eq .ssl_policy "AWS-FS-1-1-2019-08" }}
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
ssl_prefer_server_ciphers on;
{{ else if eq .ssl_policy "AWS-FS-2018-06" }}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
ssl_prefer_server_ciphers on;
{{ else if eq .ssl_policy "AWS-TLS-1-2-Ext-2018-06" }}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
ssl_prefer_server_ciphers on;
{{ else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
@ -121,6 +145,11 @@ proxy_set_header Proxy "";
{{ $access_log := (or (and (not $.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }}
{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
{{ $http2 := (or (and (not $.Env.DISABLE_HTTP2) "http2") "") }}
{{ $enable_http3 := (or (eq (or ($.Env.ENABLE_HTTP3) "") "true") (eq (or ($.Env.ENABLE_HTTP3) "") "quic")) }}
{{ $http3 := (or (and (eq (or ($.Env.ENABLE_HTTP3) "") "quic") "quic") "http3") }}
{{ $alt_svc := or ($.Env.ALT_SVC) (print "h3-28=\":" $external_https_port "\"; ma=86400, h3-29=\":" $external_https_port "\"; ma=86400") }}
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
@ -136,13 +165,20 @@ server {
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen {{ $external_https_port }} ssl http2;
{{ if $enable_http3 }}listen {{ $external_https_port }} {{ $http3 }} reuseport;{{ end }}
listen {{ $external_https_port }} ssl {{ $http2 }};
{{ if $enable_ipv6 }}
listen [::]:{{ $external_https_port }} ssl http2;
{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} {{ $http3 }} reuseport;{{ end }}
listen [::]:{{ $external_https_port }} ssl {{ $http2 }};
{{ end }}
{{ $access_log }}
return 503;
{{ if $enable_http3 }}
# Add Alt-Svc header to negotiate HTTP/3.
add_header Alt-Svc '{{ $alt_svc }}';
{{ end }}
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/default.crt;
@ -290,12 +326,19 @@ server {
{{ if $server_tokens }}
server_tokens {{ $server_tokens }};
{{ end }}
listen {{ $external_https_port }} ssl http2 {{ $default_server }};
{{ if $enable_http3 }}listen {{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
listen {{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
{{ if $enable_ipv6 }}
listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
listen [::]:{{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
{{ end }}
{{ $access_log }}
{{ if $enable_http3 }}
# Add Alt-Svc header to negotiate HTTP/3.
add_header Alt-Svc '{{ $alt_svc }}';
{{ end }}
{{ if eq $network_tag "internal" }}
# Only allow traffic from internal clients
include /etc/nginx/network_internal.conf;
@ -367,7 +410,7 @@ server {
{{ end }}
listen {{ $external_http_port }} {{ $default_server }};
{{ if $enable_ipv6 }}
listen [::]:80 {{ $default_server }};
listen [::]:{{ $external_http_port }} {{ $default_server }};
{{ end }}
{{ $access_log }}
@ -413,13 +456,20 @@ server {
{{ if $server_tokens }}
server_tokens {{ $server_tokens }};
{{ end }}
listen {{ $external_https_port }} ssl http2 {{ $default_server }};
{{ if $enable_http3 }}listen {{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
listen {{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
{{ if $enable_ipv6 }}
listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
listen [::]:{{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
{{ end }}
{{ $access_log }}
return 500;
{{ if $enable_http3 }}
# Add Alt-Svc header to negotiate HTTP/3.
add_header Alt-Svc '{{ $alt_svc }}';
{{ end }}
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
}
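Review bot: The three `add_header Alt-Svc '{{ $alt_svc }}';` lines added in the 503 default server, the vhost server and the 500 default server are placed at server level, and nginx inherits server-level add_header directives into a location only when that location declares no add_header of its own; a per-vhost location include that sets any header (those includes are outside these hunks) would silently drop the Alt-Svc advertisement and HTTP/3 would no longer be negotiated for that vhost, which is worth a comment on each line, e.g. `# Not inherited into a location that sets its own add_header.` In the same spirit, the `$alt_svc` assignment in the first nginx.tmpl hunk interpolates the operator-supplied ALT_SVC value unchanged into a single-quoted nginx string, so a value containing `'` or `;` breaks the generated config at the next reload rather than being rejected; a one-line comment there stating that the value must be a well-formed, quote-free Alt-Svc field value would make the contract explicit. The `$http2` assignment treats any non-empty DISABLE_HTTP2 (including `false`) as disabling HTTP/2; that mirrors the DISABLE_ACCESS_LOGS line above it but differs from ENABLE_IPV6 and ENABLE_HTTP3, which compare the value, so the README text should be read as the only supported form and a comment on the line would avoid a surprise.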