From 89ddc16d0ceeb9122caaf332774e78708985bc79 Mon Sep 17 00:00:00 2001
From: patrickdk
Date: Sun, 30 May 2021 17:02:42 -0400
Subject: [PATCH 1/6] Add newer SSL template configurations
---
 nginx.tmpl | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/nginx.tmpl b/nginx.tmpl
index 66f346c..23891bf 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -42,6 +42,30 @@
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA';
 ssl_prefer_server_ciphers on;
+ {{ else if eq .ssl_policy "AWS-FS-1-2-Res-2020-10" }}
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers on;
+ {{ else if eq .ssl_policy "AWS-FS-1-2-Res-2019-08" }}
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
+ ssl_prefer_server_ciphers on;
+ {{ else if eq .ssl_policy "AWS-FS-1-2-2019-08" }}
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
+ ssl_prefer_server_ciphers on;
+ {{ else if eq .ssl_policy "AWS-FS-1-1-2019-08" }}
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_ciphers 
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
+ ssl_prefer_server_ciphers on;
+ {{ else if eq .ssl_policy "AWS-FS-2018-06" }}
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
+ ssl_prefer_server_ciphers on;
+ {{ else if eq .ssl_policy "AWS-TLS-1-2-Ext-2018-06" }}
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
+ ssl_prefer_server_ciphers on;
 {{ else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }}
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
From 3aa2f531d9b65ece8593e9096aa9d2c5fff2cbe3 Mon Sep 17 00:00:00 2001
From: patrickdk
Date: Sun, 30 May 2021 17:05:42 -0400
Subject: [PATCH 2/6] Add support for client certificates
---
 nginx.tmpl | 12 ++++++++++++
 1 file changed, 12 insertions(+)
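Review bot: The two new branches that keep TLSv1 and TLSv1.1 on their `ssl_protocols` line (`AWS-FS-1-1-2019-08` and `AWS-FS-2018-06`) carry no marker that they are legacy-compatibility choices, and TLS 1.0/1.1 are deprecated by RFC 8996. A template comment above each of those branches, e.g. `# Legacy-compat policy: enables deprecated TLS 1.0/1.1 for old clients only`, would keep them from being selected by mistake. Every new branch also appends TLSv1.3, which the referenced AWS classic-ELB policy table presumably does not define; that matches the existing `AWS-TLS-1-2-2017-01` entry, so I would just record the divergence in the same comment rather than change it. The `{{ if }}`/`{{ else if }}` policy chain this hunk extends starts before the hunk and continues past it.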
diff --git a/nginx.tmpl b/nginx.tmpl
index 23891bf..280b5a0 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -276,6 +276,12 @@ upstream {{ $upstream_name }} {
 {{ if $is_https }}
+{{ $clientCA := trim (or (first (groupByKeys $containers "Env.CLIENT_CA")) (printf "%s.client" $vhostCert)) }}
+{{ $verifyClient := trim (or (first (groupByKeys $containers "Env.VERIFY_CLIENT")) "optional") }}
+{{ $verifyDepth := trim (or (first (groupByKeys $containers "Env.VERIFY_DEPTH")) "2") }}
+
+{{ $is_client_verify := (and (ne $clientCA "") (ne $verifyClient "") (ne $verifyDepth "") (exists (printf "/etc/nginx/certs/%s.pem" $clientCA))) }}
+
 {{ if eq $https_method "redirect" }}
 server {
 server_name {{ $host }};
@@ -343,6 +349,12 @@ server {
 add_header Strict-Transport-Security "{{ trim $hsts }}" always;
 {{ end }}
+ {{ if $is_client_verify }}
+ ssl_client_certificate {{ printf "/etc/nginx/certs/%s.pem" $clientCA }};
+ ssl_verify_client {{ (printf "%s" $verifyClient) }};
+ ssl_verify_depth {{ (printf "%s" $verifyDepth) }};
+ {{ end }}
+
 {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 include {{ printf "/etc/nginx/vhost.d/%s" $host }};
 {{ else if (exists "/etc/nginx/vhost.d/default") }}
From c94f486e3e179b9021fe1e1b500ed7bc51afd08b Mon Sep 17 00:00:00 2001
From: patrickdk
Date: Sun, 30 May 2021 17:28:16 -0400
Subject: [PATCH 3/6] Add quic protocol support, fix port 80 reference to external_http_port
---
 nginx.tmpl | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)
diff --git a/nginx.tmpl b/nginx.tmpl
index 280b5a0..8808730 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
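Review bot: `$is_client_verify` in the first hunk fails open: when a container asks for `VERIFY_CLIENT=on` but `/etc/nginx/certs/<$clientCA>.pem` is missing, the `exists` test makes the whole flag false and the server block in the second hunk is generated with no `ssl_verify_client` at all, so the vhost silently serves without the client-certificate check that was requested. I would make that case visible instead, e.g. in the second hunk `{{ else if eq $verifyClient "on" }}` / `# client CA file not found; refuse to serve unverified` / `return 403;` ahead of the `{{ end }}`. `$verifyClient` is also emitted unvalidated, and nginx accepts only `on`, `off`, `optional` and `optional_no_ca` for `ssl_verify_client`, so any other value breaks the entire generated config; the `(printf "%s" $verifyClient)` wrapper adds nothing over `{{ $verifyClient }}`. Patch 6 of this series removes the feature again, so this only matters if it is reinstated.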
@@ -166,6 +166,10 @@ proxy_set_header Proxy "";
 {{ $access_log := (or (and (not $.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }}
 {{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
+{{ $http2 := (or (and (not $.Env.DISABLE_HTTP2) "http2") "") }}
+{{ $enable_http3 := eq (or ($.Env.ENABLE_HTTP3) "") "true" }}
+{{ $alt_svc := or ($.Env.ALT_SVC) "h3-28=\":" $external_https_port "\"; ma=86400, h3-29=\":" $external_https_port "\"; ma=86400" }}
+
 server {
 server_name _; # This is just an invalid value which will never trigger on a real hostname.
 server_tokens off;
@@ -181,13 +185,20 @@ server {
 server {
 server_name _; # This is just an invalid value which will never trigger on a real hostname.
 server_tokens off;
- listen {{ $external_https_port }} ssl http2;
+ {{ if $enable_http3 }}listen {{ $external_https_port }} quic reuseport;{{ end }}
+ listen {{ $external_https_port }} ssl {{ $http2 }};
 {{ if $enable_ipv6 }}
- listen [::]:{{ $external_https_port }} ssl http2;
+ {{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic reuseport;{{ end }}
+ listen [::]:{{ $external_https_port }} ssl {{ $http2 }};
 {{ end }}
 {{ $access_log }}
 return 503;
+ {{ if $enable_http3 }}
+ # Add Alt-Svc header to negotiate HTTP/3.
+ add_header alt-svc '{{ $alt_svc }}';
+ {{ end }}
+
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
 ssl_certificate /etc/nginx/certs/default.crt;
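Review bot: The `add_header alt-svc` block added to the default server in the second hunk is never emitted, because that block answers every request with `return 503;` and `add_header` without the `always` flag only applies to responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308; the `return 500;` block in the hunk at -444 has the same dead directive. Either add the flag, `add_header alt-svc '{{ $alt_svc }}' always;`, or drop the block from the fallback servers, and dropping it looks preferable since the fallback server has no certificate for the requested name, so advertising an HTTP/3 endpoint from it does not help a client. In the first hunk, the `$alt_svc` default built with a multi-argument `or` evaluates to just its first non-empty argument, which patch 4 of this series corrects.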
@@ -315,12 +326,19 @@ server {
 {{ if $server_tokens }}
 server_tokens {{ $server_tokens }};
 {{ end }}
- listen {{ $external_https_port }} ssl http2 {{ $default_server }};
+ {{ if $enable_http3 }}listen {{ $external_https_port }} quic {{ $default_server }};{{ end }}
+ listen {{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 {{ if $enable_ipv6 }}
- listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
+ {{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic {{ $default_server }};{{ end }}
+ listen [::]:{{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 {{ end }}
 {{ $access_log }}
+ {{ if $enable_http3 }}
+ # Add Alt-Svc header to negotiate HTTP/3.
+ add_header alt-svc '{{ $alt_svc }}';
+ {{ end }}
+
 {{ if eq $network_tag "internal" }}
 # Only allow traffic from internal clients
 include /etc/nginx/network_internal.conf;
@@ -398,7 +416,7 @@ server {
 {{ end }}
 listen {{ $external_http_port }} {{ $default_server }};
 {{ if $enable_ipv6 }}
- listen [::]:80 {{ $default_server }};
+ listen [::]:{{ $external_http_port }} {{ $default_server }};
 {{ end }}
 {{ $access_log }}
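Review bot: The server-level `add_header alt-svc` added in the first hunk (like the pre-existing HSTS `add_header` in this server block) is silently dropped for any `location` that declares an `add_header` of its own, because nginx inherits `add_header` from the enclosing level only when the current level defines none; the per-host `vhost.d` includes later in this server block are the usual source of such location-level headers. A comment on the new block would save the next reader a debugging session, e.g. `# NOTE: add_header is not inherited by locations that set their own headers, so vhost.d includes can suppress Alt-Svc`. The `server {` this hunk edits starts before the hunk, so I cannot see whether the proxied `location` already sets headers where Alt-Svc would be safer to place.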
@@ -444,13 +462,20 @@ server {
 {{ if $server_tokens }}
 server_tokens {{ $server_tokens }};
 {{ end }}
- listen {{ $external_https_port }} ssl http2 {{ $default_server }};
+ {{ if $enable_http3 }}listen {{ $external_https_port }} quic {{ $default_server }};{{ end }}
+ listen {{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 {{ if $enable_ipv6 }}
- listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
+ {{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic {{ $default_server }};{{ end }}
+ listen [::]:{{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 {{ end }}
 {{ $access_log }}
 return 500;
+ {{ if $enable_http3 }}
+ # Add Alt-Svc header to negotiate HTTP/3.
+ add_header alt-svc '{{ $alt_svc }}';
+ {{ end }}
+
 ssl_certificate /etc/nginx/certs/default.crt;
 ssl_certificate_key /etc/nginx/certs/default.key;
 }
From 73f3f241a0bdce36695405f7ed65869d33be5f93 Mon Sep 17 00:00:00 2001
From: patrickdk
Date: Sun, 30 May 2021 17:42:37 -0400
Subject: [PATCH 4/6] Fix alt-svc
---
 nginx.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nginx.tmpl b/nginx.tmpl
index 8808730..b22b628 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -168,7 +168,7 @@ proxy_set_header Proxy "";
 {{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
 {{ $http2 := (or (and (not $.Env.DISABLE_HTTP2) "http2") "") }}
 {{ $enable_http3 := eq (or ($.Env.ENABLE_HTTP3) "") "true" }}
-{{ $alt_svc := or ($.Env.ALT_SVC) "h3-28=\":" $external_https_port "\"; ma=86400, h3-29=\":" $external_https_port "\"; ma=86400" }}
+{{ $alt_svc := or ($.Env.ALT_SVC) (print "h3-28=\":" $external_https_port "\"; ma=86400, h3-29=\":" $external_https_port "\"; ma=86400") }}
 server {
 server_name _; # This is just an invalid value which will never trigger on a real hostname.
From 113f2501d2b092d42a062a0760baf227329899aa Mon Sep 17 00:00:00 2001
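Review bot: In the patch 4 hunk at -168, `$alt_svc` is taken verbatim from `$.Env.ALT_SVC` and later emitted inside a single-quoted nginx string (`add_header alt-svc '{{ $alt_svc }}'`), so a value containing `'`, `;` or a newline breaks the whole generated config with no hint at this line about the constraint. A comment on the variable would record it, e.g. `# ALT_SVC is emitted verbatim inside single quotes; it must not contain quotes or newlines`. The default also hard-codes the draft tokens `h3-28`/`h3-29`, which only match nginx builds speaking those drafts, so the same comment should name that dependency and note that `ma=86400` is a one-day cache lifetime. The `print` fix itself is correct as long as `$external_https_port` is a string, which its use in the `listen` lines suggests but this hunk does not show.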
From: patrickdk
Date: Mon, 31 May 2021 19:26:48 -0400
Subject: [PATCH 5/6] Add documentation, add support for nginx offical http3 tag vs experimental quic tag
---
 README.md | 30 +++++++++++++++++++++++++++++-
 nginx.tmpl | 21 +++++++++++----------
 2 files changed, 40 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index a03b5e2..9dca7af 100644
--- a/README.md
+++ b/README.md
@@ -287,7 +287,7 @@ OpenSSL 1.1.1, Opera 57, and Safari 12.1. Note that this profile is **not** com
 Other policies available through the `SSL_POLICY` environment variable are [`Mozilla-Old`](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility) and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html)
-`AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`.
+`AWS-FS-1-2-Res-2020-10`, `AWS-FS-1-2-Res-2019-08`, `AWS-FS-1-2-2019-08`, `AWS-FS-1-1-2019-08`, `AWS-FS-2018-06`, `AWS-TLS-1-2-Ext-2018-06`, `AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`.
 Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container generates a 4096 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing
@@ -321,6 +321,27 @@ is enabled with `max-age=31536000` for HTTPS sites. You can disable HSTS with t
 even if they type in `http://` manually. The only way to get to an HTTP site after receiving an HSTS response is to clear your browser's HSTS cache.
+### HTTP/2 and HTTP/3 support
+
+The default is to have HTTP/2 support enabled, as it is compiled into nginx. There is currently not native
+support for HTTP/3 in nginx, so a custom nginx container would be needed to provide that currently.
+An example container that works with HTTP/3 support currently is: ranadeeppolavarapu/nginx-http3
+
+HTTP/2 provides multi-channel streaming and compression over a single connection, causing performance improvements,
+less latency request times. But it suffers from the flaws of TCP due to packet loss, and this gets compounded
+due to streaming many requests over a single connection. Any lost packets on the connection will cause delays
+and stalls to all other requests that where made on that same connection.
+More reading: [HTTP/2 Issues](https://www.twilio.com/blog/2017/10/http2-issues.html), [Comparing HTTP/3 vs HTTP/2](https://blog.cloudflare.com/http-3-vs-http-2/)
+
+If you need to disable HTTP/2 support, you can include the environment variable `DISABLE_HTTP2=true`
+
+If you are using an HTTP/3 (quic) enabled version of nginx you can pass `ENABLE_HTTP3=true`, and optionally
+also also set `ALT_SVC` set to a custom alt-svc header, with the default currently set to h3-28 and h3-29.
+When enabling HTTP/3 support, you will have to make sure you open up the udp port to it, according to your nginx
+image used, normally 443/udp
+If you are not using the nginx HTTP/3 preview build, you will likely need to use `ENABLE_HTTP3=quic` to use the
+quic tag on the listen line in nginx instead of the http3 tag
+
 ### Basic Authentication Support
 In order to be able to secure your virtual host, you have to create a file named as its equivalent VIRTUAL_HOST variable on directory
@@ -336,6 +357,13 @@ $ docker run -d -p 80:80 -p 443:443 \
 You'll need apache2-utils on the machine where you plan to create the htpasswd file. Follow these [instructions](http://httpd.apache.org/docs/2.2/programs/htpasswd.html)
+### Client Certificates Support
+
+Client certificates can be supported by defining the following environment variables:
+`CLIENT_CA` to be set to the certificate to validate the clients against
+`VERIFY_CLIENT` can be set to `on` to verify clients, `off` to ignore the client certificates, or `optional` the default to request but not verify
+`VERIFY_DEPTH` to the depth to verify the client certificate
+
 ### Custom Nginx Configuration
 If you need to configure Nginx beyond what is possible using environment variables, you can provide custom configuration files on either a proxy-wide or per-`VIRTUAL_HOST` basis.
diff --git a/nginx.tmpl b/nginx.tmpl
index b22b628..95fcf7a 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -167,7 +167,8 @@ proxy_set_header Proxy "";
 {{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
 {{ $http2 := (or (and (not $.Env.DISABLE_HTTP2) "http2") "") }}
-{{ $enable_http3 := eq (or ($.Env.ENABLE_HTTP3) "") "true" }}
+{{ $enable_http3 := (or (eq (or ($.Env.ENABLE_HTTP3) "") "true") (eq (or ($.Env.ENABLE_HTTP3) "") "quic")) }}
+{{ $http3 := (or (and (eq (or ($.Env.ENABLE_HTTP3) "") "quic") "quic") "http3") }}
 {{ $alt_svc := or ($.Env.ALT_SVC) (print "h3-28=\":" $external_https_port "\"; ma=86400, h3-29=\":" $external_https_port "\"; ma=86400") }}
 server {
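Review bot: In the nginx.tmpl hunk at -167, `$.Env.ENABLE_HTTP3` is re-read and re-defaulted three times across the two added lines, which is easy to get out of sync the next time an accepted value is added. Binding it once keeps the two derived values consistent: `{{ $http3_env := (or ($.Env.ENABLE_HTTP3) "") }}` / `{{ $enable_http3 := (or (eq $http3_env "true") (eq $http3_env "quic")) }}` / `{{ $http3 := (or (and (eq $http3_env "quic") "quic") "http3") }}`. A one-line comment stating that `true` selects the `http3` listen parameter and `quic` the older experimental one, as the README hunk in this commit explains, would also spare template readers a trip to the README.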
@@ -185,10 +186,10 @@ server {
 server {
 server_name _; # This is just an invalid value which will never trigger on a real hostname.
 server_tokens off;
- {{ if $enable_http3 }}listen {{ $external_https_port }} quic reuseport;{{ end }}
+ {{ if $enable_http3 }}listen {{ $external_https_port }} {{ $http3 }} reuseport;{{ end }}
 listen {{ $external_https_port }} ssl {{ $http2 }};
 {{ if $enable_ipv6 }}
- {{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic reuseport;{{ end }}
+ {{ if $enable_http3 }}listen [::]:{{ $external_https_port }} {{ $http3 }} reuseport;{{ end }}
 listen [::]:{{ $external_https_port }} ssl {{ $http2 }};
 {{ end }}
 {{ $access_log }}
@@ -196,7 +197,7 @@ server {
 {{ if $enable_http3 }}
 # Add Alt-Svc header to negotiate HTTP/3.
- add_header alt-svc '{{ $alt_svc }}';
+ add_header Alt-Svc '{{ $alt_svc }}';
 {{ end }}
 ssl_session_cache shared:SSL:50m;
@@ -326,17 +327,17 @@ server {
 {{ if $server_tokens }}
 server_tokens {{ $server_tokens }};
 {{ end }}
- {{ if $enable_http3 }}listen {{ $external_https_port }} quic {{ $default_server }};{{ end }}
+ {{ if $enable_http3 }}listen {{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
 listen {{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 {{ if $enable_ipv6 }}
- {{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic {{ $default_server }};{{ end }}
+ {{ if $enable_http3 }}listen [::]:{{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
 listen [::]:{{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 {{ end }}
 {{ $access_log }}
 {{ if $enable_http3 }}
 # Add Alt-Svc header to negotiate HTTP/3.
- add_header alt-svc '{{ $alt_svc }}';
+ add_header Alt-Svc '{{ $alt_svc }}';
 {{ end }}
 {{ if eq $network_tag "internal" }}
@@ -462,10 +463,10 @@ server {
 {{ if $server_tokens }}
 server_tokens {{ $server_tokens }};
 {{ end }}
- {{ if $enable_http3 }}listen {{ $external_https_port }} quic {{ $default_server }};{{ end }}
+ {{ if $enable_http3 }}listen {{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
 listen {{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 {{ if $enable_ipv6 }}
- {{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic {{ $default_server }};{{ end }}
+ {{ if $enable_http3 }}listen [::]:{{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
 listen [::]:{{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 {{ end }}
 {{ $access_log }}
@@ -473,7 +474,7 @@ server {
 {{ if $enable_http3 }}
 # Add Alt-Svc header to negotiate HTTP/3.
- add_header alt-svc '{{ $alt_svc }}';
+ add_header Alt-Svc '{{ $alt_svc }}';
 {{ end }}
 ssl_certificate /etc/nginx/certs/default.crt;
From 11cd02cb546c26257ca8621709a6bff5e69d7f00 Mon Sep 17 00:00:00 2001
From: patrickdk
Date: Wed, 2 Jun 2021 12:05:15 -0400
Subject: [PATCH 6/6] Pulled client certificate veriification.
---
 README.md | 7 -------
 nginx.tmpl | 12 ------------
 2 files changed, 19 deletions(-)
diff --git a/README.md b/README.md
index 9dca7af..249d16a 100644
--- a/README.md
+++ b/README.md
@@ -357,13 +357,6 @@ $ docker run -d -p 80:80 -p 443:443 \
 You'll need apache2-utils on the machine where you plan to create the htpasswd file. Follow these [instructions](http://httpd.apache.org/docs/2.2/programs/htpasswd.html)
-### Client Certificates Support
-
-Client certificates can be supported by defining the following environment variables:
-`CLIENT_CA` to be set to the certificate to validate the clients against
-`VERIFY_CLIENT` can be set to `on` to verify clients, `off` to ignore the client certificates, or `optional` the default to request but not verify
-`VERIFY_DEPTH` to the depth to verify the client certificate
-
 ### Custom Nginx Configuration
 If you need to configure Nginx beyond what is possible using environment variables, you can provide custom configuration files on either a proxy-wide or per-`VIRTUAL_HOST` basis.
diff --git a/nginx.tmpl b/nginx.tmpl
index 95fcf7a..6ff688f 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -288,12 +288,6 @@ upstream {{ $upstream_name }} {
 {{ if $is_https }}
-{{ $clientCA := trim (or (first (groupByKeys $containers "Env.CLIENT_CA")) (printf "%s.client" $vhostCert)) }}
-{{ $verifyClient := trim (or (first (groupByKeys $containers "Env.VERIFY_CLIENT")) "optional") }}
-{{ $verifyDepth := trim (or (first (groupByKeys $containers "Env.VERIFY_DEPTH")) "2") }}
-
-{{ $is_client_verify := (and (ne $clientCA "") (ne $verifyClient "") (ne $verifyDepth "") (exists (printf "/etc/nginx/certs/%s.pem" $clientCA))) }}
-
 {{ if eq $https_method "redirect" }}
 server {
 server_name {{ $host }};
@@ -368,12 +362,6 @@ server {
 add_header Strict-Transport-Security "{{ trim $hsts }}" always;
 {{ end }}
- {{ if $is_client_verify }}
- ssl_client_certificate {{ printf "/etc/nginx/certs/%s.pem" $clientCA }};
- ssl_verify_client {{ (printf "%s" $verifyClient) }};
- ssl_verify_depth {{ (printf "%s" $verifyDepth) }};
- {{ end }}
-
 {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 include {{ printf "/etc/nginx/vhost.d/%s" $host }};
 {{ else if (exists "/etc/nginx/vhost.d/default") }}