CatalogueRevamping
/
docker-ckan
14
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

harden NGINX config

This commit is contained in:
Brett 2023-06-02 10:34:36 +02:00
parent 4b5dbeacdd
commit a702914f20
3 changed files with 94 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
nginx/Dockerfile
View File

@ -2,11 +2,24 @@ FROM nginx:stable-alpine
ENV NGINX_DIR=/etc/nginx
RUN apk update --no-cache && \
apk upgrade --no-cache && \
apk add --no-cache openssl
COPY setup/nginx.conf ${NGINX_DIR}/nginx.conf
COPY setup/index.html /usr/share/nginx/html/index.html
COPY setup/default.conf ${NGINX_DIR}/conf.d/
RUN mkdir -p ${NGINX_DIR}/certs
COPY setup/ckan-local.* ${NGINX_DIR}/certs/
EXPOSE 81
EXPOSE 81
ENTRYPOINT \
openssl req \
-subj '/C=DE/ST=Berlin/L=Berlin/O=None/CN=localhost' \
-x509 -newkey rsa:4096 \
-nodes -keyout /etc/nginx/ssl/default_key.pem \
-keyout ${NGINX_DIR}/certs/ckan-local.key \
-out ${NGINX_DIR}/certs/ckan-local.crt \
-days 365 && \
nginx -g 'daemon off;'

24
nginx/setup/default.conf
View File

@ -6,6 +6,18 @@ server {
server_name localhost;
ssl_certificate /etc/nginx/certs/ckan-local.crt;
ssl_certificate_key /etc/nginx/certs/ckan-local.key;
# TLS 1.2 & 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Disable weak ciphers
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# SSL sessions
ssl_session_timeout 1d;
# ssl_session_cache dfine in stream and http
ssl_session_tickets off;
#access_log /var/log/nginx/host.access.log main;
@ -20,13 +32,15 @@ server {
proxy_cache_key $host$scheme$proxy_host$request_uri;
}
error_page 404 /404.html;
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 /error.html;
# redirect server error pages to the static page /50x.html
# redirect server error pages to the static page /error.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
location = /error.html {
ssi on;
internal;
auth_basic off;
root /usr/share/nginx/html;
}
}

64
nginx/setup/nginx.conf
View File

@ -22,14 +22,70 @@ http {
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
keepalive_timeout 65;
#gzip on;
# Don't expose Nginx version
server_tokens off;
# Prevent clickjacking attacks
add_header X-Frame-Options "SAMEORIGIN";
# Mitigate Cross-Site scripting attack
add_header X-XSS-Protection "1; mode=block";
# Enable gzip encryption
gzip on;
proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;
proxy_temp_path /tmp/nginx_proxy 1 2;
include /etc/nginx/conf.d/*.conf;
}
# Error status text
map $status $status_text {
400 'Bad Request';
401 'Unauthorized';
402 'Payment Required';
403 'Forbidden';
404 'Not Found';
405 'Method Not Allowed';
406 'Not Acceptable';
407 'Proxy Authentication Required';
408 'Request Timeout';
409 'Conflict';
410 'Gone';
411 'Length Required';
412 'Precondition Failed';
413 'Payload Too Large';
414 'URI Too Long';
415 'Unsupported Media Type';
416 'Range Not Satisfiable';
417 'Expectation Failed';
418 'I\'m a teapot';
421 'Misdirected Request';
422 'Unprocessable Entity';
423 'Locked';
424 'Failed Dependency';
425 'Too Early';
426 'Upgrade Required';
428 'Precondition Required';
429 'Too Many Requests';
431 'Request Header Fields Too Large';
451 'Unavailable For Legal Reasons';
500 'Internal Server Error';
501 'Not Implemented';
502 'Bad Gateway';
503 'Service Unavailable';
504 'Gateway Timeout';
505 'HTTP Version Not Supported';
506 'Variant Also Negotiates';
507 'Insufficient Storage';
508 'Loop Detected';
510 'Not Extended';
511 'Network Authentication Required';
default 'Something is wrong';
}
}