diff --git a/nginx/Dockerfile b/nginx/Dockerfile new file mode 100644 index 0000000..fc5ec73 --- /dev/null +++ b/nginx/Dockerfile @@ -0,0 +1,113 @@ +FROM alpine:edge +MAINTAINER Wonderfall + +ENV UID=991 GID=991 + +ARG NGINX_VERSION=1.11.1 +ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8" +ARG BUILD_CORES + +RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \ + && NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \ + && BUILD_DEPS=" \ + build-base \ + linux-headers \ + ca-certificates \ + automake \ + autoconf \ + git \ + tar \ + libtool \ + pcre-dev \ + zlib-dev \ + binutils \ + gnupg" \ + && apk -U add \ + ${BUILD_DEPS} \ + pcre \ + zlib \ + libgcc \ + libstdc++ \ + su-exec \ + openssl \ + bind-tools \ + tini@commuedge \ + && cd /tmp \ + && git clone https://github.com/bagder/libbrotli && cd libbrotli \ + && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \ + && cd /tmp \ + && git clone https://github.com/google/ngx_brotli \ + && git clone https://github.com/openresty/headers-more-nginx-module \ + && git clone https://github.com/openssl/openssl.git && cd openssl && ./config \ + && cd /tmp \ + && NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz" \ + && wget -q http://nginx.org/download/${NGINX_TARBALL} \ + && echo "Verifying ${NGINX_TARBALL} using GPG..." \ + && wget -q http://nginx.org/download/${NGINX_TARBALL}.asc \ + && wget -q http://nginx.org/keys/mdounin.key \ + && gpg --import mdounin.key \ + && FINGERPRINT="$(LANG=C gpg --verify ${NGINX_TARBALL}.asc ${NGINX_TARBALL} 2>&1 \ + | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \ + && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \ + && if [ "${FINGERPRINT}" != "${GPG_NGINX}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \ + && echo "All seems good, now unpacking ${NGINX_TARBALL}..." \ + && tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \ + && wget https://raw.githubusercontent.com/felixbuenemann/sslconfig/b8ebac6a337e8e4e373dfee76e7dfac3cc6c56e6/patches/nginx_1_9_15_http2_spdy.patch -O spdy.patch \ + && patch -p1 < spdy.patch \ + && wget https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/nginx__dynamic_tls_records.patch \ + && patch -p1 < nginx__dynamic_tls_records.patch \ + && ./configure \ + --prefix=/etc/nginx \ + --sbin-path=/usr/sbin/nginx \ + --with-cc-opt='-O3 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' \ + --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' \ + --with-openssl=/tmp/openssl \ + --with-openssl-opt='no-ssl3 no-camellia no-dsa no-rc2 no-rc4 no-rc5 no-md2 no-md4 no-comp no-idea no-shared enable-ec_nistp_64_gcc_128 -DOPENSSL_NO_HEARTBEATS -D_FORTIFY_SOURCE=2 -fstack-protector-strong' \ + --with-http_ssl_module \ + --with-http_v2_module \ + --with-http_spdy_module \ + --with-http_gzip_static_module \ + --with-http_stub_status_module \ + --with-file-aio \ + --with-threads \ + --with-pcre-jit \ + --without-http_ssi_module \ + --without-http_scgi_module \ + --without-http_uwsgi_module \ + --without-http_geo_module \ + --without-http_autoindex_module \ + --without-http_map_module \ + --without-http_split_clients_module \ + --without-http_memcached_module \ + --without-http_empty_gif_module \ + --without-http_browser_module \ + --http-log-path=/var/log/nginx/access.log \ + --error-log-path=/var/log/nginx/error.log \ + --add-module=/tmp/headers-more-nginx-module \ + --add-module=/tmp/ngx_brotli \ + && make -j ${NB_CORES} && make install && make clean \ + && strip -s /usr/sbin/nginx \ + && apk del ${BUILD_DEPS} \ + && rm -rf /tmp/* /var/cache/apk/* /root/.gnupg + +COPY nginx.conf /etc/nginx/conf/nginx.conf +COPY run.sh /usr/local/bin/run.sh +COPY ngxpasswd /usr/local/bin/ngxpasswd +COPY ngxproxy /usr/local/bin/ngxproxy +COPY vhost_http.conf /etc/nginx/conf/vhost_http.conf +COPY vhost_https.conf /etc/nginx/conf/vhost_https.conf +COPY ssl_params /etc/nginx/conf/ssl_params +COPY headers_params /etc/nginx/conf/headers_params +COPY proxy_params /etc/nginx/conf/proxy_params + +RUN chmod +x /usr/local/bin/* + +EXPOSE 8000 4430 + +VOLUME /sites-enabled /www /conf.d /passwds /certs /var/log/nginx + +LABEL description="Secure nginx built from source." \ + openssl="BoringSSL (date of the container)." \ + nginx="nginx ${NGINX_VERSION}." + +CMD ["/sbin/tini","--","run.sh"] diff --git a/nginx/README.md b/nginx/README.md new file mode 100644 index 0000000..a3f7af2 --- /dev/null +++ b/nginx/README.md @@ -0,0 +1,51 @@ +## wonderfall/boring-nginx + +![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png) + +#### What is this? +It is nginx statically linked against BoringSSL, with embedded Brotli support. Secured by default (no root processes, even the master one), it should be safe to use... + +#### Features +- Based on Alpine Linux. +- nginx built against **BoringSSL**. +- nginx : securely built using hardening gcc flags. +- nginx : HTTP/2 (+NPN) support. +- nginx : Brotli compression support (and configured). +- nginx : no root master process. +- nginx : AIO Threads support. +- nginx : no unnessary modules (except fastcgi). +- nginx : pcre jit enabled. +- nginx : optimized configuration. +- ngxpasswd : generates a htpasswd file easily. +- ngxproxy : generates a *proxy vhost* after asking you a few questions. + +#### Notes +It is required to chown your certs files with the right uid/pid and change the `listen` directive to 8000/4430 instead of 80/443. Linux 3.17+, and the latest Docker stable are recommended. + +#### Volumes +- **/sites-enabled** : vhosts files (*.conf) +- **/conf.d** : additional configuration files +- **/certs** : SSL/TLS certificates +- **/var/log/nginx** : nginx logs +- **/passwds** : authentication files +- **/www** : put your websites there + +#### Build-time variables +- **NGINX_VERSION** : version of nginx +- **GPG_NGINX** : fingerprint of signing key package +- **SIGNATURE** : HTTP signature of nginx, default is *secret* + +#### Environment variables +- **GID** : nginx group id *(default : 991)* +- **UID** : nginx user id *(default : 991)* + +#### How to use it? +https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration + +You can use `ngxproxy` to generate a *vhost* through an easy process : `docker exec -ti nginx ngxproxy`. `ngxpasswd` can generate htpasswd files : `docker exec -ti nginx ngxpasswd`. Both utilites are interactive so you won't feel lost. + +Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive. + +- `ssl_params` : Provides a nice balance between compatibility and security. +- `headers_params` : HSTS (+ preload), XSS protection, etc. +- `proxy_params` : use with `proxy_pass`. diff --git a/nginx/headers_params b/nginx/headers_params new file mode 100644 index 0000000..30e1890 --- /dev/null +++ b/nginx/headers_params @@ -0,0 +1,3 @@ +add_header X-Frame-Options SAMEORIGIN; +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; diff --git a/nginx/nginx.conf b/nginx/nginx.conf new file mode 100644 index 0000000..9ef2078 --- /dev/null +++ b/nginx/nginx.conf @@ -0,0 +1,85 @@ +worker_processes auto; +pid /var/run/nginx.pid; +daemon off; +pcre_jit on; + +events { + worker_connections 2048; + use epoll; +} + +http { + limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m; + limit_conn limit_per_ip 128; + limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s; + limit_req zone=allips burst=150 nodelay; + + include /etc/nginx/conf/mime.types; + default_type application/octet-stream; + + access_log /var/log/nginx/access.log combined; + error_log /var/log/nginx/error.log crit; + + fastcgi_temp_path /tmp/fastcgi 1 2; + proxy_temp_path /tmp/proxy 1 2; + client_body_temp_path /tmp/client_body 1 2; + + client_body_buffer_size 10K; + client_header_buffer_size 1k; + client_max_body_size 8m; + large_client_header_buffers 2 1k; + + aio threads; + sendfile on; + keepalive_timeout 15; + keepalive_disable msie6; + keepalive_requests 100; + tcp_nopush on; + tcp_nodelay on; + server_tokens off; + + gzip on; + gzip_comp_level 5; + gzip_min_length 512; + gzip_buffers 4 8k; + gzip_proxied any; + gzip_vary on; + gzip_disable "msie6"; + gzip_types + text/css + text/javascript + text/xml + text/plain + text/x-component + application/javascript + application/x-javascript + application/json + application/xml + application/rss+xml + application/vnd.ms-fontobject + font/truetype + font/opentype + image/svg+xml; + + brotli on; + brotli_static on; + brotli_buffers 16 8k; + brotli_comp_level 6; + brotli_types + text/css + text/javascript + text/xml + text/plain + text/x-component + application/javascript + application/x-javascript + application/json + application/xml + application/rss+xml + application/vnd.ms-fontobject + font/truetype + font/opentype + image/svg+xml; + + include /sites-enabled/*.conf; +} diff --git a/nginx/ngxpasswd b/nginx/ngxpasswd new file mode 100644 index 0000000..70e5bf6 --- /dev/null +++ b/nginx/ngxpasswd @@ -0,0 +1,76 @@ +#!/bin/sh + +echo +echo "Welcome to ngxpasswd utility." +echo "We're about to create a password file." +echo + +cd /passwds || exit 1 + +while [ "$NAME" == "" ]; do + read -p "Name: " NAME +done + +if [ -f "/passwds/$NAME.htpasswd" ]; then + echo "ERROR: /passwds/$NAME.htpasswd already exists." + exit 1 +fi + +while [ "$USER" == "" ]; do + read -p "User: " USER +done + +read -p "Password (leave blank to generate one): " PASSWORD + +if [ "$PASSWORD" == "" ]; then + echo "Password was not defined, generating a random one..." + PASSWORD=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) +elif [ ${#PASSWORD} -le 6 ]; then + echo "WARNING: Non-secure password." +fi + +echo -n $USER:$(openssl passwd -apr1 $PASSWORD) >> $NAME.htpasswd +chown $UID:$GID $NAME.htpasswd +chmod 640 $NAME.htpasswd + +echo +echo "A new password file has been saved to /passwds/$NAME.htpasswd :" +echo "- Service : $NAME" +echo "- User : $USER" +echo "- Password : $PASSWORD" +echo + +if [ -f "/sites-enabled/$NAME.conf" ] && grep -q '#auth' /sites-enabled/$NAME.conf; then + echo "vhost at /sites-enabled/$NAME.conf detected." + + while [[ "$ADD" != "y" && "$ADD" != "n" ]]; do + read -p "Add authentication to $NAME.conf? [y/n]: " ADD + done + + if [ "$ADD" == "y" ]; then + cd /etc/nginx/conf + sed -i -e 's/#auth/auth/g' -e "s//$NAME/g" /sites-enabled/$NAME.conf + echo "Automatically added, please verify. Otherwise follow these instructions." + echo + fi +fi + +echo "Paste this to your vhost in order to enable auth :" +echo " auth_basic \"Who's this?\";" +echo " auth_basic_user_file /passwds/$NAME.htpasswd;" +echo + +if [ "$ADD" == "y" ]; then + while [[ "$RELOAD" != "y" && "$RELOAD" != "n" ]]; do + read -p "Reload nginx now? [y/n]: " RELOAD + done + + if [ "$RELOAD" == "y" ]; then + su-exec $UID:$GID nginx -s reload + echo "nginx successfully reloaded." + else + echo "Restart manually nginx to enable authentication." + fi +fi + +exit 0 diff --git a/nginx/ngxproxy b/nginx/ngxproxy new file mode 100644 index 0000000..11e106a --- /dev/null +++ b/nginx/ngxproxy @@ -0,0 +1,139 @@ +#!/bin/sh + +echo +echo "Welcome to ngxproxy utility." +echo "We're about to create a new virtual host (AKA server block)." +echo + +while [ "$NAME" == "" ]; do + read -p "Name: " NAME +done + +if [ -f "/sites-enabled/$NAME.conf" ]; then + echo "ERROR: /sites-enabled/$NAME.conf already exists." + exit 1 +fi + +while [ "$DOMAIN" == "" ]; do + read -p "Domain: " DOMAIN +done + +if [ "$(dig +short $DOMAIN)" == "" ]; then + echo "WARNING: $DOMAIN couldn't be resolved: it may not work!" + echo "HINT: Is this domain correct? Did you update your DNS zone?" +fi + +read -p "Webroot (default is /): " WEBROOT + +if [ "$WEBROOT" == "" ]; then + WEBROOT="/" +elif [ "$WEBROOT" != "/" ]; then + echo "WARNING: You might have to add a proxy header to get your custom webroot working." + + while [[ "$CONFIGURE_WEBROOT" != "y" && "$CONFIGURE_WEBROOT" != "n" ]]; do + read -p "Is it required (by the app) to configure it? [y/n]: " CONFIGURE_WEBROOT + done + + if [ "$CONFIGURE_WEBROOT" == "y" ]; then + while [ "$WEBROOT_HEADER" == "" ]; do + read -p "Type the required proxy_set_header (like X-Script-Name): " WEBROOT_HEADER + done + fi +fi + +while [ "$CONTAINER" == "" ]; do + read -p "Container: " CONTAINER +done + +ping -c 1 $CONTAINER >/dev/null 2>&1 + +if [ "$?" != "0" ]; then + echo "WARNING: $CONTAINER seems to be unavailable. It may not work!" + echo "HINT: Did you correctly link the container?" +fi + +read -p "Port (default is 80): " PORT + +if [ "$PORT" == "" ]; then + PORT="80" +elif ! [ "$PORT" -eq "$PORT" ] 2>/dev/null; then + echo "ERROR: an integer value was expected." + exit 1 +elif [ "$PORT" -gt "65535" ]; then + echo "ERROR: $PORT exceeds the maximum TCP port which is 65535" + exit 1 +fi + +while [[ "$HTTPS" != "y" && "$HTTPS" != "n" ]]; do + read -p "HTTPS [y/n]: " HTTPS +done + +if [ "$HTTPS" == "y" ]; then + while [ ! -f "$CERTIFICATE_PATH" ]; do + read -p "Certificate path: " CERTIFICATE_PATH + done + + while [ ! -f "$KEY_PATH" ]; do + read -p "Certificate key path: " KEY_PATH + done + + cp -f /etc/nginx/conf/vhost_https.conf /tmp/${NAME}.conf + + sed -i \ + -e "s||$CERTIFICATE_PATH|g" \ + -e "s||$KEY_PATH|g" \ + /tmp/$NAME.conf + + while [[ "$HEADERS" != "y" && "$HEADERS" != "n" ]]; do + read -p "Secure headers [y/n]: " HEADERS + done + + if [ "$HEADERS" == "y" ]; then + sed -i 's|#include /etc/nginx/conf/headers_params|include /etc/nginx/conf/headers_params|g' /tmp/$NAME.conf + fi +else + cp -f /etc/nginx/conf/vhost_http.conf /tmp/${NAME}.conf +fi + +while [ "$MAX_BODY_SIZE" == "" ]; do + read -p "Max body size in MB (integer/n): " MAX_BODY_SIZE +done + +if ! [ "$MAX_BODY_SIZE" -eq "$MAX_BODY_SIZE" ] 2>/dev/null && [ "$MAX_BODY_SIZE" != "n" ]; then + echo "ERROR: Incorrect value." + exit 1 +fi + +if [ "$MAX_BODY_SIZE" != "n" ]; then + sed -i "s|#client_max_body_size |client_max_body_size $MAX_BODY_SIZE|g" /tmp/$NAME.conf +fi + +if [ "$CONFIGURE_WEBROOT" == "y" ]; then + sed -i "/proxy_pass/a \ \ \ \ proxy_set_header $WEBROOT_HEADER $WEBROOT;" /tmp/$NAME.conf +fi + +sed -i \ + -e "s||$DOMAIN|g" \ + -e "s||$CONTAINER|g" \ + -e "s||$PORT|g" \ + -e "s||$WEBROOT|g" \ + /tmp/$NAME.conf + +mv /tmp/$NAME.conf /sites-enabled/ + +echo +echo "Done! $NAME.conf has been generated." + +while [[ "$RELOAD" != "y" && "$RELOAD" != "n" ]]; do + read -p "Reload nginx now? [y/n]: " RELOAD +done + +if [ "$RELOAD" == "y" ]; then + su-exec $UID:$GID nginx -s reload + echo "nginx successfully reloaded." +else + echo "Restart manually nginx to enable this new vhost." +fi + +echo +exit 0 diff --git a/nginx/proxy_params b/nginx/proxy_params new file mode 100644 index 0000000..6f9827e --- /dev/null +++ b/nginx/proxy_params @@ -0,0 +1,6 @@ +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Remote-Port $remote_port; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_redirect off; diff --git a/nginx/run.sh b/nginx/run.sh new file mode 100644 index 0000000..0606f33 --- /dev/null +++ b/nginx/run.sh @@ -0,0 +1,5 @@ +#!/bin/sh +touch /var/run/nginx.pid +chown -R $UID:$GID /etc/nginx /var/log/nginx /var/run/nginx.pid /sites-enabled /conf.d /certs /www /tmp +chmod -R 700 /certs +su-exec $UID:$GID nginx diff --git a/nginx/ssl_params b/nginx/ssl_params new file mode 100644 index 0000000..65f9fb2 --- /dev/null +++ b/nginx/ssl_params @@ -0,0 +1,10 @@ +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1; +ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA; +ssl_prefer_server_ciphers on; + +ssl_session_cache shared:SSL:20m; +ssl_session_timeout 15m; +ssl_session_tickets off; + +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; diff --git a/nginx/vhost_http.conf b/nginx/vhost_http.conf new file mode 100644 index 0000000..7e3a99b --- /dev/null +++ b/nginx/vhost_http.conf @@ -0,0 +1,14 @@ +server { + listen 8000; + server_name ; + + #client_max_body_size M; + + #auth_basic "Who's this?"; + #auth_basic_user_file /passwds/.htpasswd; + + location { + proxy_pass http://:; + include /etc/nginx/conf/proxy_params; + } +} diff --git a/nginx/vhost_https.conf b/nginx/vhost_https.conf new file mode 100644 index 0000000..947c106 --- /dev/null +++ b/nginx/vhost_https.conf @@ -0,0 +1,26 @@ +server { + listen 8000; + server_name ; + return 301 https://$host$request_uri; +} + +server { + listen 4430 ssl http2; + server_name ; + + ssl_certificate ; + ssl_certificate_key ; + + include /conf.d/ssl_params.conf; + include /etc/nginx/conf/headers_params; + + #client_max_body_size M; + + #auth_basic "Who's this?"; + #auth_basic_user_file /passwds/.htpasswd; + + location { + proxy_pass http://:; + include /etc/nginx/conf/proxy_params; + } +}