add boring-nginx, based on reverse

2025-04-20 04:19:18 +00:00 · 2016-05-29 02:09:20 +02:00 · 2016-05-29 02:09:20 +02:00 · dcc4266fcc
commit dcc4266fcc
parent b3eb048d54
9 changed files with 351 additions and 0 deletions
--- a/boring-nginx/Dockerfile
+++ b/boring-nginx/Dockerfile
@ -0,0 +1,118 @@
+FROM alpine:3.3
+MAINTAINER Wonderfall <wonderfall@schrodinger.io>
+
+ENV UID=991 GID=991
+
+ARG NGINX_VERSION=1.11.0
+ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4  2178 520A 9993 A1C0 52F8"
+ARG SIGNATURE=secret
+ARG BUILD_CORES
+
+COPY boring.patch /tmp/boring.patch
+
+RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
+ && NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
+ && BUILD_DEPS=" \
+    build-base \
+    linux-headers \
+    ca-certificates \
+    automake \
+    autoconf \
+    git \
+    tar \
+    libtool \
+    pcre-dev \
+    zlib-dev \
+    binutils \
+    gnupg \
+    cmake \
+    go" \
+ && apk -U add \
+    ${BUILD_DEPS} \
+    pcre \
+    zlib \
+    libgcc \
+    libstdc++ \
+    su-exec \
+    openssl \
+    tini@commuedge \
+ && cd /tmp && git clone https://github.com/bagder/libbrotli && cd libbrotli \
+ && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \
+ && mkdir /tmp/ngx_brotli && cd /tmp/ngx_brotli \
+ && wget -qO- https://github.com/google/ngx_brotli/archive/master.tar.gz | tar xz --strip 1 \
+ && cd /tmp && git clone https://boringssl.googlesource.com/boringssl \
+ && cd boringssl \
+ && mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Release .. && make -j ${NB_CORES} && cd .. \
+ && mkdir -p .openssl/lib/ && cd .openssl && ln -s ../include && cd .. \
+ && cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib && cd /tmp \
+ && NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz" \
+ && wget -q http://nginx.org/download/${NGINX_TARBALL} \
+ && echo "Verifying ${NGINX_TARBALL} using GPG..." \
+ && wget -q http://nginx.org/download/${NGINX_TARBALL}.asc \
+ && wget -q http://nginx.org/keys/mdounin.key \
+ && gpg --import mdounin.key \
+ && FINGERPRINT="$(LANG=C gpg --verify ${NGINX_TARBALL}.asc ${NGINX_TARBALL} 2>&1 \
+  | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
+ && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
+ && if [ "${FINGERPRINT}" != "${GPG_NGINX}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
+ && echo "All seems good, now unpacking ${NGINX_TARBALL}..." \
+ && tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \
+ && sed -i -e "s/\"Server: nginx\" CRLF/\"Server: ${SIGNATURE}\" CRLF/g" \
+    -e "s/\"Server: \" NGINX_VER CRLF/\"Server: ${SIGNATURE}\" NGINX_VER CRLF/g" \
+    src/http/ngx_http_header_filter_module.c \
+ && patch -p1 < /tmp/boring.patch \
+ && sed -i \
+    -e '/SSL_R_BLOCK_CIPHER_PAD_IS_WRONG/d' \
+    -e '/SSL_R_NO_CIPHERS_SPECIFIED/d' \
+    src/event/ngx_event_openssl.c \
+ && ./configure \
+    --prefix=/etc/nginx \
+    --sbin-path=/usr/local/sbin/nginx \
+    --with-cc-opt='-g -O2 -fstack-protector-strong -fPIE -Wformat -Werror=format-security -I ../boringssl/.openssl/include/' \
+    --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib' \
+    --with-http_ssl_module \
+    --with-http_v2_module \
+    --with-http_gzip_static_module \
+    --with-http_stub_status_module \
+    --with-file-aio \
+    --with-threads \
+    --with-pcre-jit \
+    --without-http_ssi_module \
+    --without-http_scgi_module \
+    --without-http_uwsgi_module \
+    --without-http_geo_module \
+    --without-http_autoindex_module \
+    --without-http_map_module \
+    --without-http_split_clients_module \
+    --without-http_memcached_module \
+    --without-http_empty_gif_module \
+    --without-http_browser_module \
+    --http-proxy-temp-path=/tmp/proxy_temp \
+    --http-client-body-temp-path=/tmp/client_body_temp \
+    --http-fastcgi-temp-path=/tmp/fastcgi_temp \
+    --http-log-path=/var/log/nginx/access.log \
+    --error-log-path=/var/log/nginx/error.log \
+    --add-module=/tmp/ngx_brotli \
+ && make -j ${NB_CORES} && make install && make clean \
+ && strip -s /usr/local/sbin/nginx \
+ && apk del ${BUILD_DEPS} \
+ && rm -rf /tmp/* /var/cache/apk/*
+
+COPY nginx.conf /etc/nginx/conf/nginx.conf
+COPY run.sh /usr/local/bin/run.sh
+COPY ngxpasswd /usr/local/bin/ngxpasswd
+COPY ssl_params /etc/nginx/conf/ssl_params
+COPY headers_params /etc/nginx/conf/headers_params
+COPY proxy_params /etc/nginx/conf/proxy_params
+
+RUN chmod +x /usr/local/bin/*
+
+EXPOSE 8000 4430
+
+VOLUME /sites-enabled /conf.d /passwds /certs /var/log/nginx
+
+LABEL description="Secure nginx built from source." \
+      openssl="BoringSSL (date of the container)." \
+      nginx="nginx ${NGINX_VERSION}."
+
+CMD ["/sbin/tini","--","run.sh"]
--- a/boring-nginx/README.md
+++ b/boring-nginx/README.md
@ -0,0 +1,47 @@
+## wonderfall/reverse
+
+![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png)
+
+![](https://upload.wikimedia.org/wikipedia/commons/thumb/a/a1/OpenSSL_logo.png/220px-OpenSSL_logo.png)
+
+#### What is this?
+It is nginx statically linked against a custom OpenSSL build, with embedded Brotli support. Secured by default (no root processes, even the master one), it should be safe to use...
+
+#### Features
+- Based on Alpine Linux.
+- nginx built against OpenSSL.
+- OpenSSL : no weak algorithms.
+- OpenSSL : ChaCha20 ciphers support.
+- nginx : HTTP/2 (+NPN) support.
+- nginx : Brotli compression support (and configured).
+- nginx : no root master process.
+- nginx : AIO Threads support.
+- nginx : no unnessary modules.
+- nginx : optimized configuration.
+
+#### Notes
+It is required to chown your certs files with the right uid/pid and change the `listen` directive to 8000/4430 instead of 80/443. Linux 3.17+, and the latest Docker stable are recommended.
+
+#### Volumes
+- **/sites-enabled** : vhosts files (*.conf)
+- **/conf.d** : additional configuration files
+- **/certs** : SSL/TLS certificates
+- **/var/log/nginx** : nginx logs
+- **/passwds** : authentication files
+
+#### Build-time variables
+- **NGINX_VERSION** : version of nginx
+- **OPENSSL_VERSION** : version of LibreSSL
+
+#### Environment variables
+- **GID** : nginx group id *(default : 991)*
+- **UID** : nginx user id *(default : 991)*
+
+#### How to use it?
+https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration
+
+Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive.
+
+- `ssl_params` : TLS (1.0, 1.1, 1.2), CHACHA20, AES 256/128. Nice balance between compatibility and security.
+- `headers_params` : HSTS (+ preload), XSS protection...
+- `proxy_params` : useful with `proxy_pass`.
--- a/boring-nginx/boring.patch
+++ b/boring-nginx/boring.patch
@ -0,0 +1,40 @@
+# HG changeset patch
+# User Piotr Sikora <piotrsikora at google.com>
+# Date 1446864006 28800
+#      Fri Nov 06 18:40:06 2015 -0800
+# Node ID 9716b76675442d78d750ee542e4c80fa86d9b355
+# Parent  8aef9afa46e31a112fa1ceaffaefbc5990dbde22
+SSL: cast hostname in SSL_set_tlsext_host_name().
+
+BoringSSL promoted this macro to a proper function,
+so it requires parameters with correct types now.
+
+Signed-off-by: Piotr Sikora <piotrsikora at google.com>
+
+diff -r 8aef9afa46e3 -r 9716b7667544 src/http/ngx_http_upstream.c
+--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
+@@ -1660,7 +1660,9 @@ ngx_http_upstream_ssl_name(ngx_http_requ
+     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                    "upstream SSL server name: \"%s\"", name.data);
+ 
+-    if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) {
+    if (SSL_set_tlsext_host_name(c->ssl->connection, (const char *) name.data)
+        == 0)
+    {
+         ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0,
+                       "SSL_set_tlsext_host_name(\"%s\") failed", name.data);
+         return NGX_ERROR;
+diff -r 8aef9afa46e3 -r 9716b7667544 src/stream/ngx_stream_proxy_module.c
+--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
+@@ -851,7 +851,8 @@ ngx_stream_proxy_ssl_name(ngx_stream_ses
+     ngx_log_debug1(NGX_LOG_DEBUG_STREAM, s->connection->log, 0,
+                    "upstream SSL server name: \"%s\"", name.data);
+ 
+-    if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection, name.data)
+    if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection,
+                                 (const char *) name.data)
+         == 0)
+     {
+         ngx_ssl_error(NGX_LOG_ERR, s->connection->log, 0,
--- a/boring-nginx/headers_params
+++ b/boring-nginx/headers_params
@ -0,0 +1,4 @@
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
--- a/boring-nginx/nginx.conf
+++ b/boring-nginx/nginx.conf
@ -0,0 +1,81 @@
+worker_processes auto;
+pid /var/run/nginx.pid;
+daemon off;
+pcre_jit on;
+
+events {
+    worker_connections 2048; 
+    use epoll;
+}
+
+http {
+    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
+    limit_conn limit_per_ip 64;
+    limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
+    limit_req zone=allips burst=150 nodelay;
+
+    include /etc/nginx/conf/mime.types;
+    default_type application/octet-stream;
+
+    access_log /var/log/nginx/access.log combined;
+    error_log /var/log/nginx/error.log crit;
+
+    client_body_buffer_size 10K;
+    client_header_buffer_size 1k;
+    client_max_body_size 8m;
+    large_client_header_buffers 2 1k;
+    
+    aio threads;
+    sendfile on;
+    keepalive_timeout 15;
+    keepalive_disable msie6;
+    keepalive_requests 100;
+    tcp_nopush on;
+    tcp_nodelay on;
+    server_tokens off;
+    
+    gzip on;
+    gzip_comp_level 5;
+    gzip_min_length 512;
+    gzip_buffers 4 8k;
+    gzip_proxied any;
+    gzip_vary on;
+    gzip_disable "msie6";
+    gzip_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        image/svg+xml;
+  
+    brotli on;
+    brotli_static on;
+    brotli_buffers 16 8k;
+    brotli_comp_level 6;
+    brotli_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        image/svg+xml;
+
+    include /sites-enabled/*.conf;
+}
--- a/boring-nginx/ngxpasswd
+++ b/boring-nginx/ngxpasswd
@ -0,0 +1,42 @@
+#!/bin/sh
+NAME="$1"
+USER="$2"
+PASSWORD="$3"
+
+cd /passwds || exit 1
+
+if [ -z "$NAME" ]; then
+    echo "Service name must be defined" 1>&2
+    exit 1
+elif [ -f $NAME.htpasswd ]; then
+    echo "$NAME.htpasswd exists, aborting" 1>&2
+    exit 1
+fi
+
+if [ -z "$USER" ]; then
+    echo "User must be defined" 1>&2
+    exit 1
+fi
+
+if [ -z "$PASSWORD" ]; then
+    PASSWORD=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1`
+    echo "Password was not defined, generating a random one..."
+fi
+
+echo -n $USER:`openssl passwd -apr1 $PASSWORD` >> $NAME.htpasswd
+chown $UID:$GID $NAME.htpasswd
+chmod 640 $NAME.htpasswd
+
+echo
+echo  "A new password file has been saved to /passwds/$NAME.htpasswd :"
+echo  "- Service  :  $NAME"
+echo  "- User     :  $USER"
+echo  "- Password :  $PASSWORD"
+echo
+echo  "Paste this to your vhost in order to enable auth :"
+echo  "        auth_basic \"Who's this?\";"
+echo  "        auth_basic_user_file /passwds/$NAME.htpasswd;"
+echo
+echo "Done."
+
+exit 0
--- a/boring-nginx/proxy_params
+++ b/boring-nginx/proxy_params
@ -0,0 +1,6 @@
+proxy_set_header        Host                 $host;
+proxy_set_header        X-Real-IP            $remote_addr;
+proxy_set_header        X-Forwarded-For      $proxy_add_x_forwarded_for;
+proxy_set_header        X-Remote-Port        $remote_port;
+proxy_set_header        X-Forwarded-Proto    $scheme;
+proxy_redirect          off;
--- a/boring-nginx/run.sh
+++ b/boring-nginx/run.sh
@ -0,0 +1,5 @@
+#!/bin/sh
+touch /var/run/nginx.pid
+chown -R $UID:$GID /etc/nginx /var/log/nginx /var/run/nginx.pid /sites-enabled /conf.d /certs
+chmod -R 700 /certs
+su-exec $UID:$GID nginx
--- a/boring-nginx/ssl_params
+++ b/boring-nginx/ssl_params
@ -0,0 +1,8 @@
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ecdh_curve secp384r1;
+ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-CHACHA20-POLY1305-D|ECDHE-RSA-CHACHA20-POLY1305-D|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256]:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA;
+ssl_prefer_server_ciphers on;
+
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 15m;
+ssl_session_tickets off;