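├── Dockerfile
├── LICENSE
├── README.md
├── basic.conf
├── entrypoint.sh
└── ssl.conf

/Dockerfile:
--------------------------------------------------------------------------------
# Base image for an nginx server with a hardened TLS configuration
# (ssl.conf / basic.conf). entrypoint.sh creates missing DH parameters and a
# fallback self-signed certificate on first start, then execs CMD.
#
# NOTE(review): the base image is unpinned, so every build pulls whatever
# `nginx:latest` currently is. For reproducible, auditable builds pin a tag
# or, better, a digest (`FROM nginx:<version>@sha256:<digest>`).
FROM nginx

# MAINTAINER is deprecated; LABEL is the supported replacement.
LABEL maintainer="MarvAmBass"

ENV LANG C.UTF-8

# openssl is required by entrypoint.sh (dhparam / self-signed cert).
# `&&` instead of `;` so a failed `apt-get update` aborts the layer rather
# than installing from a stale index; --no-install-recommends and the
# list cleanup keep the image (and its attack surface) small.
RUN apt-get update \
    && apt-get install -y --no-install-recommends openssl \
    && rm -rf /var/lib/apt/lists/*

# Drop the upstream default vhost. /etc/nginx/external is the directory
# users bind-mount with their *.conf files, cert.pem, key.pem and dh.pem.
RUN rm -rf /etc/nginx/conf.d/* \
    && mkdir -p /etc/nginx/external

# Log to the container's stdout and run in the foreground: CMD below is a
# bare `nginx`, so `daemon off;` has to come from nginx.conf itself.
RUN sed -i 's/access_log.*/access_log \/dev\/stdout;/g' /etc/nginx/nginx.conf \
    && sed -i 's/error_log.*/error_log \/dev\/stdout info;/g' /etc/nginx/nginx.conf \
    && sed -i 's/^pid/daemon off;\npid/g' /etc/nginx/nginx.conf

# COPY rather than ADD: ADD's remote-URL fetch and auto-extraction are not
# wanted for plain local files.
COPY basic.conf /etc/nginx/conf.d/basic.conf
COPY ssl.conf /etc/nginx/conf.d/ssl.conf

COPY entrypoint.sh /opt/entrypoint.sh
RUN chmod a+x /opt/entrypoint.sh

ENTRYPOINT ["/opt/entrypoint.sh"]
CMD ["nginx"]
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2014 Marvin

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.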
IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Docker very secured Nginx with secure SSL
_maintained by MarvAmBass_

[FAQ - All you need to know about the marvambass Containers](https://marvin.im/docker-faq-all-you-need-to-know-about-the-marvambass-containers/)

## What is it

This Dockerfile (available as ___marvambass/nginx-ssl-secure___) gives you a ready-to-use, hardened production nginx server with a strict TLS configuration (TLS 1.2/1.3 only, forward-secret AEAD cipher suites, HSTS, OCSP stapling). With a valid certificate chain you should get an A+ rating at the Qualys SSL Test; the rating also depends on your certificate and on the `server` blocks you add, not only on this image.

View in Docker Registry [marvambass/nginx-ssl-secure](https://registry.hub.docker.com/u/marvambass/nginx-ssl-secure/)

View in GitHub [MarvAmBass/docker-nginx-ssl-secure](https://github.com/MarvAmBass/docker-nginx-ssl-secure)

## Environment variables and defaults

* __DH\_SIZE__
  * default: 2048 (generating it takes a long time). Smaller values such as 512 only make sense for a throw-away demo: 512-bit (and 1024-bit) Diffie-Hellman groups are breakable (Logjam) and modern TLS clients reject them, so never use them for anything real clients connect to. The value is only used when `dh.pem` is missing and has to be generated.

## Running marvambass/nginx-ssl-secure Container

This Dockerfile is not really made for direct usage. It should be used as the base image for your nginx project. But you can run it anyway.

You should bind-mount a directory over _/etc/nginx/external/_ containing your nginx __\*.conf__ files, your certificate (__cert.pem__), private key (__key.pem__) and a __dh.pem__. If cert.pem/key.pem are missing, a self-signed placeholder for `localhost` is generated on first start; replace it before exposing the server.
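_If you forget the dh.pem file, it will be created at the first start - but this can/will take a long time!_

    docker run -d \
      -p 80:80 -p 443:443 \
      -e 'DH_SIZE=2048' \
      -v $EXT_DIR:/etc/nginx/external/ \
      marvambass/nginx-ssl-secure

(`DH_SIZE=512` makes the first start fast, but a 512-bit DH group is broken and must not be used for anything reachable by real clients.)

## Based on

This Dockerfile is based on the [/\_/nginx/](https://registry.hub.docker.com/_/nginx/) Official Image.

## Cheat Sheet

### Creating the dh4096.pem with openssl

To create a Diffie-Hellman parameter file (this is not a certificate), you can use the following command; the container expects it as `dh.pem` inside the external directory:

    openssl dhparam -out dh4096.pem 4096

### Creating a high secure SSL CSR with openssl

This cert might be incompatible with Windows 2000, XP and older IE Versions. `-keyout` names the private key explicitly (without it openssl writes `privkey.pem`); `-nodes` leaves it unencrypted, so protect the file.

    openssl req -nodes -new -newkey rsa:4096 -keyout key.pem -out csr.pem -sha256

### Creating a self-signed ssl cert

Please note that the Common Name (CN) should be the FQDN of the secured server. Current browsers ignore the CN and require a subjectAltName, so for a real hostname also pass `-addext "subjectAltName=DNS:<fqdn>"` (OpenSSL 1.1.1+):

    openssl req -x509 -newkey rsa:4096 \
      -keyout key.pem -out cert.pem \
      -days 3650 -nodes -sha256
--------------------------------------------------------------------------------
/basic.conf:
--------------------------------------------------------------------------------
# Baseline hardening included at http scope (conf.d) for every server block.

# hide nginx version
server_tokens off;

# add nosniff header (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)
# NOTE: nginx does not merge add_header across levels. A server/location block
# that defines its own add_header drops this one; repeat it there.
add_header X-Content-Type-Options nosniff;
--------------------------------------------------------------------------------
/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Container entrypoint. On first start it prepares /etc/nginx/external
# (DH parameters, fallback self-signed certificate), then copies the user's
# *.conf files into conf.d and execs the container CMD (nginx by default).
#
# Environment:
#   DH_SIZE  bit length of the generated dh.pem (default 2048). Only used when
#            dh.pem does not exist yet. Values below 2048 are insecure and are
#            accepted with a warning for demo use only.

# NOTE(review): the original script printed a multi-line banner here via
# `cat <<EOF ... EOF`; that text (and the head of the DH_SIZE default check)
# was lost in this copy. The check below is reconstructed from its surviving
# tail; the banner is not.

if [ -z "$DH_SIZE" ]
then
  >&2 echo ">> no \$DH_SIZE specified using default"
  DH_SIZE="2048"
fi

# DH_SIZE ends up on an openssl command line: accept digits only, and warn
# loudly about weak sizes instead of silently generating a breakable group.
case "$DH_SIZE" in
  ''|*[!0-9]*)
    >&2 echo ">> DH_SIZE must be a positive integer, got: '$DH_SIZE'"
    exit 1
    ;;
esac
if [ "$DH_SIZE" -lt 2048 ]
then
  >&2 echo ">> WARNING: DH_SIZE=$DH_SIZE is below 2048 bits; this is insecure and only acceptable for demos"
fi

EXTERNAL="/etc/nginx/external"
DH="$EXTERNAL/dh.pem"
CERT="$EXTERNAL/cert.pem"
KEY="$EXTERNAL/key.pem"

if [ ! -e "$DH" ]
then
  echo ">> seems like the first start of nginx"
  echo ">> doing some preparations..."
  echo ""

  echo ">> generating $DH with size: $DH_SIZE"
  # ssl.conf references dh.pem unconditionally, so nginx cannot start
  # without it; fail here with a clear message instead of later.
  openssl dhparam -out "$DH" "$DH_SIZE" \
    || { >&2 echo ">> generating $DH failed"; exit 1; }
fi

if [ ! -e "$CERT" ] || [ ! -e "$KEY" ]
then
  echo ">> generating self signed cert"
  # Placeholder so the server comes up at all; it is for localhost and must
  # be replaced by a real certificate before exposing the server.
  # Key size was 4086 (typo); 4096 matches the README.
  # NOTE(review): browsers require a subjectAltName; for a real host add
  # `-addext "subjectAltName=DNS:<fqdn>"` (OpenSSL >= 1.1.1).
  openssl req -x509 -newkey rsa:4096 \
    -subj "/C=XX/ST=XXXX/L=XXXX/O=XXXX/CN=localhost" \
    -keyout "$KEY" \
    -out "$CERT" \
    -days 3650 -nodes -sha256 \
    || { >&2 echo ">> generating self signed cert failed"; exit 1; }
  # -nodes writes the key unencrypted; keep it readable by root only
  # (nginx's master process runs as root in this image).
  chmod 600 "$KEY"
fi

echo ">> copy $EXTERNAL/*.conf files to /etc/nginx/conf.d/"
# Only copy when there is something to copy. The original silenced cp's
# stderr to hide the "no such file" from an unexpanded glob, which also hid
# real failures (permissions, full disk).
shopt -s nullglob
confs=("$EXTERNAL"/*.conf)
shopt -u nullglob
if [ "${#confs[@]}" -gt 0 ]
then
  cp "${confs[@]}" /etc/nginx/conf.d/ \
    || { >&2 echo ">> copying *.conf files failed"; exit 1; }
else
  echo ">> no *.conf files found in $EXTERNAL"
fi

# exec CMD
echo ">> exec docker CMD"
echo "$@"
exec "$@"
--------------------------------------------------------------------------------
/ssl.conf:
--------------------------------------------------------------------------------
# Getting a high secure SSL configured system

# Tutorials used:
# https://scotthelme.co.uk/a-plus-rating-qualys-ssl-test/
# http://www.howtoforge.com/ssl-perfect-forward-secrecy-in-nginx-webserver
#
# Lives in conf.d (http scope), so it applies to every server block that
# listens with `ssl`. The server block itself must still point
# ssl_certificate / ssl_certificate_key at the files in /etc/nginx/external.

# enable dh - only the DHE-* suites below use it; entrypoint.sh generates
# the file on first start when it is missing.
ssl_dhparam /etc/nginx/external/dh.pem;

# protocols
ssl_protocols TLSv1.2 TLSv1.3;

# Session resumption: server-side cache, but no stateless tickets. The
# ticket key lives in nginx's memory for its whole lifetime, so a later
# compromise could decrypt recorded sessions and undo forward secrecy.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# HSTS, 2 years; `always` also sends it on error responses.
# NOTE: add `; includeSubDomains; preload` only once every subdomain is served
# over TLS - clients cache this header for the full max-age.
# NOTE: nginx does not merge add_header across levels; any server/location
# block that sets its own add_header drops this one (and the nosniff header
# from basic.conf). Repeat them there.
add_header Strict-Transport-Security "max-age=63072000" always;

# ciphers (TLS 1.2 only; TLS 1.3 suites are fixed by OpenSSL). AEAD suites
# with ECDHE/DHE key exchange only, i.e. forward secrecy for every suite.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Every listed suite is strong, so let the client choose (clients without
# AES hardware prefer CHACHA20).
ssl_prefer_server_ciphers off;

# SSL stapling
# NOTE: stapling needs a `resolver` directive and, with ssl_stapling_verify,
# a `ssl_trusted_certificate` holding the issuer chain; without them nginx
# logs a warning and serves no OCSP response. It cannot work with the
# self-signed fallback certificate entrypoint.sh generates.
ssl_stapling on;
ssl_stapling_verify on;
--------------------------------------------------------------------------------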