
docker-nginx-ssl-secure's Introduction

Docker very secured Nginx with secure SSL

maintained by MarvAmBass

FAQ - All you need to know about the marvambass Containers

What is it

This Dockerfile (available as marvambass/nginx-ssl-secure) gives you a ready-to-use, secured production nginx server with perfectly configured SSL. You should get an A+ rating in the Qualys SSL Test.

View in Docker Registry marvambass/nginx-ssl-secure

View in GitHub MarvAmBass/docker-nginx-ssl-secure

Environment variables and defaults

  • DH_SIZE
  • default: 2048 (which takes a long time to create); for demo or insecure applications you can use smaller values like 512

Running marvambass/nginx-ssl-secure Container

This Dockerfile is not really made for direct usage. It should be used as a base image for your nginx project, but you can run it anyway.

You should mount a folder over /etc/nginx/external/ that contains your nginx *.conf files, certs and a dh.pem.
If you forget the dh.pem file, it will be created at the first start, but this can/will take a long time!

docker run -d \
-p 80:80 -p 443:443 \
-e 'DH_SIZE=512' \
-v $EXT_DIR:/etc/nginx/external/ \
marvambass/nginx-ssl-secure
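
Before starting the container it is worth checking the folder you are about to mount. The script below is an added example, not part of the image or its repository: it checks that dh.pem is present and not weaker than a minimum size, and that no PEM private key in the folder is readable by group or others. MIN_DH_BITS and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the folder mounted at /etc/nginx/external/.
# MIN_DH_BITS and all function names are assumptions, not part of the image.
MIN_DH_BITS=${MIN_DH_BITS:-2048}

# Read `openssl dhparam -text` output on stdin and print the parameter size,
# taken from the line "DH Parameters: (N bit)".
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the given bit count meets the minimum.
dh_bits_ok() {
    [ "$1" -ge "$MIN_DH_BITS" ]
}

# Print every file under DIR that holds a PEM private key and is readable
# by group or others. Always returns 0; the output is the result.
exposed_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) \
        -exec grep -l -e '-----BEGIN.*PRIVATE KEY-----' {} + || true
}

# Check DIR before starting the container. Returns 1 on any failure.
preflight() {
    dir=$1
    rc=0
    if [ -f "$dir/dh.pem" ]; then
        bits=$(openssl dhparam -in "$dir/dh.pem" -noout -text 2>/dev/null |
            dh_bits_from_text)
        if ! dh_bits_ok "${bits:-0}"; then
            echo "FAIL: dh.pem is ${bits:-unreadable} bit, need >= $MIN_DH_BITS" >&2
            rc=1
        fi
    else
        echo "WARN: no dh.pem, the container will generate one on first start" >&2
    fi
    keys=$(exposed_keys "$dir")
    if [ -n "$keys" ]; then
        echo "FAIL: private key readable by group/others: $keys" >&2
        rc=1
    fi
    return "$rc"
}

# Run only when a directory is passed, e.g.: sh preflight.sh "$EXT_DIR"
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

A dh.pem generated with DH_SIZE=512, as in the demo command above, fails this check with the default minimum of 2048.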

Based on

This Dockerfile is based on the /_/nginx/ Official Image.

Cheat Sheet

Creating the dh4096.pem with openssl

To create a Diffie-Hellman parameters file, you can use the following command:

openssl dhparam -out dh4096.pem 4096

Creating a highly secure SSL CSR with openssl

This cert might be incompatible with Windows 2000, XP and older IE Versions

openssl req -nodes -new -newkey rsa:4096 -out csr.pem -sha256

Creating a self-signed ssl cert

Please note that the Common Name (CN) is important and should be the FQDN of the secured server:

openssl req -x509 -newkey rsa:4096 \
-keyout key.pem -out cert.pem \
-days 3650 -nodes -sha256

docker-nginx-ssl-secure's People

Contributors

databus23, marvambass, tdtgit


docker-nginx-ssl-secure's Issues

Fork

Hi,

I really liked your work, it was bothering me, how to automatically provision an instance of owncloud or piwik without playing around with this mouse..

But, unfortunately, I'm running behind an SSL offloader, HAProxy, so I had to rewrite big chunks of your code. And then, I also changed some other stuff to fit my infra..

I have to admit, I'm sad, but I spent 3 days working on that to fit my needs. I'm afraid I can't offer a PR...

If you want to have a look, I used your work in nginx-php, piwik and owncloud.
https://github.com/pierreozoux/IndiePaaS/tree/master/dockerfiles/services

Among other things here are some comments:

  • ENV DEBIAN_FRONTEND noninteractive
  • rm -rf /var/lib/apt/lists/*
  • mysql-check.sh (to check db before doing anything)
  • s/chmod a+x/chmod u+x/g (try to set minimum rights)
  • #!/bin/bash -eux (instead of: #/bin/bash)
  • /tmp/nginx.log
  • support for persistent volume
  • use of $URL instead of localhost

I mean the work I did is still not perfect, but it fits my needs.
I liked the way you worked, this curl idea to configure is really nice! And your images are just with minimum, not like a bunch of fat images out there.

I would love to work with you to maintain these images. I'd prefer that to maintaining them by myself.

Tell me what you think about it.

Ah, also, I removed references to your work, as it is quite far from that now. Does it bother you? If yes, I'll put a link to your images, and a big thanks!

Adding a startup hook

Hi,

how do you feel about adding an optional startup hook to your ENTRYPOINT script?
I want to generate some nginx config from environment variables during startup and currently would need to replace your script.
Instead, I think it would be useful if your script contained something like

[ -f /opt/startup_hook.sh ] && /opt/startup_hook.sh

just before starting nginx?
