Comments (5)
umputun
commented on May 11, 2024
nginx-le doesn't do any magic. All it does is LE certificate update and replacement of SSL_CERT, SSL_CERT and SSL_CHAIN_CERT with those cert paths. And the file you mapped to /etc/nginx/service.conf will be copied to /etc/nginx.d/conf/ and this about it.
You can see what it made by yourself inside the container, i.e. docker exec -it nginx cat /etc/nginx/conf.d/service.conf. As long as your source service.conf valid the result should be valid as well, so whatever works with nginx will be working fine with nginx-le because nginx-le is the nginx.
from nginx-le.
vtoupet
commented on May 11, 2024
Thanks for your reply.
With a bit of hacking I managed to make it work (but I finally realized that I could not do SSL termination for that TCP stream as it requires NGINX Plus (see https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-tcp/).
from nginx-le.
paskal
commented on May 11, 2024
Can you please post what you did at least briefly? Otherwise somebody will find this thread and will not be able to learn about how to do what you did.
from nginx-le.
vtoupet
commented on May 11, 2024
Sure,
in the docker-compose.yml, I add a volume like so: - ./path_to/service_db.conf:/etc/nginx/stream.d/service_db.conf
and the content of service_db.conf (see the hardcoded value for ssl_certificate as nginx-le script does not take care of this)
upstream postgres {
server localhost:5432;
}
server {
listen 5433;
proxy_pass postgres;
proxy_ssl on;
ssl_certificate /etc/nginx/ssl/le-crt.pem;
ssl_certificate_key /etc/nginx/ssl/le-key.pem;
ssl_trusted_certificate /etc/nginx/ssl/le-chain-crt.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
}
Maybe one enhancement of neginx-le script could be to retrieve all files that look like stream_*.conf and replace certificate path the same way as service*.conf and move the files to stream.dfolder.
That is just a pity that open source nginx does not handle SSL termination for TCP upstream...
from nginx-le.
paskal
commented on May 11, 2024
@vtoupet thanks for the idea, will be done in #48. I believe it was proposed some time ago in another issue but we didn't pick it up at that time.
from nginx-le.
Related Issues (20)
- Adding new domain won't refresh certificates HOT 5
- Predefined ssl ciphers does not works for Android 7 HOT 1
- Support multiple domains (domain1.com, domain2.org, example.ru) HOT 6
- Possibility to add domain/change configuration without long recreation container HOT 5
- Issue with updating cert HOT 2
- requests LE certificate and will refresh every 10 days .. HOT 2
- gen a wild certificate ? (support dns challenge) HOT 4
- Please upgrade your ACME client to a version that supports ACMEv2 HOT 2
- sh: 0: unknown operand HOT 6
- SSL lab grade is B HOT 1
- Certificate is not renewed during runtime, but after restart it got renewed HOT 3
- "BEGIN TRUSTED CERTIFICATE" is expected HOT 36
- ocsp.int-x3.letsencrypt.org could not be resolved HOT 8
- image cannot be gracefully stopped HOT 2
- Challenge failed for domain HOT 4
- How can I get multiple certificates for different services? HOT 4
- Update nginx image up to 1.20.1, cause: 1.19 contains security issue
- Update "LE_FQDN" without restart? HOT 1
- failed to run certbot HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nginx-le.