1
0

Compare commits

..

No commits in common. "b92bd85597a065f7f043b4d22c98e86929ce902f" and "d3684274e3486c8ae26a59f2613158cb895f1b4e" have entirely different histories.

12 changed files with 62 additions and 105 deletions

View File

@ -2,7 +2,3 @@
{#- TODO: precise quotation #} {#- TODO: precise quotation #}
grpc_ssl_conf_command {{ k }} {{ v.__repr__() }}; grpc_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %} {%- endfor %}
grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
grpc_ssl_verify on;
grpc_ssl_server_name on;

View File

@ -0,0 +1 @@
grpc_ssl_verify on;

View File

@ -0,0 +1 @@
grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

View File

@ -2,7 +2,3 @@
{#- TODO: precise quotation #} {#- TODO: precise quotation #}
proxy_ssl_conf_command {{ k }} {{ v.__repr__() }}; proxy_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %} {%- endfor %}
proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
proxy_ssl_verify on;
proxy_ssl_server_name on;

View File

@ -0,0 +1 @@
proxy_ssl_verify on;

View File

@ -2,7 +2,3 @@
{#- TODO: precise quotation #} {#- TODO: precise quotation #}
uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }}; uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %} {%- endfor %}
uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
uwsgi_ssl_verify on;
uwsgi_ssl_server_name on;

View File

@ -0,0 +1 @@
uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

View File

@ -74,20 +74,20 @@ tls:
profiles: profiles:
modern: modern:
protocols: TLSv1.3 protocols: TLSv1.3
#prefer_server_ciphers: off #prefer_server_ciphers: false
session_tickets: off session_tickets: false
session_timeout: 1d session_timeout: 1d
intermediate: intermediate:
protocols: TLSv1.2 TLSv1.3 protocols: TLSv1.2 TLSv1.3
#prefer_server_ciphers: off #prefer_server_ciphers: false
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
dhparam: tls.d/ffdhe2048.pem dhparam: /etc/angie/tls.d/ffdhe2048.pem
session_tickets: off session_tickets: false
session_timeout: 1d session_timeout: 1d
old: old:
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
prefer_server_ciphers: on prefer_server_ciphers: true
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
dhparam: tls.d/dh1024.pem dhparam: /etc/angie/tls.d/dh1024.pem
session_tickets: off session_tickets: false
session_timeout: 1d session_timeout: 1d

View File

@ -2,7 +2,9 @@
ssl_protocols {{ ssl_profile.protocols }}; ssl_protocols {{ ssl_profile.protocols }};
{%- endif %} {%- endif %}
{%- if ssl_profile.prefer_server_ciphers %} {%- if ssl_profile.prefer_server_ciphers %}
ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }}; ssl_prefer_server_ciphers on;
{%- else %}
ssl_prefer_server_ciphers off;
{%- endif %} {%- endif %}
{%- if ssl_profile.ciphers %} {%- if ssl_profile.ciphers %}
ssl_ciphers {{ ssl_profile.ciphers }}; ssl_ciphers {{ ssl_profile.ciphers }};

View File

@ -1,22 +1,5 @@
# print env via NJS # print env via NJS
Dockerfile:
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-njs' and process package contents
RUN apt-install-angie-mod.sh njs ; \
apt-clean.sh
## load ngx_http_js_module
ENV NGX_HTTP_MODULES='njs'
```
---
configuration: configuration:
```nginx ```nginx
@ -33,8 +16,6 @@ server {
} }
``` ```
---
NJS script: NJS script:
```js ```js
@ -52,7 +33,20 @@ function report(r) {
export default { report }; export default { report };
``` ```
--- Dockerfile:
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-njs' and process package contents
RUN apt-install-angie-mod.sh njs ; \
apt-clean.sh
## load ngx_http_js_module
ENV NGX_HTTP_MODULES='njs'
```
Test URI e.g. with `curl`: Test URI e.g. with `curl`:
```sh ```sh

View File

@ -1,22 +1,5 @@
# print env via Perl # print env via Perl
Dockerfile:
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-perl' and process package contents
RUN apt-install-angie-mod.sh perl ; \
apt-clean.sh
## load ngx_http_perl_module
ENV NGX_HTTP_MODULES='perl'
```
---
configuration: configuration:
```nginx ```nginx
@ -33,8 +16,6 @@ server {
} }
``` ```
---
Perl script: Perl script:
```perl ```perl
@ -62,7 +43,20 @@ sub report {
__END__ __END__
``` ```
--- Dockerfile:
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-perl' and process package contents
RUN apt-install-angie-mod.sh perl ; \
apt-clean.sh
## load ngx_http_perl_module
ENV NGX_HTTP_MODULES='perl'
```
Test URI e.g. with `curl`: Test URI e.g. with `curl`:
```sh ```sh

View File

@ -1,5 +1,20 @@
# SSL with subdomains # SSL with subdomains
configuration:
```nginx
server {
listen 8443 ssl;
server_name example.org;
ssl_certificate tls.d/example.org.chain.crt;
ssl_certificate_key tls.d/example.org.pem;
root static.d/example.org;
}
```
Dockerfile: Dockerfile:
```dockerfile ```dockerfile
@ -12,45 +27,7 @@ COPY /tls/ /etc/angie/tls/
ENV NGX_HTTP_CONFLOAD='ssl' ENV NGX_HTTP_CONFLOAD='ssl'
``` ```
--- Optional cut-off SSL server block:
configuration:
```nginx
server {
listen 8443 ssl;
server_name www.example.org;
ssl_certificate tls.d/www.example.org.chain.crt;
ssl_certificate_key tls.d/www.example.org.pem;
root static.d/www.example.org;
}
```
---
configuration for wildcard certificate:
```nginx
server {
listen 8443 ssl;
server_name .example.org;
ssl_certificate tls.d/example.org.chain.crt;
ssl_certificate_key tls.d/example.org.pem;
root static.d/example.org;
}
```
*Note: certificate must have* `X509v3 Subject Alternative Name` *property with value like* `DNS:example.org, DNS:*.example.org` .
---
(optional) configuration for cut-off SSL server block (see [documentation](https://angie.software/en/configuration/modules/http/http_ssl/#ssl-reject-handshake) for rationale):
```nginx ```nginx
server { server {
@ -65,8 +42,6 @@ server {
} }
``` ```
---
Test URI e.g. with `curl`: Test URI e.g. with `curl`:
```sh ```sh
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/ curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/