doc: update examples

angie: adjust SSL configuration
2024-09-20 22:51:44 +03:00 · 2024-09-20 22:51:30 +03:00
12 changed files with 105 additions and 62 deletions
--- a/angie/conf.dist/grpc/ssl-verify.conf
+++ b/angie/conf.dist/grpc/ssl-verify.conf
@ -1 +0,0 @@
 grpc_ssl_verify on;
--- a/angie/conf.dist/grpc/ssl-cmd.conf.j2
+++ b/angie/conf.dist/grpc/ssl-cmd.conf.j2
@ -2,3 +2,7 @@
 {#- TODO: precise quotation #}
 grpc_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
 {%- endfor %}
 grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
 grpc_ssl_verify on;
 grpc_ssl_server_name on;
--- a/angie/conf.dist/grpc/tls-ca-file.conf.in
+++ b/angie/conf.dist/grpc/tls-ca-file.conf.in
@ -1 +0,0 @@
 grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};
--- a/angie/conf.dist/proxy/ssl-verify.conf
+++ b/angie/conf.dist/proxy/ssl-verify.conf
@ -1 +0,0 @@
 proxy_ssl_verify on;
--- a/angie/conf.dist/proxy/ssl-cmd.conf.j2
+++ b/angie/conf.dist/proxy/ssl-cmd.conf.j2
@ -2,3 +2,7 @@
 {#- TODO: precise quotation #}
 proxy_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
 {%- endfor %}
 proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
 proxy_ssl_verify on;
 proxy_ssl_server_name on;
--- a/angie/conf.dist/uwsgi/ssl-cmd.conf.j2
+++ b/angie/conf.dist/uwsgi/ssl-cmd.conf.j2
@ -2,3 +2,7 @@
 {#- TODO: precise quotation #}
 uwsgi_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
 {%- endfor %}
 uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
 uwsgi_ssl_verify on;
 uwsgi_ssl_server_name on;
--- a/angie/conf.dist/uwsgi/tls-ca-file.conf.in
+++ b/angie/conf.dist/uwsgi/tls-ca-file.conf.in
@ -1 +0,0 @@
 uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};
--- a/angie/j2cfg.dist/00-defaults.yml.j2
+++ b/angie/j2cfg.dist/00-defaults.yml.j2
@ -74,20 +74,20 @@ tls:
  profiles:
    modern:
      protocols: TLSv1.3
-     #prefer_server_ciphers: false
+     #prefer_server_ciphers: off
-      session_tickets: false
+      session_tickets: off
      session_timeout: 1d
    intermediate:
      protocols: TLSv1.2 TLSv1.3
-     #prefer_server_ciphers: false
+     #prefer_server_ciphers: off
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
-      dhparam: /etc/angie/tls.d/ffdhe2048.pem
+      dhparam: tls.d/ffdhe2048.pem
-      session_tickets: false
+      session_tickets: off
      session_timeout: 1d
    old:
      protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
-      prefer_server_ciphers: true
+      prefer_server_ciphers: on
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
-      dhparam: /etc/angie/tls.d/dh1024.pem
+      dhparam: tls.d/dh1024.pem
-      session_tickets: false
+      session_tickets: off
      session_timeout: 1d
--- a/angie/snip.dist/ssl-profile.j2m
+++ b/angie/snip.dist/ssl-profile.j2m
@ -2,9 +2,7 @@
 ssl_protocols {{ ssl_profile.protocols }};
 {%- endif %}
 {%- if ssl_profile.prefer_server_ciphers %}
-ssl_prefer_server_ciphers on;
+ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};
 {%- else %}
 ssl_prefer_server_ciphers off;
 {%- endif %}
 {%- if ssl_profile.ciphers %}
 ssl_ciphers {{ ssl_profile.ciphers }};
--- a/doc/examples/njs/README.md
+++ b/doc/examples/njs/README.md
@ -1,5 +1,22 @@
 # print env via NJS
 Dockerfile:
 ```dockerfile
 FROM docker.io/rockdrilla/angie-conv:v0.0.1
 COPY /site/ /etc/angie/site/
 ## install 'angie-module-njs' and process package contents
 RUN apt-install-angie-mod.sh njs ; \
    apt-clean.sh
 ## load ngx_http_js_module
 ENV NGX_HTTP_MODULES='njs'
 ```
 ---
 configuration:
 ```nginx
@ -16,6 +33,8 @@ server {
 }
 ```
 ---
 NJS script:
 ```js
@ -33,20 +52,7 @@ function report(r) {
 export default { report };
 ```
-Dockerfile:
+---
 ```dockerfile
 FROM docker.io/rockdrilla/angie-conv:v0.0.1
 COPY /site/ /etc/angie/site/
 ## install 'angie-module-njs' and process package contents
 RUN apt-install-angie-mod.sh njs ; \
    apt-clean.sh
 ## load ngx_http_js_module
 ENV NGX_HTTP_MODULES='njs'
 ```
 Test URI e.g. with `curl`:
 ```sh
--- a/doc/examples/perl/README.md
+++ b/doc/examples/perl/README.md
@ -1,5 +1,22 @@
 # print env via Perl
 Dockerfile:
 ```dockerfile
 FROM docker.io/rockdrilla/angie-conv:v0.0.1
 COPY /site/ /etc/angie/site/
 ## install 'angie-module-perl' and process package contents
 RUN apt-install-angie-mod.sh perl ; \
    apt-clean.sh
 ## load ngx_http_perl_module
 ENV NGX_HTTP_MODULES='perl'
 ```
 ---
 configuration:
 ```nginx
@ -16,6 +33,8 @@ server {
 }
 ```
 ---
 Perl script:
 ```perl
@ -43,20 +62,7 @@ sub report {
 __END__
 ```
-Dockerfile:
+---
 ```dockerfile
 FROM docker.io/rockdrilla/angie-conv:v0.0.1
 COPY /site/ /etc/angie/site/
 ## install 'angie-module-perl' and process package contents
 RUN apt-install-angie-mod.sh perl ; \
    apt-clean.sh
 ## load ngx_http_perl_module
 ENV NGX_HTTP_MODULES='perl'
 ```
 Test URI e.g. with `curl`:
 ```sh
--- a/doc/examples/ssl/README.md
+++ b/doc/examples/ssl/README.md
@ -1,20 +1,5 @@
 # SSL with subdomains
 configuration:
 ```nginx
 server {
    listen 8443 ssl;
    server_name example.org;
    ssl_certificate      tls.d/example.org.chain.crt;
    ssl_certificate_key  tls.d/example.org.pem;
    root static.d/example.org;
 }
 ```
 Dockerfile:
 ```dockerfile
@ -27,7 +12,45 @@ COPY /tls/    /etc/angie/tls/
 ENV NGX_HTTP_CONFLOAD='ssl'
 ```
-Optional cut-off SSL server block:
+---
 configuration:
 ```nginx
 server {
    listen 8443 ssl;
    server_name www.example.org;
    ssl_certificate      tls.d/www.example.org.chain.crt;
    ssl_certificate_key  tls.d/www.example.org.pem;
    root static.d/www.example.org;
 }
 ```
 ---
 configuration for wildcard certificate:
 ```nginx
 server {
    listen 8443 ssl;
    server_name .example.org;
    ssl_certificate      tls.d/example.org.chain.crt;
    ssl_certificate_key  tls.d/example.org.pem;
    root static.d/example.org;
 }
 ```
 *Note: certificate must have* `X509v3 Subject Alternative Name` *property with value like* `DNS:example.org, DNS:*.example.org` .
 ---
 (optional) configuration for cut-off SSL server block (see [documentation](https://angie.software/en/configuration/modules/http/http_ssl/#ssl-reject-handshake) for rationale):
 ```nginx
 server {
@ -42,6 +65,8 @@ server {
 }
 ```
 ---
 Test URI e.g. with `curl`:
 ```sh
 curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/
Author	SHA1	Message	Date
Konstantin Demin	b92bd85597	doc: update examples	2024-09-20 22:51:44 +03:00
Konstantin Demin	5b8ef5329e	angie: adjust SSL configuration	2024-09-20 22:51:30 +03:00
		`@ -1 +0,0 @@`
			`grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};`
		`@ -1 +0,0 @@`
			`uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};`