1
0

Compare commits

...

2 Commits

Author SHA1 Message Date
b92bd85597
doc: update examples 2024-09-20 22:51:44 +03:00
5b8ef5329e
angie: adjust SSL configuration 2024-09-20 22:51:30 +03:00
12 changed files with 105 additions and 62 deletions

View File

@ -1 +0,0 @@
grpc_ssl_verify on;

View File

@ -1,4 +1,8 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %} {%- for k, v in j2cfg.tls.conf_cmd.items() %}
{#- TODO: precise quotation #} {#- TODO: precise quotation #}
grpc_ssl_conf_command {{ k }} {{ v.__repr__() }}; grpc_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %} {%- endfor %}
grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
grpc_ssl_verify on;
grpc_ssl_server_name on;

View File

@ -1 +0,0 @@
grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

View File

@ -1 +0,0 @@
proxy_ssl_verify on;

View File

@ -1,4 +1,8 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %} {%- for k, v in j2cfg.tls.conf_cmd.items() %}
{#- TODO: precise quotation #} {#- TODO: precise quotation #}
proxy_ssl_conf_command {{ k }} {{ v.__repr__() }}; proxy_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %} {%- endfor %}
proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
proxy_ssl_verify on;
proxy_ssl_server_name on;

View File

@ -1,4 +1,8 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %} {%- for k, v in j2cfg.tls.conf_cmd.items() %}
{#- TODO: precise quotation #} {#- TODO: precise quotation #}
uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }}; uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %} {%- endfor %}
uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
uwsgi_ssl_verify on;
uwsgi_ssl_server_name on;

View File

@ -1 +0,0 @@
uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

View File

@ -74,20 +74,20 @@ tls:
profiles: profiles:
modern: modern:
protocols: TLSv1.3 protocols: TLSv1.3
#prefer_server_ciphers: false #prefer_server_ciphers: off
session_tickets: false session_tickets: off
session_timeout: 1d session_timeout: 1d
intermediate: intermediate:
protocols: TLSv1.2 TLSv1.3 protocols: TLSv1.2 TLSv1.3
#prefer_server_ciphers: false #prefer_server_ciphers: off
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
dhparam: /etc/angie/tls.d/ffdhe2048.pem dhparam: tls.d/ffdhe2048.pem
session_tickets: false session_tickets: off
session_timeout: 1d session_timeout: 1d
old: old:
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
prefer_server_ciphers: true prefer_server_ciphers: on
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
dhparam: /etc/angie/tls.d/dh1024.pem dhparam: tls.d/dh1024.pem
session_tickets: false session_tickets: off
session_timeout: 1d session_timeout: 1d

View File

@ -2,9 +2,7 @@
ssl_protocols {{ ssl_profile.protocols }}; ssl_protocols {{ ssl_profile.protocols }};
{%- endif %} {%- endif %}
{%- if ssl_profile.prefer_server_ciphers %} {%- if ssl_profile.prefer_server_ciphers %}
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};
{%- else %}
ssl_prefer_server_ciphers off;
{%- endif %} {%- endif %}
{%- if ssl_profile.ciphers %} {%- if ssl_profile.ciphers %}
ssl_ciphers {{ ssl_profile.ciphers }}; ssl_ciphers {{ ssl_profile.ciphers }};

View File

@ -1,5 +1,22 @@
# print env via NJS # print env via NJS
Dockerfile:
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-njs' and process package contents
RUN apt-install-angie-mod.sh njs ; \
apt-clean.sh
## load ngx_http_js_module
ENV NGX_HTTP_MODULES='njs'
```
---
configuration: configuration:
```nginx ```nginx
@ -16,6 +33,8 @@ server {
} }
``` ```
---
NJS script: NJS script:
```js ```js
@ -33,20 +52,7 @@ function report(r) {
export default { report }; export default { report };
``` ```
Dockerfile: ---
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-njs' and process package contents
RUN apt-install-angie-mod.sh njs ; \
apt-clean.sh
## load ngx_http_js_module
ENV NGX_HTTP_MODULES='njs'
```
Test URI e.g. with `curl`: Test URI e.g. with `curl`:
```sh ```sh

View File

@ -1,5 +1,22 @@
# print env via Perl # print env via Perl
Dockerfile:
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-perl' and process package contents
RUN apt-install-angie-mod.sh perl ; \
apt-clean.sh
## load ngx_http_perl_module
ENV NGX_HTTP_MODULES='perl'
```
---
configuration: configuration:
```nginx ```nginx
@ -16,6 +33,8 @@ server {
} }
``` ```
---
Perl script: Perl script:
```perl ```perl
@ -43,20 +62,7 @@ sub report {
__END__ __END__
``` ```
Dockerfile: ---
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-perl' and process package contents
RUN apt-install-angie-mod.sh perl ; \
apt-clean.sh
## load ngx_http_perl_module
ENV NGX_HTTP_MODULES='perl'
```
Test URI e.g. with `curl`: Test URI e.g. with `curl`:
```sh ```sh

View File

@ -1,20 +1,5 @@
# SSL with subdomains # SSL with subdomains
configuration:
```nginx
server {
listen 8443 ssl;
server_name example.org;
ssl_certificate tls.d/example.org.chain.crt;
ssl_certificate_key tls.d/example.org.pem;
root static.d/example.org;
}
```
Dockerfile: Dockerfile:
```dockerfile ```dockerfile
@ -27,7 +12,45 @@ COPY /tls/ /etc/angie/tls/
ENV NGX_HTTP_CONFLOAD='ssl' ENV NGX_HTTP_CONFLOAD='ssl'
``` ```
Optional cut-off SSL server block: ---
configuration:
```nginx
server {
listen 8443 ssl;
server_name www.example.org;
ssl_certificate tls.d/www.example.org.chain.crt;
ssl_certificate_key tls.d/www.example.org.pem;
root static.d/www.example.org;
}
```
---
configuration for wildcard certificate:
```nginx
server {
listen 8443 ssl;
server_name .example.org;
ssl_certificate tls.d/example.org.chain.crt;
ssl_certificate_key tls.d/example.org.pem;
root static.d/example.org;
}
```
*Note: certificate must have* `X509v3 Subject Alternative Name` *property with value like* `DNS:example.org, DNS:*.example.org` .
---
(optional) configuration for cut-off SSL server block (see [documentation](https://angie.software/en/configuration/modules/http/http_ssl/#ssl-reject-handshake) for rationale):
```nginx ```nginx
server { server {
@ -42,6 +65,8 @@ server {
} }
``` ```
---
Test URI e.g. with `curl`: Test URI e.g. with `curl`:
```sh ```sh
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/ curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/