1
0

Compare commits

..

2 Commits

Author SHA1 Message Date
b92bd85597
doc: update examples 2024-09-20 22:51:44 +03:00
5b8ef5329e
angie: adjust SSL configuration 2024-09-20 22:51:30 +03:00
12 changed files with 105 additions and 62 deletions

View File

@ -1 +0,0 @@
grpc_ssl_verify on;

View File

@ -1,4 +1,8 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
{#- TODO: precise quotation #}
grpc_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %}
{%- endfor %}
grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
grpc_ssl_verify on;
grpc_ssl_server_name on;

View File

@ -1 +0,0 @@
grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

View File

@ -1 +0,0 @@
proxy_ssl_verify on;

View File

@ -1,4 +1,8 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
{#- TODO: precise quotation #}
proxy_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %}
{%- endfor %}
proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
proxy_ssl_verify on;
proxy_ssl_server_name on;

View File

@ -1,4 +1,8 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
{#- TODO: precise quotation #}
uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }};
{%- endfor %}
{%- endfor %}
uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
uwsgi_ssl_verify on;
uwsgi_ssl_server_name on;

View File

@ -1 +0,0 @@
uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

View File

@ -74,20 +74,20 @@ tls:
profiles:
modern:
protocols: TLSv1.3
#prefer_server_ciphers: false
session_tickets: false
#prefer_server_ciphers: off
session_tickets: off
session_timeout: 1d
intermediate:
protocols: TLSv1.2 TLSv1.3
#prefer_server_ciphers: false
#prefer_server_ciphers: off
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
dhparam: /etc/angie/tls.d/ffdhe2048.pem
session_tickets: false
dhparam: tls.d/ffdhe2048.pem
session_tickets: off
session_timeout: 1d
old:
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
prefer_server_ciphers: true
prefer_server_ciphers: on
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
dhparam: /etc/angie/tls.d/dh1024.pem
session_tickets: false
dhparam: tls.d/dh1024.pem
session_tickets: off
session_timeout: 1d

View File

@ -2,9 +2,7 @@
ssl_protocols {{ ssl_profile.protocols }};
{%- endif %}
{%- if ssl_profile.prefer_server_ciphers %}
ssl_prefer_server_ciphers on;
{%- else %}
ssl_prefer_server_ciphers off;
ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};
{%- endif %}
{%- if ssl_profile.ciphers %}
ssl_ciphers {{ ssl_profile.ciphers }};

View File

@ -1,5 +1,22 @@
# print env via NJS
Dockerfile:
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-njs' and process package contents
RUN apt-install-angie-mod.sh njs ; \
apt-clean.sh
## load ngx_http_js_module
ENV NGX_HTTP_MODULES='njs'
```
---
configuration:
```nginx
@ -16,6 +33,8 @@ server {
}
```
---
NJS script:
```js
@ -33,20 +52,7 @@ function report(r) {
export default { report };
```
Dockerfile:
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-njs' and process package contents
RUN apt-install-angie-mod.sh njs ; \
apt-clean.sh
## load ngx_http_js_module
ENV NGX_HTTP_MODULES='njs'
```
---
Test URI e.g. with `curl`:
```sh

View File

@ -1,5 +1,22 @@
# print env via Perl
Dockerfile:
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-perl' and process package contents
RUN apt-install-angie-mod.sh perl ; \
apt-clean.sh
## load ngx_http_perl_module
ENV NGX_HTTP_MODULES='perl'
```
---
configuration:
```nginx
@ -16,6 +33,8 @@ server {
}
```
---
Perl script:
```perl
@ -43,20 +62,7 @@ sub report {
__END__
```
Dockerfile:
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
## install 'angie-module-perl' and process package contents
RUN apt-install-angie-mod.sh perl ; \
apt-clean.sh
## load ngx_http_perl_module
ENV NGX_HTTP_MODULES='perl'
```
---
Test URI e.g. with `curl`:
```sh

View File

@ -1,20 +1,5 @@
# SSL with subdomains
configuration:
```nginx
server {
listen 8443 ssl;
server_name example.org;
ssl_certificate tls.d/example.org.chain.crt;
ssl_certificate_key tls.d/example.org.pem;
root static.d/example.org;
}
```
Dockerfile:
```dockerfile
@ -27,7 +12,45 @@ COPY /tls/ /etc/angie/tls/
ENV NGX_HTTP_CONFLOAD='ssl'
```
Optional cut-off SSL server block:
---
configuration:
```nginx
server {
listen 8443 ssl;
server_name www.example.org;
ssl_certificate tls.d/www.example.org.chain.crt;
ssl_certificate_key tls.d/www.example.org.pem;
root static.d/www.example.org;
}
```
---
configuration for wildcard certificate:
```nginx
server {
listen 8443 ssl;
server_name .example.org;
ssl_certificate tls.d/example.org.chain.crt;
ssl_certificate_key tls.d/example.org.pem;
root static.d/example.org;
}
```
*Note: certificate must have* `X509v3 Subject Alternative Name` *property with value like* `DNS:example.org, DNS:*.example.org` .
---
(optional) configuration for cut-off SSL server block (see [documentation](https://angie.software/en/configuration/modules/http/http_ssl/#ssl-reject-handshake) for rationale):
```nginx
server {
@ -42,6 +65,8 @@ server {
}
```
---
Test URI e.g. with `curl`:
```sh
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/