From 6614563f7a1fd1f7019e19a8b781f7935453256a Mon Sep 17 00:00:00 2001
From: bfren
Date: Wed, 28 Dec 2022 13:52:10 +0000
Subject: [PATCH 1/3] Bumping version to 5.1.8

---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index 693ad74..a106d2a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.1.7
\ No newline at end of file
+5.1.8
\ No newline at end of file

From 03a30597b7146d1ffbcf22ab33a1573865c11d96 Mon Sep 17 00:00:00 2001
From: bfren
Date: Wed, 28 Dec 2022 13:52:42 +0000
Subject: [PATCH 2/3] Adding PROXY_HARDEN environment variable

---
 Dockerfile | 8 +++++---
 README.md | 1 +
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 7965ad8..ab1e41d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM bfren/nginx:nginx1.22-4.0.21
+FROM bfren/nginx:nginx1.22-4.0.22
 LABEL org.opencontainers.image.source="https://github.com/bfren/docker-nginx-proxy"
@@ -13,12 +13,14 @@ ENV \
 PROXY_URI= \
 # clean all config and certificates before doing anything else
 PROXY_CLEAN_INSTALL=0 \
+ # enable automatic certificate updating
+ PROXY_ENABLE_AUTO_UPDATE=1 \
+ # use hardened mode (remove old / insecure ciphers and protocols)
+ PROXY_HARDEN=0 \
 # used for renewal notification emails
 PROXY_LETS_ENCRYPT_EMAIL= \
 # set to 1 to use live instead of staging server
 PROXY_LETS_ENCRYPT_LIVE=0 \
- # enable automatic certificate updating
- PROXY_ENABLE_AUTO_UPDATE=1 \
 # set to the number of bits to use for generating private key
 PROXY_SSL_KEY_BITS=4096 \
 # set to the number of bits to use for generating DHPARAM
diff --git a/README.md b/README.md
index 4ec705a..962acc2 100644
--- a/README.md
+++ b/README.md
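Review bot: The comment on the new `PROXY_HARDEN=0 \` line in the ENV hunk states the intent but not the contract an operator needs: the init script added in PATCH 3/3 compares the value against the literal string `1`, so `true`, `yes` or `on` silently keep the intermediate profile, and the hardened profile as shipped is TLS 1.3 only. Suggest making the comment precise, e.g. `# use hardened mode: TLS 1.3 only; set to exactly 1 to enable (any other value keeps the intermediate profile)`. The same exact-match caveat belongs in the README row added on the next hunk. The enclosing `ENV \` instruction starts before and continues after this hunk.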
@@ -38,6 +38,7 @@ For SSL certificate requests to work correctly, ports 80 and 443 need mapping fr
 | ------------------------------------ | --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
 | `PROXY_URI` | URI | The base URI of the proxy server - will be used to handle unbound requests. | *None* - **required** |
 | `PROXY_CLEAN_INSTALL` | 0 or 1 | If 1, all Nginx and SSL configuration and certificates will be deleted and regenerated. | 0 |
+| `PROXY_HARDEN` | 0 or 1 | If 1, only modern SSL ciphers and protocols will be enabled (some older devices may not be able to access it). | 0 |
 | `PROXY_LETS_ENCRYPT_EMAIL` | A valid email address | Used by Lets Encrypt for notification emails. | *None* - **required** |
 | `PROXY_LETS_ENCRYPT_LIVE` | 0 or 1 | Only set to 1 (to request live certificates) when your config is correct - Lets Encrypt rate limit certificate requests. | 0 |
 | `PROXY_SSL_DHPARAM_BITS` | A valid integer | The size of your DHPARAM variables - adjust down only if you have limited processing resources. | 4096 |

From 8b8fe0c898356a00d6754d9a43291a251ce1396b Mon Sep 17 00:00:00 2001
From: bfren
Date: Wed, 28 Dec 2022 13:52:54 +0000
Subject: [PATCH 3/3] Using PROXY_HARDEN to generate ssl configuration

---
 overlay/etc/bf/init.d/21-ssl-conf | 19 +++++++++++++++++++
 .../bf/init.d/{21-ssl-init => 22-ssl-init} | 0
 .../bf/templates/ssl-intermediate.conf.esh | 13 +++++++++++++
 overlay/etc/bf/templates/ssl-modern.conf.esh | 12 ++++++++++++
 4 files changed, 44 insertions(+)
 create mode 100644 overlay/etc/bf/init.d/21-ssl-conf
 rename overlay/etc/bf/init.d/{21-ssl-init => 22-ssl-init} (100%)
 create mode 100644 overlay/etc/bf/templates/ssl-intermediate.conf.esh
 create mode 100644 overlay/etc/bf/templates/ssl-modern.conf.esh
diff --git a/overlay/etc/bf/init.d/21-ssl-conf b/overlay/etc/bf/init.d/21-ssl-conf
new file mode 100644
index 0000000..efa7f5a
--- /dev/null
+++ b/overlay/etc/bf/init.d/21-ssl-conf
@@ -0,0 +1,19 @@
+#!/command/with-contenv bash
+
+set -euo pipefail
+export BF_E=`basename ${0}`
+
+
+#======================================================================================================================
+# Generate SSL configuration file.
+#======================================================================================================================
+
+if [ "${PROXY_HARDEN}" = "1" ] ; then
+ TEMPLATE="modern"
+else
+ TEMPLATE="intermediate"
+fi
+
+bf-echo "Using ${TEMPLATE} SSL configuration."
+bf-esh ${BF_TEMPLATES}/ssl-${TEMPLATE}.conf.esh /etc/nginx/http.d/ssl.conf
+bf-done
diff --git a/overlay/etc/bf/init.d/21-ssl-init b/overlay/etc/bf/init.d/22-ssl-init
similarity index 100%
rename from overlay/etc/bf/init.d/21-ssl-init
rename to overlay/etc/bf/init.d/22-ssl-init
diff --git a/overlay/etc/bf/templates/ssl-intermediate.conf.esh b/overlay/etc/bf/templates/ssl-intermediate.conf.esh
new file mode 100644
index 0000000..cfca0b2
--- /dev/null
+++ b/overlay/etc/bf/templates/ssl-intermediate.conf.esh
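Review bot: The `if [ "${PROXY_HARDEN}" = "1" ]` branch in the new 21-ssl-conf treats every value other than the exact string `1` as "not hardened", so a typo or `PROXY_HARDEN=true` silently generates the weaker intermediate profile and the only trace is the `bf-echo` line; a security toggle should reject unrecognised values rather than downgrade. Suggest a `case` that accepts only `0` and `1` and exits non-zero otherwise (presumably the init framework treats a failing step as fatal — confirm). Separately, `export BF_E=\`basename ${0}\`` and the unquoted `bf-esh ${BF_TEMPLATES}/ssl-${TEMPLATE}.conf.esh` would read better and survive paths with spaces as `export BF_E=$(basename "${0}")` and `bf-esh "${BF_TEMPLATES}/ssl-${TEMPLATE}.conf.esh" /etc/nginx/http.d/ssl.conf`.
```shell
case "${PROXY_HARDEN}" in
  1) TEMPLATE="modern" ;;
  0) TEMPLATE="intermediate" ;;
  *)
    bf-echo "PROXY_HARDEN must be 0 or 1 (got '${PROXY_HARDEN}')."
    exit 1
    ;;
esac

# … unchanged: bf-echo / bf-esh / bf-done …
```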
@@ -0,0 +1,13 @@
+#======================================================================================================================
+# SSL
+# Using Mozilla's SSL Configuration Generator with 'Intermediate' settings - https://ssl-config.mozilla.org/
+#======================================================================================================================
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
diff --git a/overlay/etc/bf/templates/ssl-modern.conf.esh b/overlay/etc/bf/templates/ssl-modern.conf.esh
new file mode 100644
index 0000000..9d476d8
--- /dev/null
+++ b/overlay/etc/bf/templates/ssl-modern.conf.esh
@@ -0,0 +1,12 @@
+#======================================================================================================================
+# SSL
+# Using Mozilla's SSL Configuration Generator with 'Modern' settings - https://ssl-config.mozilla.org/
+#======================================================================================================================
+
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
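Review bot: Both new templates (ssl-intermediate.conf.esh here and ssl-modern.conf.esh in the following hunk) end with `ssl_stapling_verify on;` but neither sets `ssl_trusted_certificate`, which nginx needs to verify the OCSP response against the issuer chain; without it verification typically fails and no staple is sent, with only a log warning to show for it — confirm it is set next to `ssl_certificate` in the server configuration, or add it to the templates. The intermediate list also enables `DHE-RSA-*` suites, which only negotiate when `ssl_dhparam` is configured; the Dockerfile hunk shows `PROXY_SSL_DHPARAM_BITS`, so presumably that file is generated and referenced elsewhere, and a comment here naming where would save the next reader a search. The modern template's omission of `ssl_ciphers` is correct, since TLS 1.3 suites are not controlled by that directive; a one-line `# no ssl_ciphers: TLS 1.3 cipher suites are not selected via this directive` would stop someone from "fixing" it by pasting the intermediate list back in.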