bfren · bfren · Dec 28, 2022 · Dec 28, 2022 · Dec 28, 2022 · Dec 28, 2022
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM bfren/nginx:nginx1.22-4.0.21
+FROM bfren/nginx:nginx1.22-4.0.22
 
 LABEL org.opencontainers.image.source="https://github.com/bfren/docker-nginx-proxy"
 
@@ -13,12 +13,14 @@ ENV \
     PROXY_URI= \
     # clean all config and certificates before doing anything else
     PROXY_CLEAN_INSTALL=0 \
+    # enable automatic certificate updating
+    PROXY_ENABLE_AUTO_UPDATE=1 \
+    # use hardened mode (remove old / insecure ciphers and protocols)
+    PROXY_HARDEN=0 \
     # used for renewal notification emails
     PROXY_LETS_ENCRYPT_EMAIL= \
     # set to 1 to use live instead of staging server
     PROXY_LETS_ENCRYPT_LIVE=0 \
-    # enable automatic certificate updating
-    PROXY_ENABLE_AUTO_UPDATE=1 \
     # set to the number of bits to use for generating private key
     PROXY_SSL_KEY_BITS=4096 \
     # set to the number of bits to use for generating DHPARAM

diff --git a/README.md b/README.md
@@ -38,6 +38,7 @@ For SSL certificate requests to work correctly, ports 80 and 443 need mapping fr
 | ------------------------------------ | --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
 | `PROXY_URI`                          | URI                   | The base URI of the proxy server - will be used to handle unbound requests.                                                                  | *None* - **required** |
 | `PROXY_CLEAN_INSTALL`                | 0 or 1                | If 1, all Nginx and SSL configuration and certificates will be deleted and regenerated.                                                      | 0                     |
+| `PROXY_HARDEN`                       | 0 or 1                | If 1, only modern SSL ciphers and protocols will be enabled (some older devices may not be able to access it).                               | 0                     |
 | `PROXY_LETS_ENCRYPT_EMAIL`           | A valid email address | Used by Lets Encrypt for notification emails.                                                                                                | *None* - **required** |
 | `PROXY_LETS_ENCRYPT_LIVE`            | 0 or 1                | Only set to 1 (to request live certificates) when your config is correct - Lets Encrypt rate limit certificate requests.                     | 0                     |
 | `PROXY_SSL_DHPARAM_BITS`             | A valid integer       | The size of your DHPARAM variables - adjust down only if you have limited processing resources.                                              | 4096                  |

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-5.1.7
+5.1.8
diff --git a/overlay/etc/bf/init.d/21-ssl-conf b/overlay/etc/bf/init.d/21-ssl-conf
@@ -0,0 +1,19 @@
+#!/command/with-contenv bash
+
+set -euo pipefail
+export BF_E=`basename ${0}`
+
+
+#======================================================================================================================
+# Generate SSL configuration file.
+#======================================================================================================================
+
+if [ "${PROXY_HARDEN}" = "1" ] ; then
+    TEMPLATE="modern"
+else
+    TEMPLATE="intermediate"
+fi
+
+bf-echo "Using ${TEMPLATE} SSL configuration."
+bf-esh ${BF_TEMPLATES}/ssl-${TEMPLATE}.conf.esh /etc/nginx/http.d/ssl.conf
+bf-done
diff --git a/overlay/etc/bf/init.d/21-ssl-init → overlay/etc/bf/init.d/22-ssl-init b/overlay/etc/bf/init.d/21-ssl-init → overlay/etc/bf/init.d/22-ssl-init
diff --git a/overlay/etc/bf/templates/ssl-intermediate.conf.esh b/overlay/etc/bf/templates/ssl-intermediate.conf.esh
@@ -0,0 +1,13 @@
+#======================================================================================================================
+# SSL
+# Using Mozilla's SSL Configuration Generator with 'Intermediate' settings - https://ssl-config.mozilla.org/
+#======================================================================================================================
+
+ssl_protocols                   TLSv1.2 TLSv1.3;
+ssl_ciphers                     ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers       off;
+ssl_session_timeout             1d;
+ssl_session_cache               shared:MozSSL:10m;
+ssl_session_tickets             off;
+ssl_stapling                    on;
+ssl_stapling_verify             on;
diff --git a/overlay/etc/bf/templates/ssl-modern.conf.esh b/overlay/etc/bf/templates/ssl-modern.conf.esh
@@ -0,0 +1,12 @@
+#======================================================================================================================
+# SSL
+# Using Mozilla's SSL Configuration Generator with 'Modern' settings - https://ssl-config.mozilla.org/
+#======================================================================================================================
+
+ssl_protocols                   TLSv1.3;
+ssl_prefer_server_ciphers       off;
+ssl_session_timeout             1d;
+ssl_session_cache               shared:MozSSL:10m;
+ssl_session_tickets             off;
+ssl_stapling                    on;
+ssl_stapling_verify             on;