From dfa038c263d80344e593c1f1f6c1180b07d4a6d9 Mon Sep 17 00:00:00 2001
From: Chris Johnson
Date: Mon, 8 Aug 2016 17:24:09 -0400
Subject: [PATCH 1/3] Enable TLS for nginx within the local development process
- generate a one off certificate & key for our developmnent server
- ensure the cert & key are reasonably secure
- update the nginx config file to implement TLS
---
 containers/nginx/Dockerfile.dev | 6 ++++++
 containers/nginx/conf/nginx.dev.conf | 12 +++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/containers/nginx/Dockerfile.dev b/containers/nginx/Dockerfile.dev
index e7c2dac1b3..06021a647c 100644
--- a/containers/nginx/Dockerfile.dev
+++ b/containers/nginx/Dockerfile.dev
@@ -1,5 +1,11 @@
 FROM nginx
+RUN mkdir -p /etc/secrets/ && \
+ openssl req -batch -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /etc/secrets/server.key -out /etc/secrets/server.crt && \
+ chmod 0600 /etc/secrets && \
+ chmod 0600 /etc/secrets/server.key && \
+ chmod 0600 /etc/secrets/server.crt
+
 COPY ./conf/nginx.dev.conf /etc/nginx/nginx.conf
 EXPOSE 80 443
diff --git a/containers/nginx/conf/nginx.dev.conf b/containers/nginx/conf/nginx.dev.conf
index 1e8b7cf92c..2aa683adc9 100644
--- a/containers/nginx/conf/nginx.dev.conf
+++ b/containers/nginx/conf/nginx.dev.conf
@@ -14,7 +14,7 @@ http {
 include mime.types;
 default_type application/octet-stream;
- keepalive_timeout 65;
+ keepalive_timeout 70;
 proxy_read_timeout 200;
 sendfile off;
 tcp_nopush on;
@@ -33,8 +33,18 @@ http {
 '' close;
 }
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
 server {
 listen 80;
+ listen 443 ssl;
+
+ ssl_certificate /etc/secrets/server.crt;
+ ssl_certificate_key /etc/secrets/server.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
 client_max_body_size 50M;
 location /pp/ {
From 4a9b2038394ad3e599be043235ade7d8e3fefbeb Mon Sep 17 00:00:00 2001
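Review bot: The private key is created during `docker build`, so it lands in an image layer and travels with every copy of the image; the `chmod 0600` lines in this hunk limit who can read it inside a running container, not who can extract it from the image. For a dev-only image that may be acceptable, but generating the pair in an entrypoint at container start, or mounting it as a volume, keeps it out of the layer entirely. `chmod 0600 /etc/secrets` on a directory clears the search bit; root still traverses it, but `chmod 0700 /etc/secrets` is the conventional mode and avoids surprises if nginx is ever run unprivileged. `openssl req -batch` with no `-subj` takes the subject from the default OpenSSL config, so adding `-subj '/CN=localhost'` would give the dev certificate a name a browser can at least match.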
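Review bot: The `keepalive_timeout 65;` → `keepalive_timeout 70;` change is unrelated to TLS and the commit message does not mention it; the identical edit appears in nginx.HCP.conf (patch 2) and ci/nginx.conf.HCP (patch 3). A short comment on the directive stating why 70 was chosen, or a line in the commit message, would stop the next reader from guessing whether it was deliberate. The http block continues outside the hunk.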
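Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, both since deprecated by RFC 8996, and `ssl_ciphers HIGH:!aNULL:!MD5;` still admits static-RSA key exchange (no forward secrecy) and 3DES; the same two lines are added to nginx.HCP.conf (patch 2) and ci/nginx.conf.HCP (patch 3), where they matter more than in a dev config. Suggested replacement: `ssl_protocols TLSv1.2;`, `ssl_ciphers HIGH:!aNULL:!MD5:!3DES:!kRSA;` and, next to them, `ssl_prefer_server_ciphers on;` so the server's ordering wins. The server block continues outside the hunk.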
From: Chris Johnson
Date: Mon, 8 Aug 2016 17:32:07 -0400
Subject: [PATCH 2/3] Update the HCP nginx conf file for TLS
---
 containers/nginx/conf/nginx.HCP.conf | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/containers/nginx/conf/nginx.HCP.conf b/containers/nginx/conf/nginx.HCP.conf
index e0f4045f2c..41e7aaa3b4 100644
--- a/containers/nginx/conf/nginx.HCP.conf
+++ b/containers/nginx/conf/nginx.HCP.conf
@@ -14,7 +14,7 @@ http {
 include mime.types;
 default_type application/octet-stream;
- keepalive_timeout 65;
+ keepalive_timeout 70;
 proxy_read_timeout 200;
 sendfile off;
 tcp_nopush on;
@@ -33,8 +33,18 @@ http {
 '' close;
 }
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
 server {
 listen 80;
+ listen 443 ssl;
+
+ ssl_certificate /etc/secrets/console-cert;
+ ssl_certificate_key /etc/secrets/console-cert-key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
 client_max_body_size 50M;
 location /pp/ {
From 901bc425d8a46f6aa4748316b081520cda47faa5 Mon Sep 17 00:00:00 2001
From: Chris Johnson
Date: Thu, 11 Aug 2016 12:58:41 -0400
Subject: [PATCH 3/3] Missed the one in the CI folder
---
 ci/nginx.conf.HCP | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/ci/nginx.conf.HCP b/ci/nginx.conf.HCP
index e0f4045f2c..41e7aaa3b4 100644
--- a/ci/nginx.conf.HCP
+++ b/ci/nginx.conf.HCP
@@ -14,7 +14,7 @@ http {
 include mime.types;
 default_type application/octet-stream;
- keepalive_timeout 65;
+ keepalive_timeout 70;
 proxy_read_timeout 200;
 sendfile off;
 tcp_nopush on;
@@ -33,8 +33,18 @@ http {
 '' close;
 }
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
 server {
 listen 80;
+ listen 443 ssl;
+
+ ssl_certificate /etc/secrets/console-cert;
+ ssl_certificate_key /etc/secrets/console-cert-key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
 client_max_body_size 50M;
 location /pp/ {
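Review bot: Port 80 keeps serving the full site next to the new `listen 443 ssl;`, so a client that arrives over plain HTTP is never moved to TLS. If the HCP deployment is meant to be TLS-only, split the listeners into a redirect block such as `server { listen 80; return 301 https://$host$request_uri; }` and an HTTPS block that keeps the proxy locations; if port 80 must stay open for load-balancer health checks, a comment saying so next to `listen 80;` would settle it for the next reviewer. `/etc/secrets/console-cert` and `/etc/secrets/console-cert-key` are referenced but nothing in this series creates them; presumably the platform mounts them, and since nginx refuses to start when they are missing, that expectation deserves a comment at the `ssl_certificate` line. The server block continues outside the hunk.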
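Review bot: `ci/nginx.conf.HCP` is a byte-for-byte copy of `containers/nginx/conf/nginx.HCP.conf` — both `index` lines carry the same blob ids `e0f4045f2c..41e7aaa3b4` — and the subject "Missed the one in the CI folder" shows the two have already drifted once. Keeping one canonical file and having the CI step copy or symlink it would remove the duplicate, so a TLS change cannot land in one config and not the other. Until then, a header comment in each file naming its twin, e.g. `# keep in sync with containers/nginx/conf/nginx.HCP.conf`, at least makes the coupling visible. The server block continues outside the hunk.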