Update nginx.conf (#1082)

* Update nginx.conf My propose is to use only TLS v1,2 and 1,3 with cipher suite recommended by https://wiki.mozilla.org/Security/Server_Side_TLS. * Update using https://ssl-config.mozilla.org/ * Update Alpine 3.11 * Update config.json * Update CHANGELOG.md * Update run.sh Co-authored-by: Pascal Vizeli <pascal.vizeli@syshack.ch>
2026-01-31 18:55:32 +01:00 · 2020-02-21 13:20:24 +01:00
parent 5650ceaa16
commit 54afd77178
5 changed files with 20 additions and 11 deletions
--- a/nginx_proxy/CHANGELOG.md
+++ b/nginx_proxy/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog

+## 3.0
+
+- Update Alpine to 3.11
+- Use mozilla Recommended SSL settings
+
 ## 2.6

 - Remove ipv6 listener because we run only inside virtual network on a ipv4 range
--- a/nginx_proxy/build.json
+++ b/nginx_proxy/build.json
@@ -1,9 +1,9 @@
 {
  "build_from": {
-    "aarch64": "homeassistant/aarch64-base:3.10",
-    "amd64": "homeassistant/amd64-base:3.10",
-    "armhf": "homeassistant/armhf-base:3.10",
-    "armv7": "homeassistant/armv7-base:3.10",
-    "i386": "homeassistant/i386-base:3.10"
+    "aarch64": "homeassistant/aarch64-base:3.11",
+    "amd64": "homeassistant/amd64-base:3.11",
+    "armhf": "homeassistant/armhf-base:3.11",
+    "armv7": "homeassistant/armv7-base:3.11",
+    "i386": "homeassistant/i386-base:3.11"
  }
 }
--- a/nginx_proxy/config.json
+++ b/nginx_proxy/config.json
@@ -1,6 +1,6 @@
 {
  "name": "NGINX Home Assistant SSL proxy",
-  "version": "2.6",
+  "version": "3.0",
  "slug": "nginx_proxy",
  "description": "An SSL/TLS proxy",
  "url": "https://github.com/home-assistant/hassio-addons/tree/master/nginx_proxy",
--- a/nginx_proxy/data/nginx.conf
+++ b/nginx_proxy/data/nginx.conf
@@ -36,6 +36,9 @@ http {
    server {
        server_name %%DOMAIN%%;

+        ssl_session_timeout 1d;
+        ssl_session_cache shared:MozSSL:10m;
+        ssl_session_tickets off;
        ssl_certificate /ssl/%%FULLCHAIN%%;
        ssl_certificate_key /ssl/%%PRIVKEY%%;

@@ -44,10 +47,11 @@ http {

        listen 443 ssl http2;
        %%HSTS%%
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-        ssl_prefer_server_ciphers on;
-        ssl_session_cache shared:SSL:10m;
+        
+        # intermediate configuration
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+        ssl_prefer_server_ciphers off;

        proxy_buffering off;

--- a/nginx_proxy/data/run.sh
+++ b/nginx_proxy/data/run.sh
@@ -53,7 +53,7 @@ sed -i "s/%%FULLCHAIN%%/$CERTFILE/g" /etc/nginx.conf
 sed -i "s/%%PRIVKEY%%/$KEYFILE/g" /etc/nginx.conf
 sed -i "s/%%DOMAIN%%/$DOMAIN/g" /etc/nginx.conf

-[ -n "$HSTS" ] && HSTS="add_header Strict-Transport-Security \"$HSTS\";"
+[ -n "$HSTS" ] && HSTS="add_header Strict-Transport-Security \"$HSTS\" always;"
 sed -i "s/%%HSTS%%/$HSTS/g" /etc/nginx.conf

 # Allow customize configs from share