diff --git a/root/defaults/nginx/dhparams.pem b/root/defaults/nginx/dhparams.pem
deleted file mode 100644
index eed4c41..0000000
--- a/root/defaults/nginx/dhparams.pem
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
-7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
-nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
-8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
-iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
-zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
------END DH PARAMETERS-----
\ No newline at end of file
diff --git a/root/defaults/nginx/nginx.conf.sample b/root/defaults/nginx/nginx.conf.sample
index 0f07946..8a43ad0 100644
--- a/root/defaults/nginx/nginx.conf.sample
+++ b/root/defaults/nginx/nginx.conf.sample
@@ -34,7 +34,7 @@ http {
 # Name servers used to resolve names of upstream servers into addresses.
 # It's also needed when using tcpsocket and udpsocket in Lua modules.
-#resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+#resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
 include /config/nginx/resolver.conf;
 # Don't tell nginx version to the clients. Default is 'on'.
diff --git a/root/defaults/nginx/ssl.conf.sample b/root/defaults/nginx/ssl.conf.sample
index 6eed2cd..b03cd69 100644
--- a/root/defaults/nginx/ssl.conf.sample
+++ b/root/defaults/nginx/ssl.conf.sample
@@ -1,34 +1,36 @@
-## Version 2025/12/26 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/ssl.conf.sample
-
-### Mozilla Recommendations
-# generated 2025-12-26, Mozilla Guideline v5.7, nginx 1.28.0, OpenSSL 3.5.4, intermediate config, no OCSP
-# https://ssl-config.mozilla.org/#server=nginx&version=1.28&config=intermediate&openssl=3.5.4&ocsp=false&guideline=5.7
+## Version 2026/05/04 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/ssl.conf.sample
 ssl_certificate /config/keys/cert.crt;
 ssl_certificate_key /config/keys/cert.key;
-ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
-ssl_session_tickets off;
-# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
-ssl_dhparam /config/nginx/dhparams.pem;
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+### Mozilla SSL Configuration Generator
+# generated 2026-05-04, Mozilla Guideline v6.0, nginx 1.28.3, OpenSSL 3.5.6, intermediate config, HSTS
+# https://ssl-config.mozilla.org/#server=nginx&version=1.28.3&config=intermediate&openssl=3.5.6&hsts&guideline=6.0
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ecdh_curve X25519:prime256v1:secp384r1;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;
-# HSTS (ngx_http_headers_module is required) (63072000 seconds)
-#add_header Strict-Transport-Security "max-age=63072000" always;
+# see also ssl_session_ticket_key alternative to stateful session cache
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
-# Optional additional headers
-#add_header Cache-Control "no-transform" always;
-#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
-#add_header Permissions-Policy "interest-cohort=()" always;
+### Mozilla Practical security implementation
+# https://developer.mozilla.org/en-US/docs/Web/Security
+#add_header Access-Control-Allow-Origin $http_origin always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;
+#add_header Cross-Origin-Resource-Policy "same-origin" always;
 #add_header Referrer-Policy "same-origin" always;
 #add_header X-Content-Type-Options "nosniff" always;
 #add_header X-Frame-Options "SAMEORIGIN" always;
-#add_header X-UA-Compatible "IE=Edge" always;
-#add_header X-XSS-Protection "1; mode=block" always;
+
+### Optional additional headers
 #add_header Alt-Svc 'h3=":443"' always;
+#add_header Cache-Control "no-transform" always;
+#add_header Permissions-Policy "interest-cohort=()" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;
\ No newline at end of file
diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx/run b/root/etc/s6-overlay/s6-rc.d/init-nginx/run
index 9e3ac52..bda59ab 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-nginx/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-nginx/run
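Review bot: The new commented-out `#add_header Access-Control-Allow-Origin $http_origin always;` reflects whatever Origin the client sends, so an operator who uncomments it as-is grants cross-origin read access to every site, and it sits under a heading that reads as a recommendation. Suggest an inline comment beside it, e.g. `# reflects any Origin: replace $http_origin with an explicit allow-list before enabling`, or drop the line from the sample. Two smaller points: the new `ssl_ecdh_curve X25519MLKEM768:...` presumably only loads on an OpenSSL/nginx build that knows that group (the generator comment pins OpenSSL 3.5.6), so an older build would likely refuse to start rather than fall back, which is worth stating in the version comment; and the file now ends without a trailing newline (`\ No newline at end of file` on the last `+` line). Because the init-nginx/run hunk in this commit also stops copying dhparams.pem, an existing /config/nginx/ssl.conf that still carries `ssl_dhparam /config/nginx/dhparams.pem;` keeps working only if that file already exists in the persistent config, so a changelog note for operators migrating would help.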
@@ -34,14 +34,6 @@ if [[ ${INDEX_EXISTS} == false ]] && grep -Eq '^\s*index[^#]*index\.html' /confi
 cp /defaults/www/index.html /config/www/index.html
 fi
-# copy pre-generated dhparams or generate if needed
-if [[ ! -f /config/nginx/dhparams.pem ]]; then
- cp /defaults/nginx/dhparams.pem /config/nginx/dhparams.pem
-fi
-if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
- curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"
-fi
-
 # Set resolver, ignore ipv6 addresses
 touch /config/nginx/resolver.conf
 if ! grep -q 'resolver' /config/nginx/resolver.conf; then