add Diffie-Hellman Parameters to cipher suites

2025-04-26 09:02:27 +00:00 · 2024-12-21 21:05:09 +03:30 · 2024-12-21 21:05:09 +03:30 · f68c1b7c29
commit f68c1b7c29
parent 32e0784865
4 changed files with 21 additions and 2 deletions
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -53,9 +53,11 @@ COPY --from=testca /home/step/certs/root_ca.crt /etc/ssl/certs/NginxProxyManager
 # Remove frontend service not required for prod, dev nginx config as well
 RUN rm -rf /etc/s6-overlay/s6-rc.d/user/contents.d/frontend /etc/nginx/conf.d/dev.conf \
 	&& chmod 644 /etc/logrotate.d/nginx-proxy-manager
 COPY start-container /usr/local/bin/start-container
 RUN chmod +x /usr/local/bin/start-container
 VOLUME [ "/data" ]
-ENTRYPOINT [ "/init" ]
+ENTRYPOINT [ "start-container" ]
 LABEL org.label-schema.schema-version="1.0" \
 	org.label-schema.license="MIT" \
--- a/docker/dev/Dockerfile
+++ b/docker/dev/Dockerfile
@ -35,5 +35,8 @@ RUN rm -f /etc/nginx/conf.d/production.conf \
 COPY --from=pebbleca /test/certs/pebble.minica.pem /etc/ssl/certs/pebble.minica.pem
 COPY --from=testca /home/step/certs/root_ca.crt /etc/ssl/certs/NginxProxyManager.crt
 COPY start-container /usr/local/bin/start-container
 RUN chmod +x /usr/local/bin/start-container
 EXPOSE 80 81 443
-ENTRYPOINT [ "/init" ]
+ENTRYPOINT [ "start-container" ]
--- a/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
@ -6,3 +6,4 @@ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers "ALL:RC4-SHA:AES128-SHA:AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES128-GCM-SHA256:RSA-AES256-CBC-SHA:RC4-MD5:DES-CBC3-SHA:AES256-SHA:RC4-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 ssl_prefer_server_ciphers off;
 ssl_ecdh_curve X25519:prime256v1:secp384r1;
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
--- a/docker/start-container
+++ b/docker/start-container
@ -0,0 +1,13 @@
 #!/usr/bin/env bash
 FILE="/etc/ssl/certs/dhparam.pem"
 if [ ! -f "$FILE" ]; then
    echo "the $FILE does not exist, creating..."
    openssl dhparam -out "$FILE" 2048
 else
    echo "the $FILE already exists, skipping..."
 fi
 echo "run default script"
 exec /init