From 3c5843264ef87ee3c0a31f79f68bc12a9fd635f2 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 26 Nov 2014 23:53:35 +0100
Subject: [PATCH 1/3] Switch to official nginx base-image.

This changes the base-image to the official nginx image, reducing the virtual size of the image by approx 50%.

Signed-off-by: Sebastiaan van Stijn
---
 Dockerfile | 11 +++--------
 Procfile | 2 +-
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4186212..718a735 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,10 @@
-FROM ubuntu:14.04
+FROM nginx:1.7
 MAINTAINER Jason Wilder jwilder@litl.com
-# Install Nginx.
-RUN echo "deb http://ppa.launchpad.net/nginx/stable/ubuntu trusty main" > /etc/apt/sources.list.d/nginx-stable-trusty.list \
- && echo "deb-src http://ppa.launchpad.net/nginx/stable/ubuntu trusty main" >> /etc/apt/sources.list.d/nginx-stable-trusty.list \
- && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C300EE8C \
- && apt-get update \
+# Install wget and install/updates certificates
+RUN apt-get update \
 && apt-get install -y -q --no-install-recommends \
 ca-certificates \
- nginx \
 wget \
 && apt-get clean \
 && rm -r /var/lib/apt/lists/*
@@ -30,7 +26,6 @@ RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VER
 COPY . /app/
 WORKDIR /app/
-EXPOSE 80 443
 ENV DOCKER_HOST unix:///tmp/docker.sock
 VOLUME ["/etc/nginx/certs"]
diff --git a/Procfile b/Procfile
index 7a22293..8547156 100644
--- a/Procfile
+++ b/Procfile
@@ -1,2 +1,2 @@
 nginx: nginx
-dockergen: docker-gen -watch -only-exposed -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/sites-enabled/default
+dockergen: docker-gen -watch -only-exposed -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf
From 080a5157e6b1de3637e339a7cf54105f0316cfa7 Mon Sep 17 00:00:00 2001
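Review bot: `FROM nginx:1.7` on the new side of the first Dockerfile hunk is a floating minor tag, so the nginx build this proxy ships with changes underneath the image until it is pinned; PATCH 3/3 in this series does pin it to `nginx:1.7.7`, and that pin belongs with the base-image switch itself so that no intermediate build floats. The removed lines fetched the PPA signing key explicitly, whereas the new side inherits whatever nginx build the upstream image carries, so the trust anchor for the nginx binary has moved to the image publisher, which deserves a sentence in the commit message. The new comment also reads awkwardly; `# Install wget and the CA certificate bundle (presumably needed for the https download of docker-gen further down)` says what the layer is for, the download being the `RUN wget https://github.com/jwilder/docker-gen/...` line visible in the second hunk's header.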
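Review bot: Removing `EXPOSE 80 443` in the second Dockerfile hunk leaves this file with no statement of the ports the proxy serves; presumably the official nginx base image declares them, but that is invisible to a reader of this Dockerfile and to tooling that inspects only it. A comment at the removed spot, `# ports 80 and 443 are EXPOSEd by the nginx base image`, keeps the contract visible, and if the base image turns out not to declare 443 the original line should stay. The `ENV DOCKER_HOST` and `VOLUME` lines around it are unchanged context.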
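Review bot: The new `dockergen:` line writes the rendered template to `/etc/nginx/conf.d/default.conf`, which the official nginx image ships with its own stock server block, while `nginx: nginx` on the line above is started by the same Procfile with no ordering between the two, so until docker-gen's first render nginx appears to serve the stock default rather than the proxy configuration. Whether that window matters depends on how the process manager sequences startup and on the `-notify "nginx -s reload"` catching up, neither of which is visible here. A line in the README stating that the base image's `default.conf` is intentionally overwritten on the first render would make the behaviour explicit for operators who find the stock page during startup.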
From: Jason Wilder
Date: Wed, 3 Dec 2014 11:06:11 -0700
Subject: [PATCH 2/3] Remove OCSP stapling

Looks like it was not actually working before and failing silently because ssl_trusted_certificate was not specified. Will need to revisit implementing this functionality so removing it for now to prevent the warnings logged by nginx now.
---
 README.md | 2 +-
 nginx.tmpl | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 6a27951..e520322 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ and `CERT_NAME=shared` will then use this shared cert.
 The SSL cipher configuration is based on [mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
-Windows XP IE8, Android 2.3, Java 7. The configuration also enables OCSP stapling, HSTS, and SSL
+Windows XP IE8, Android 2.3, Java 7. The configuration also enables HSTS, and SSL
 session caches. The behavior for the proxy when port 80 and 443 are exposed is as follows:
diff --git a/nginx.tmpl b/nginx.tmpl
index 3de1843..3aa28f4 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -96,8 +96,6 @@ server {
 ssl_prefer_server_ciphers on;
 ssl_session_timeout 5m;
 ssl_session_cache shared:SSL:50m;
- ssl_stapling on;
- ssl_stapling_verify on;
 ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
 ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
From db924dba769508cfb48edf9a7ec5e774537b2abf Mon Sep 17 00:00:00 2001
From: Jason Wilder
Date: Wed, 3 Dec 2014 11:12:01 -0700
Subject: [PATCH 3/3] Use nginx:1.7.7

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 718a735..fdd5c82 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM nginx:1.7
+FROM nginx:1.7.7
 MAINTAINER Jason Wilder jwilder@litl.com
 # Install wget and install/updates certificates
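Review bot: Dropping `ssl_stapling on;` and `ssl_stapling_verify on;` from the template turns stapling off for every HTTPS vhost instead of supplying the missing `ssl_trusted_certificate` the commit message identifies as the cause, and nothing in the template records why, so a later maintainer is likely to re-add the two directives and hit the same warning. A one-line comment at the removed spot, `# OCSP stapling intentionally disabled: it needs ssl_trusted_certificate set to the issuer chain, which is not provided here`, would preserve the reasoning from the commit message where the next edit will actually happen. The enclosing `server {` block starts and ends outside the hunk, so whether a chain file could be derived from `$cert` alongside the `.crt`/`.key` pair is not visible here.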