From 711f42d411a03c59a3fd253da60186419ada2ee0 Mon Sep 17 00:00:00 2001
From: "Benjamin W. Broersma"
Date: Sat, 4 Oct 2025 04:23:14 +0200
Subject: [PATCH 1/7] Add post-quantum hybrid ECDHE-MLKEM for TLSv1.3

---
docker/compose.development.yaml | 2 +-
docker/compose.integration-tests.yaml | 6 +++---
docker/compose.yaml | 2 +-
docker/webserver.Dockerfile | 11 ++++++-----
docker/webserver/nginx_templates/app.conf.template | 1 +
5 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/docker/compose.development.yaml b/docker/compose.development.yaml
index 34d43da26..d997381ef 100644
--- a/docker/compose.development.yaml
+++ b/docker/compose.development.yaml
@@ -1,7 +1,7 @@
services:
# terminate tls so we don't need to have exceptions in the nginx config file for development
port-expose:
- image: nginx:1.27.3-alpine
+ image: nginx:1.29.1-alpine3.22
networks:
- public-internet
- internal
diff --git a/docker/compose.integration-tests.yaml b/docker/compose.integration-tests.yaml
index 35825ac8c..b1084a3e6 100644
--- a/docker/compose.integration-tests.yaml
+++ b/docker/compose.integration-tests.yaml
@@ -4,7 +4,7 @@ services:
# from the internal network to the outside
# also terminate tls so we don't need to have exceptions in the nginx config file for development
port-expose:
- image: nginx:1.27.3-alpine
+ image: nginx:1.29.1-alpine3.22
networks:
- public-internet
- port-expose
@@ -96,7 +96,7 @@ services:
- $RABBITMQ_GUI
test-target:
- image: nginx:1.27.3-alpine
+ image: nginx:1.29.1-alpine3.22
networks:
public-internet:
@@ -137,7 +137,7 @@ services:
MH_SMTP_BIND_ADDR: 0.0.0.0:25
static:
- image: nginx:1.27.3-alpine
+ image: nginx:1.29.1-alpine3.22
restart: unless-stopped
diff --git a/docker/compose.yaml b/docker/compose.yaml
index ecc66f4c6..999a865e3 100644
--- a/docker/compose.yaml
+++ b/docker/compose.yaml
@@ -59,7 +59,7 @@ services:
- nginx-logs-exporter:/var/log/nginx/prometheus-nginxlog-exporter/
healthcheck:
- test: ["CMD", "service", "nginx", "status"]
+ test: ["CMD", "curl", "-kfsSo/dev/null", "https://$INTERNETNL_DOMAINNAME", "--resolve", "$INTERNETNL_DOMAINNAME:443:127.0.0.1"]
interval: $HEALTHCHECK_INTERVAL
start_interval: $HEALTHCHECK_START_INTERVAL
start_period: 1m
diff --git a/docker/webserver.Dockerfile b/docker/webserver.Dockerfile
index cc4728625..eed6ae911 100644
--- a/docker/webserver.Dockerfile
+++ b/docker/webserver.Dockerfile
@@ -1,11 +1,12 @@
-FROM nginx:1.27.3
+FROM nginx:1.29.1-alpine3.22
-RUN apt-get update && apt-get install -y \
+RUN apk add \
+ # for random quic host key
+ openssl \
# for htpasswd
apache2-utils \
- # for gixy install
- python3-venv \
- && rm -rf /var/lib/apt/lists/*
+ # for gixy and certbot install
+ python3
# install nginx config static analysis tool
RUN python3 -m venv /opt/gixy
diff --git a/docker/webserver/nginx_templates/app.conf.template b/docker/webserver/nginx_templates/app.conf.template
index e091882b9..cf85f8ec7 100644
--- a/docker/webserver/nginx_templates/app.conf.template
+++ b/docker/webserver/nginx_templates/app.conf.template
@@ -37,6 +37,7 @@ ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+ssl_ecdh_curve SecP384r1MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:secp521r1:brainpoolP512r1:x448:brainpoolP384r1:secp384r1:x25519:secp256r1:brainpoolP256r1;
http2 on;
http3 on;

From c1a648e2a22440bbfd481007975b54d4c859467d Mon Sep 17 00:00:00 2001
From: "Benjamin W. Broersma"
Date: Sat, 4 Oct 2025 13:34:44 +0200
Subject: [PATCH 2/7] Fix CI/CD collect correct env=batch-test logs

---
.github/workflows/docker.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

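Review bot: The new healthcheck on the `test:` line passes `-k`, so an expired or mismatched certificate for $INTERNETNL_DOMAINNAME is never noticed; the container counts as healthy as long as nginx completes a TLS handshake on 127.0.0.1. That is a defensible trade-off for a liveness probe pinned with `--resolve`, but it should be stated so nobody reads this as certificate monitoring, e.g. `# -k: liveness probe only, certificate validity is checked elsewhere`. The probe also assumes `curl` exists in the webserver image; the Dockerfile hunk of this commit installs openssl, apache2-utils and python3 but not curl, so this presumably relies on the nginx alpine base image shipping it, which is worth confirming against the pinned tag before the check is trusted in production.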
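Review bot: The hybrid groups `X25519MLKEM768`, `SecP256r1MLKEM768` and `SecP384r1MLKEM1024` on the added `ssl_ecdh_curve` line are only known to an OpenSSL that implements ML-KEM (3.5 and later); with an older libssl the group list is rejected and nginx refuses the whole configuration at startup, which is presumably why this commit also moves the image to nginx:1.29.1-alpine3.22. That dependency is not recorded anywhere near the directive, so a comment would protect the next base-image change, e.g. `# hybrid ML-KEM groups require OpenSSL >= 3.5; nginx -t fails on older libssl`. The list is moved to tls.conf.template later in this series, so the comment should travel with it.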
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 8eff4292f..4eb47ee76 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -725,7 +725,7 @@ jobs:
- name: Collect Docker Compose logs
if: always()
- run: make logs-all-dump env=test > docker-compose.log
+ run: make logs-all-dump env=batch-test > docker-compose.log
- uses: test-summary/action@v2.3
with:

From 224959e7a1691085c91c1f7299e22be8c14937c0 Mon Sep 17 00:00:00 2001
From: "Benjamin W. Broersma"
Date: Sat, 4 Oct 2025 16:06:04 +0200
Subject: [PATCH 3/7] Removed -f flag

---
docker/compose.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/compose.yaml b/docker/compose.yaml
index 999a865e3..989543bf9 100644
--- a/docker/compose.yaml
+++ b/docker/compose.yaml
@@ -59,7 +59,7 @@ services:
- nginx-logs-exporter:/var/log/nginx/prometheus-nginxlog-exporter/
healthcheck:
- test: ["CMD", "curl", "-kfsSo/dev/null", "https://$INTERNETNL_DOMAINNAME", "--resolve", "$INTERNETNL_DOMAINNAME:443:127.0.0.1"]
+ test: ["CMD", "curl", "-ksSo/dev/null", "https://$INTERNETNL_DOMAINNAME", "--resolve", "$INTERNETNL_DOMAINNAME:443:127.0.0.1"]
interval: $HEALTHCHECK_INTERVAL
start_interval: $HEALTHCHECK_START_INTERVAL
start_period: 1m

From 71be444092b575916bfbcba1d3c7ceaf4ef28cac Mon Sep 17 00:00:00 2001
From: "Benjamin W. Broersma"
Date: Sat, 4 Oct 2025 17:17:41 +0200
Subject: [PATCH 4/7] Rewrite 'service nginx reload' to 'nginx -s reload'

grep -Rl "service nginx reload" | xargs sed -ir 's/service nginx reload/nginx -s reload/'
make fix
---
integration_tests/conftest.py | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/integration_tests/conftest.py b/integration_tests/conftest.py
index 91df39499..3fd6ff29d 100644
--- a/integration_tests/conftest.py
+++ b/integration_tests/conftest.py
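Review bot: Dropping `-f` from the curl healthcheck means an HTTP error status no longer fails the probe, so a 5xx from nginx (for example when the upstream application is unreachable) now counts as healthy and only a refused connection or failed TLS handshake marks the container unhealthy. If that is the intent — a liveness check of nginx itself rather than of the site — the commit message does not say so, and a comment on the `test:` line would stop someone from putting `-f` back, e.g. `# no -f: nginx liveness only; upstream errors must not make Compose restart the webserver`. If `-f` was removed because `/` answers with a non-2xx status for this request, probing a path that returns 200 and keeping `-f` would retain the stronger check.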
@@ -187,8 +187,7 @@ def register_test_user(unique_id):
# reload nginx
command = (
- f'docker compose --ansi=never --project-name "{COMPOSE_PROJECT_NAME}"'
- " exec webserver service nginx reload"
+ f'docker compose --ansi=never --project-name "{COMPOSE_PROJECT_NAME}"' " exec webserver nginx -s reload"
)
subprocess.check_call(command, shell=True, universal_newlines=True)

From eb05457fad4398077da5aa16004d6043286b8521 Mon Sep 17 00:00:00 2001
From: "Benjamin W. Broersma"
Date: Sun, 5 Oct 2025 13:51:44 +0200
Subject: [PATCH 5/7] Optimize size with apk add --no-cache

---
docker/webserver.Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/webserver.Dockerfile b/docker/webserver.Dockerfile
index eed6ae911..63c4edeea 100644
--- a/docker/webserver.Dockerfile
+++ b/docker/webserver.Dockerfile
@@ -1,6 +1,6 @@
FROM nginx:1.29.1-alpine3.22
-RUN apk add \
+RUN apk add --no-cache \
# for random quic host key
openssl \
# for htpasswd

From a67fb48c7d63d78f7add09849319148fb0a70936 Mon Sep 17 00:00:00 2001
From: "Benjamin W. Broersma"
Date: Thu, 9 Oct 2025 19:51:31 +0200
Subject: [PATCH 6/7] Fixes #1884 by overwriting default localhost

---
.../nginx_templates/{app.conf.template => default.conf.template} | 0
.../{letsencrypt.conf.template => tls.conf.template} | 0
2 files changed, 0 insertions(+), 0 deletions(-)
rename docker/webserver/nginx_templates/{app.conf.template => default.conf.template} (100%)
rename docker/webserver/nginx_templates/{letsencrypt.conf.template => tls.conf.template} (100%)

diff --git a/docker/webserver/nginx_templates/app.conf.template b/docker/webserver/nginx_templates/default.conf.template
similarity index 100%
rename from docker/webserver/nginx_templates/app.conf.template
rename to docker/webserver/nginx_templates/default.conf.template
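Review bot: The rewritten `command` keeps two adjacent string literals on one line, `f'…"{COMPOSE_PROJECT_NAME}"' " exec webserver nginx -s reload"`, which is what the sed rewrite plus the formatter produced but reads like a leftover; merge them into one literal, `f'docker compose --ansi=never --project-name "{COMPOSE_PROJECT_NAME}" exec webserver nginx -s reload'`. Because the call below uses `shell=True`, `COMPOSE_PROJECT_NAME` is interpolated into a shell command line; that predates this commit, but the same invocation as an argument list, `subprocess.check_call(["docker", "compose", "--ansi=never", "--project-name", COMPOSE_PROJECT_NAME, "exec", "webserver", "nginx", "-s", "reload"], universal_newlines=True)`, would drop both the shell and the hand-written quoting. `register_test_user` begins before this hunk and its body may continue after it.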
diff --git a/docker/webserver/nginx_templates/letsencrypt.conf.template b/docker/webserver/nginx_templates/tls.conf.template
similarity index 100%
rename from docker/webserver/nginx_templates/letsencrypt.conf.template
rename to docker/webserver/nginx_templates/tls.conf.template

From 1ba07ae72dae3c40e2e74352f9304622efc663fe Mon Sep 17 00:00:00 2001
From: "Benjamin W. Broersma"
Date: Thu, 9 Oct 2025 19:54:16 +0200
Subject: [PATCH 7/7] Fixes #1791 by comment out OCSP stapling config

- Comment out OCSP stapling.
- Move almost all ssl_ config to one file since OCSP config is also linked to certificate. This makes it easier to include this ssl config in a mail-block for a DRY config.
- Change from OpenSSL to IANA cipher naming.
---
docker/webserver/nginx_templates/default.conf.template | 7 -------
docker/webserver/nginx_templates/tls.conf.template | 6 ++++++
2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/docker/webserver/nginx_templates/default.conf.template b/docker/webserver/nginx_templates/default.conf.template
index cf85f8ec7..0565cffa2 100644
--- a/docker/webserver/nginx_templates/default.conf.template
+++ b/docker/webserver/nginx_templates/default.conf.template
@@ -32,13 +32,6 @@ resolver 127.0.0.11 ipv6=off valid=5s;
root /var/www/internet.nl;
-# enable OSCP stapling
-ssl_stapling on;
-ssl_stapling_verify on;
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
-ssl_ecdh_curve SecP384r1MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:secp521r1:brainpoolP512r1:x448:brainpoolP384r1:secp384r1:x25519:secp256r1:brainpoolP256r1;
-
http2 on;
http3 on;
quic_gso on;
diff --git a/docker/webserver/nginx_templates/tls.conf.template b/docker/webserver/nginx_templates/tls.conf.template
index ce3f174b4..8a52fea0f 100644
--- a/docker/webserver/nginx_templates/tls.conf.template
+++ b/docker/webserver/nginx_templates/tls.conf.template
@@ -1,2 +1,8 @@
+# If certificate has OCSP, enable the ssl_stapling
+#ssl_stapling on;
+#ssl_stapling_verify on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
+ssl_ecdh_curve SecP384r1MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:secp521r1:brainpoolP512r1:x448:brainpoolP384r1:secp384r1:x25519:secp256r1:brainpoolP256r1;
ssl_certificate /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/privkey.pem;
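Review bot: The order of the new `ssl_ciphers` and `ssl_ecdh_curve` lists only expresses a server preference when `ssl_prefer_server_ciphers on` is in effect; nginx defaults it to off, and as far as I can tell OpenSSL uses the same flag to decide whose order wins for the key-exchange group, so as written both lists behave as allow-lists and the client's order decides. That directive is neither in this hunk nor among the lines removed from default.conf.template, so either add `ssl_prefer_server_ciphers on;` next to `ssl_protocols` or record in a comment that client preference is intended. The cipher list now uses IANA names; recent OpenSSL releases accept them in a cipher string, but since a rejected list aborts config load this is worth confirming with `nginx -t` against the libssl in the image. The commented stapling lines would also read better with the reason attached, e.g. `# OCSP stapling off, see #1791: enable only when the certificate carries an OCSP responder URL`, since `#ssl_stapling_verify on;` has no effect while `ssl_stapling` itself is off.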