
Using TLSv1.3 #75


Description

@benshalev849

I have been trying for a while to get TLSv1.3 working with this nginx image.
I tried installing OpenSSL 1.1.1 directly into the image with the following Dockerfile lines:

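# Build and install OpenSSL 1.1.1 from source (needed for TLSv1.3 support).
#
# Review notes on the original recipe:
#  - The tarball was fetched with wget and unpacked with no integrity check, so a
#    tampered or truncated download would have been built and installed silently.
#    The expected SHA-256 is now pinned through a build argument and the build
#    fails on mismatch. Take the value from https://www.openssl.org/source/
#    (verifying the release signature published there is better still).
#  - `no-shared` produces only static libcrypto.a/libssl.a. An nginx binary that
#    is dynamically linked against the distro's libssl.so keeps using the old
#    library no matter what is installed here, so installing OpenSSL alone does
#    not enable TLSv1.3. `nginx -V` prints both "built with OpenSSL ..." and
#    "running with OpenSSL ..."; if both still show the distro version, the nginx
#    binary itself has to be (re)built against OpenSSL >= 1.1.1.
#  - The former `ENV LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64` pointed at
#    directories this install never populates (prefix is /usr, libdir is lib, and
#    a static build installs no .so at all); it was misleading and is dropped.
#  - Everything runs in one layer so the source tree and tarball do not persist
#    in the image, and `install_sw` skips the man pages/HTML docs.
#  - OpenSSL 1.1.1 is end-of-life (no security fixes since September 2023); use
#    a currently supported release if the nginx build you link against allows it.
ARG OPENSSL_VERSION=1.1.1k
# SHA-256 of openssl-${OPENSSL_VERSION}.tar.gz as published by the OpenSSL project.
ARG OPENSSL_SHA256
RUN set -eux; \
    test -n "${OPENSSL_SHA256}"; \
    wget -q "https://ftp.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz"; \
    echo "${OPENSSL_SHA256}  openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c -; \
    tar -xzf "openssl-${OPENSSL_VERSION}.tar.gz"; \
    cd "openssl-${OPENSSL_VERSION}"; \
    ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic; \
    make -j"$(nproc)"; \
    make install_sw; \
    cd /; \
    rm -rf "openssl-${OPENSSL_VERSION}" "openssl-${OPENSSL_VERSION}.tar.gz"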

I also tried building on a CentOS 8 base image (which ships OpenSSL 1.1.1), but the controller agent is not compatible with it.

This is the configuration:

# Generated by NGINX Controller 1666183879 [ADC-1533cd2c-7a02-4ed1-9ac6-7a2f7a456004] - instance:pdns-all:unspecified;
# NOTE(review): this file is emitted by the Controller, so hand edits presumably get
# overwritten on the next push; the notes below are observations, not patches.
user nginx;
worker_processes auto;
worker_shutdown_timeout 60s;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
#load_module /etc/nginx/modules/ngx_http_f5_metrics_module.so;
#load_module /etc/nginx/modules/ngx_stream_f5_metrics_module.so;
events {
        # NOTE(review): 8196 looks like a typo for 8192; harmless either way.
        worker_connections 8196;
}
http {
        types {
                text/html html htm shtml;
                text/css css;
                text/xml xml;
                image/gif gif;
                image/jpeg jpeg jpg;
                application/javascript js;
                application/atom+xml atom;
                application/rss+xml rss;
                text/mathml mml;
                text/plain txt;
                text/vnd.sun.j2me.app-descriptor jad;
                text/vnd.wap.wml wml;
                text/x-component htc;
                image/png png;
                image/svg+xml svg svgz;
                image/tiff tif tiff;
                image/vnd.wap.wbmp wbmp;
                image/webp webp;
                image/x-icon ico;
                image/x-jng jng;
                image/x-ms-bmp bmp;
                application/font-woff woff;
                application/java-archive jar war ear;
                application/json json;
                application/mac-binhex40 hqx;
                application/msword doc;
                application/pdf pdf;
                application/postscript ps eps ai;
                application/rtf rtf;
                application/vnd.apple.mpegurl m3u8;
                application/vnd.google-earth.kml+xml kml;
                application/vnd.google-earth.kmz kmz;
                application/vnd.ms-excel xls;
                application/vnd.ms-fontobject eot;
                application/vnd.ms-powerpoint ppt;
                application/vnd.oasis.opendocument.graphics odg;
                application/vnd.oasis.opendocument.presentation odp;
                application/vnd.oasis.opendocument.spreadsheet ods;
                application/vnd.oasis.opendocument.text odt;
                application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
                application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
                application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
                application/vnd.wap.wmlc wmlc;
                application/x-7z-compressed 7z;
                application/x-cocoa cco;
                application/x-java-archive-diff jardiff;
                application/x-java-jnlp-file jnlp;
                application/x-makeself run;
                application/x-perl pl pm;
                application/x-pilot prc pdb;
                application/x-rar-compressed rar;
                application/x-redhat-package-manager rpm;
                application/x-sea sea;
                application/x-shockwave-flash swf;
                application/x-stuffit sit;
                application/x-tcl tcl tk;
                application/x-x509-ca-cert der pem crt;
                application/x-xpinstall xpi;
                application/xhtml+xml xhtml;
                application/xspf+xml xspf;
                application/zip zip;
                application/octet-stream bin exe dll;
                application/octet-stream deb;
                application/octet-stream dmg;
                application/octet-stream iso img;
                application/octet-stream msi msp msm;
                audio/midi mid midi kar;
                audio/mpeg mp3;
                audio/ogg ogg;
                audio/x-m4a m4a;
                audio/x-realaudio ra;
                video/3gpp 3gpp 3gp;
                video/mp2t ts;
                video/mp4 mp4;
                video/mpeg mpeg mpg;
                video/quicktime mov;
                video/webm webm;
                video/x-flv flv;
                video/x-m4v m4v;
                video/x-mng mng;
                video/x-ms-asf asx asf;
                video/x-ms-wmv wmv;
                video/x-msvideo avi;
        }
        default_type application/octet-stream;
        # $http_x_forwarded_for, $http_user_agent and $http_referer are client-controlled.
        # nginx's default log escaping replaces quotes, backslashes and non-printable
        # bytes with \xXX, so log-line injection is contained, but the values are still
        # untrusted and must not be used for access decisions downstream.
        log_format controller_recommended_log_format '$remote_addr - "$remote_user" [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$host" sn="$server_name" rt="$request_time" ua="$upstream_addr" us="$upstream_status" ut="$upstream_response_time" ul="$upstream_response_length" cs="$upstream_cache_status" pa="$f5_published_api"';
        access_log /var/log/nginx/access.log controller_recommended_log_format;
        error_log /var/log/nginx/error.log;
        sendfile on;
        keepalive_timeout 65;
        # Hides the nginx version from the Server header and built-in error pages.
        server_tokens off;
        server_names_hash_bucket_size 128;
        map $http_upgrade $connection_upgrade {
                default upgrade;
                '' close;
        }
        # NOTE(review): the per-server `ssl_session_cache off` below disables only the
        # server-side session cache; ssl_session_tickets is left at its default (on),
        # so resumption still happens via tickets and this timeout bounds their
        # lifetime. The ticket key is generated at startup and changes only on reload
        # unless ssl_session_ticket_key is rotated — relevant to forward secrecy of
        # resumed sessions. (Based on nginx defaults; confirm for this build.)
        ssl_session_timeout 1h;
#       upstream test_http_f7b67c7e-59e1-4a13-9897-8a20a73f879f {
#               zone test_http_f7b67c7e-59e1-4a13-9897-8a20a73f879f 160k;
#               least_conn;
#               server 127.0.0.1:49151 backup;
#               keepalive 100000;
#               keepalive_requests 100000;
#               keepalive_timeout 60s;
#       }
        map $host $f5_published_api {
                default -;
        }
        server {
                server_name test.ben.com;
                listen 443 ssl reuseport;
                # TLSv1.3 is the only protocol enabled. nginx can honour this only when
                # it was built against, and is running with, OpenSSL >= 1.1.1; with an
                # older OpenSSL no protocol is left enabled and every handshake fails,
                # which is consistent with "works on the VM, fails in the image".
                # `nginx -V` prints both "built with OpenSSL ..." and "running with
                # OpenSSL ..." — that is the first thing to compare between the two.
                ssl_protocols TLSv1.3;
                # The private key is read by the master process at startup; keep the
                # .key file 0600/root-owned so the unprivileged `nginx` workers and
                # anything else in the container cannot read it.
                ssl_certificate /etc/controller-agent/configurator/auxfiles/d2e29ee9-b6f2-4977-ac12-8ef44f0c0e0a.crt;
                ssl_certificate_key /etc/controller-agent/configurator/auxfiles/d2e29ee9-b6f2-4977-ac12-8ef44f0c0e0a.key;
                ssl_session_cache off;
                # No ssl_ciphers / `ssl_conf_command Ciphersuites` is given, so the
                # OpenSSL defaults apply; for TLS 1.3 those are all AEAD suites, and
                # server preference is applied to them.
                ssl_prefer_server_ciphers on;
                set $f5_gateway ben-gateway;
                set $f5_environment testtls1v3;
        # NOTE(review): error_page maps 404 to /404.html but the location below matches
        # /40x.html, so the 404 page is never served by that location. No `root` is set
        # anywhere in this server, so error pages — and, with `location /` commented
        # out, every other request — resolve against the compiled-in default document
        # root; confirm nothing unintended is reachable there.
        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }

#               NOTE(review): if this block is re-enabled, `client_max_body_size 999999m`
#               is effectively unlimited — choose a real limit to bound request-body
#               buffering. X-Forwarded-For is set from $remote_addr rather than
#               appended, which drops any client-supplied XFF (good for spoofing
#               resistance; loses upstream proxy chains if there are any).
#               location / {
#                       access_log /var/log/nginx/access.log controller_recommended_log_format;
#                       set $f5_app ben-app;
#                       set $f5_component ben-comp;
#                       client_max_body_size 999999m;
#                       proxy_set_header X-Forwarded-For $remote_addr;
#                       proxy_set_header Host $host;
#                       proxy_http_version 1.1;
#                       proxy_ssl_server_name on;
#                       proxy_ssl_name $host;
#                       proxy_set_header Connection $connection_upgrade;
#                       proxy_set_header Upgrade $http_upgrade;
#                       proxy_pass http://test_http_f7b67c7e-59e1-4a13-9897-8a20a73f879f;
#               }
#               location = /_health_check_test_http_f7b67c7e-59e1-4a13-9897-8a20a73f879f {
#                       internal;
#                       proxy_set_header Host $host;
#                       proxy_set_header Connection '';
#                       proxy_pass http://test_http_f7b67c7e-59e1-4a13-9897-8a20a73f879f;
#               }
        }
        server {
                # Loopback-only plain-HTTP listener (the backup server of the
                # commented-out upstream above). Bound to 127.0.0.1, so only processes
                # inside the container can reach it; `access_log off` means those
                # requests leave no trace, and the empty `location /api` has no root
                # or handler of its own, so it serves from the default document root.
                server_name 127.0.0.1;
                listen 127.0.0.1:49151;
                access_log off;
                location /api {
                }
        }
}
worker_cpu_affinity auto;

With this same configuration on a VM it works and clients negotiate TLSv1.3.
With the Docker image I built, the identical configuration does not work (same config, same certificates, everything else the same).
Is there a way to use TLSv1.3 with the controller and this image?
