aptible / docker-nginx

NGiNX HTTP server

License: MIT License

Languages: Shell 68.42%, HTML 23.70%, Makefile 5.04%, Ruby 1.48%, Dockerfile 1.36%
Topics: aptible-enclave, aptible-deploy

docker-nginx's Introduction

aptible/nginx


NGiNX HTTP reverse proxy server.

Intended Use

The aptible/nginx image is used for proxy containers that handle SSL/TLS termination and same-instance load balancing for Aptible Deploy Endpoints. For customers, we recommend using the official nginx image instead or forking this project if you would like to modify it for your own use.

Installation and Usage

docker pull quay.io/aptible/nginx
docker run -P quay.io/aptible/nginx

To proxy to an upstream host(s) and port(s), set the UPSTREAM_SERVERS environment variable:

docker run -P -e UPSTREAM_SERVERS=host1:3000,host2:4000 quay.io/aptible/nginx

The server starts with a default self-signed certificate. To load in your own certificate and private key, pass them in as mounted Docker "volumes." For example:

docker run -v /path/to/server.key:/etc/nginx/ssl/server.key -v /path/to/server.crt:/etc/nginx/ssl/server.crt quay.io/aptible/nginx

Alternatively, you can provide these via the SSL_CERTIFICATE and SSL_KEY environment variables.

To force SSL, set the FORCE_SSL environment variable to true:

docker run -e FORCE_SSL=true quay.io/aptible/nginx

Configuring supported protocols and cipher suites

The default set of protocols and cipher suites exposed in our NGiNX configuration aims to balance security and compatibility with older clients. POODLE is a padding-oracle attack on CBC-mode cipher suites under SSLv3; RC4 is a stream cipher and is not affected, so the default configuration mitigates POODLE by allowing SSLv3 only with the RC4 cipher. At the same time, it is accommodating enough to support even a default installation of IE6 on Windows XP, or use as a custom origin behind AWS CloudFront over SSLv3/TLS 1.0.

RC4 itself is broken: biases in its keystream allow plaintext recovery, and RFC 7465 prohibits RC4 cipher suites in TLS entirely. Without RC4, SSLv3 cannot be used safely at all (RFC 7568 deprecates SSLv3 outright). To use a configuration that trades some compatibility for security, set the DISABLE_WEAK_CIPHER_SUITES environment variable to true:

docker run -e DISABLE_WEAK_CIPHER_SUITES=true quay.io/aptible/nginx

This flag turns off SSLv3 as well as the RC4 cipher. At the time of writing, the configuration it generates earned an A+ on the Qualys SSL Labs SSL Server Test while providing compatibility with almost all clients that Qualys tests (the SSL Labs grading criteria have since tightened, and a configuration that still offers TLS 1.0 or 1.1 is now capped at a B). The lone exception is IE 6 on Windows XP, which only fails because Qualys tests the default installation: if TLS 1.0 is enabled in IE 6, our configuration can be used to connect.

To allow more control over the ciphers and protocols used by NGiNX, we also recognize the environment variables SSL_CIPHERS_OVERRIDE and SSL_PROTOCOLS_OVERRIDE, which completely override the NGiNX ssl_ciphers and ssl_protocols settings. For example, to remove TLS 1.0 from the available list of protocols but keep the rest of the DISABLE_WEAK_CIPHER_SUITES settings, use SSL_PROTOCOLS_OVERRIDE to specify support for only TLS 1.1 and 1.2. Note that each variable needs its own -e flag; without the second one, docker treats the assignment as the image name. TLS 1.0 and 1.1 have both since been deprecated by RFC 8996, so a current deployment would normally list only TLSv1.2, plus TLSv1.3 where the image's OpenSSL supports it.

docker run -e DISABLE_WEAK_CIPHER_SUITES=true -e SSL_PROTOCOLS_OVERRIDE="TLSv1.1 TLSv1.2" quay.io/aptible/nginx

Since both SSL_PROTOCOLS_OVERRIDE and SSL_CIPHERS_OVERRIDE are injected verbatim into the NGiNX configuration, a syntax error in either can keep NGiNX from starting; if the container exits immediately, check docker logs <container> for the configuration error. For the same reason, set these variables only from values you control and never from untrusted input: whatever they contain becomes part of the configuration file.
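As an added example (this is not the image's own entrypoint, which is not shown on this page), the following POSIX shell script renders the NGiNX partials that UPSTREAM_SERVERS, DISABLE_WEAK_CIPHER_SUITES, the two override variables and FORCE_SSL imply. The function names, the placeholder cipher strings, the upstream name "backend" and the way FORCE_SSL becomes a plain redirect are my assumptions; the real image may do all of this differently. Every value is checked before it is written, because a value that reaches the configuration verbatim can inject directives or stop NGiNX from starting.

```sh
#!/bin/sh
# Added example, not the aptible/nginx entrypoint. Assumed names: validate_token,
# render_upstream, render_ssl, render_force_ssl, render_config. Cipher strings
# below are illustrative placeholders, not the image's real defaults.

nl=$(printf '\nx'); nl=${nl%x}

# Reject anything that could end a directive, open a block, or start a comment.
validate_token() {
  case "$1" in
    ''|*';'*|*'{'*|*'}'*|*'#'*|*'"'*|*"$nl"*) return 1 ;;
  esac
  return 0
}

# UPSTREAM_SERVERS=host1:3000,host2:4000 -> an upstream block. Each entry must
# be host:port with a hostname made of [A-Za-z0-9.-] and a numeric port (IPv4
# literals pass, bracketed IPv6 does not; that is a deliberate simplification).
render_upstream() {
  list=$1
  if [ -z "$list" ]; then
    echo "UPSTREAM_SERVERS is empty" >&2
    return 1
  fi
  body=$(printf '%s\n' "$list" | tr ',' '\n' | while read -r entry; do
    host=${entry%%:*}
    port=${entry#*:}
    case "$host" in ''|*[!A-Za-z0-9.-]*) echo "bad host in '$entry'" >&2; exit 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port in '$entry'" >&2; exit 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
      echo "port out of range in '$entry'" >&2; exit 1
    fi
    printf '  server %s:%s;\n' "$host" "$port"
  done) || return 1
  printf 'upstream backend {\n%s\n}\n' "$body"
}

# Compatibility default (SSLv3 kept, RC4 offered) versus the hardened set, with
# the override variables applied on top and checked before use.
render_ssl() {
  disable_weak=$1
  protocols_override=$2
  ciphers_override=$3
  if [ "$disable_weak" = "true" ]; then
    protocols="TLSv1 TLSv1.1 TLSv1.2"
    ciphers="HIGH:!aNULL:!MD5:!RC4"
  else
    protocols="SSLv3 TLSv1 TLSv1.1 TLSv1.2"
    ciphers="HIGH:!aNULL:!MD5:RC4-SHA"
  fi
  if [ -n "$protocols_override" ]; then protocols=$protocols_override; fi
  if [ -n "$ciphers_override" ]; then ciphers=$ciphers_override; fi
  validate_token "$protocols" || { echo "unsafe characters in ssl_protocols" >&2; return 1; }
  validate_token "$ciphers" || { echo "unsafe characters in ssl_ciphers" >&2; return 1; }
  # An unknown protocol name is exactly the kind of typo that stops nginx from starting.
  for p in $protocols; do
    case "$p" in
      SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) ;;
      *) echo "unknown protocol '$p' in ssl_protocols" >&2; return 1 ;;
    esac
  done
  printf 'ssl_protocols %s;\nssl_ciphers %s;\nssl_prefer_server_ciphers on;\n' "$protocols" "$ciphers"
}

# FORCE_SSL=true -> answer every plaintext request with a redirect (assumed idiom).
render_force_ssl() {
  if [ "$1" = "true" ]; then
    printf 'server {\n  listen 80;\n  return 301 https://$host$request_uri;\n}\n'
  fi
}

render_config() {
  render_upstream "${UPSTREAM_SERVERS:-}" &&
  render_ssl "${DISABLE_WEAK_CIPHER_SUITES:-false}" "${SSL_PROTOCOLS_OVERRIDE:-}" "${SSL_CIPHERS_OVERRIDE:-}" &&
  render_force_ssl "${FORCE_SSL:-false}"
}

# Usage: UPSTREAM_SERVERS=host1:3000,host2:4000 DISABLE_WEAK_CIPHER_SUITES=true sh render.sh render
case "${1:-}" in render) render_config ;; esac
```

An entry such as UPSTREAM_SERVERS="host1:3000;include /etc/passwd" or SSL_PROTOCOLS_OVERRIDE="TLSv1.2;" is refused here instead of being written into the configuration; the README's own warning about syntax errors is the benign end of the same problem.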

Simulating trusted SSL connections

If you're on OS X running boot2docker, you can configure your system to trust NGiNX's self-signed certificate by taking the following steps:

  1. Add an entry to your /etc/hosts file mapping "example.com" to your Docker IP address. Note that sudo must apply to the write, not just to echo (a redirect with >> is performed by your unprivileged shell and fails with "Permission denied"), so append through tee:

     echo "$(boot2docker ip 2>/dev/null) example.com" | sudo tee -a /etc/hosts
    
  2. Start your NGiNX container (daemonized), copy the automatically-generated certificate to a temporary file, then open it (in Keychain).

     ID=$(docker run -d -p 80:80 -p 443:443 quay.io/aptible/nginx)
     docker cp ${ID}:/etc/nginx/ssl/server.crt /tmp/
     open /tmp/server.crt
    
  3. Choose to "always trust" it within Keychain.

  4. Visit https://example.com and see the trusted certificate.

The certificate and key are generated each time a container starts from the image (the startup log shows "Generating a RSA private key"), so a new container presents a new certificate and must be trusted again. Remove the old entry from Keychain when you are done so that stale self-signed certificates do not stay trusted on your machine.

Available Tags

  • latest: Currently NGiNX 1.19.1

Deployment

To push the Docker image to Quay, run the following command:

make release

Copyright and License

MIT License, see LICENSE for details.

Copyright (c) 2019 Aptible and contributors.

docker-nginx's People

Contributors

aaw, bayley-aptible, benjodo, fancyremarker, jbergknoff, joeclayallday, joshraker, krallin, mattwiese-aptible, michaelwang13, tobalsgithub, usernotfound, whabib


docker-nginx's Issues

Sticky sessions

A single HTTP session should always stick to the same app container.

PHP-FPM support

Relevant lines:

  location / {
    # Front controller: anything that is not a real file or directory goes to app.php
    try_files $uri $uri/ /app.php?$args;
  }

  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires max;
    log_not_found off;
  }
  # Never serve Apache .htaccess/.htpasswd files that may live in the document root
  location ~ /\.ht {
    deny  all;
  }

  location ~ \.php($|/) {
    include fastcgi_params;
    set $script $uri;
    set $path_info "";

    # Split "/index.php/some/path" into the script and its PATH_INFO
    if ($uri ~ "^(.+\.php)($|/)") {
      set $script $1;
    }

    if ($uri ~ "^(.+\.php)(/.+)") {
      set $script $1;
      set $path_info $2;
    }
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass backend;

    fastcgi_param SCRIPT_NAME $script;
    fastcgi_param PATH_INFO $path_info;
    # X-Forwarded-For is a client-controlled header; it is only a trustworthy
    # REMOTE_ADDR when the proxy in front of this server overwrites it
    fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
  }

X-Forwarded-For not being set to client's IP

These directives:

  set_real_ip_from 0.0.0.0/0;
  real_ip_header proxy_protocol;
...
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

do not seem to pass through the original client IP from ELB's proxy protocol.

See for example:

which suggests setting X-Forwarded-For differently.

At the very least you want:

proxy_set_header  X-Real-IP           $proxy_protocol_addr;
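As an added example (not code from aptible/nginx or from the issue's author), the shell script below models what NGiNX does with a PROXY protocol v1 line and the realip module, so the behaviour discussed in this issue can be reasoned about offline. Function names are mine, and every address is constructed sample data from the RFC 5737 documentation ranges. Two facts about NGiNX it relies on: the PROXY line is only read when the listen directive carries "proxy_protocol" (the issue does not show the listen line), and $proxy_protocol_addr is populated from that line for every connection, whereas $remote_addr is only replaced by it when the TCP peer falls inside set_real_ip_from.

```sh
#!/bin/sh
# Added example, not part of aptible/nginx. Assumed names: proxy_protocol_addr,
# ip2int, in_cidr, effective_remote_addr, x_forwarded_for, demo.
# Sample addresses are constructed: 10.0.0.1 stands for the ELB, 203.0.113.x for
# end clients, 198.51.100.7 for a host that reaches nginx without going through the ELB.

# $proxy_protocol_addr: the source address carried in the PROXY line that the
# load balancer sends first on the connection. "PROXY UNKNOWN" carries no address.
proxy_protocol_addr() {
  set -- $1
  [ "$1" = "PROXY" ] || return 1
  case "$2" in
    TCP4|TCP6) printf '%s\n' "$3" ;;
    *) printf '\n' ;;
  esac
}

# Dotted-quad IPv4 to an integer (IPv4 only, which is all the issue uses).
ip2int() {
  oldifs=$IFS
  IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is the address inside the CIDR? This is the decision set_real_ip_from makes.
in_cidr() {
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( (1 << 32) - (1 << (32 - bits)) ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# $remote_addr after the realip module with real_ip_header proxy_protocol:
# the PROXY source address replaces the TCP peer only when the peer is trusted.
# With set_real_ip_from 0.0.0.0/0, as in the issue, every peer is trusted, so any
# host that can reach nginx directly chooses its own $remote_addr.
effective_remote_addr() {
  peer=$1; proxy_addr=$2; trusted=$3
  if [ -n "$proxy_addr" ] && in_cidr "$peer" "$trusted"; then
    printf '%s\n' "$proxy_addr"
  else
    printf '%s\n' "$peer"
  fi
}

# $proxy_add_x_forwarded_for: the incoming X-Forwarded-For with $remote_addr appended.
x_forwarded_for() {
  if [ -n "$1" ]; then printf '%s, %s\n' "$1" "$2"; else printf '%s\n' "$2"; fi
}

# Walk through the cases: sh xff.sh demo
demo() {
  client=$(proxy_protocol_addr 'PROXY TCP4 203.0.113.5 10.0.0.1 56324 443')
  addr=$(effective_remote_addr 10.0.0.1 "$client" 10.0.0.0/8)
  echo "ELB peer 10.0.0.1, trusted 10.0.0.0/8: remote_addr=$addr X-Forwarded-For=$(x_forwarded_for '' "$addr")"
  forged=$(proxy_protocol_addr 'PROXY TCP4 203.0.113.9 10.0.0.1 40000 443')
  echo "direct peer 198.51.100.7, trusted 0.0.0.0/0: remote_addr=$(effective_remote_addr 198.51.100.7 "$forged" 0.0.0.0/0)"
  echo "direct peer 198.51.100.7, trusted 10.0.0.0/8: remote_addr=$(effective_remote_addr 198.51.100.7 "$forged" 10.0.0.0/8)"
}
case "${1:-}" in demo) demo ;; esac
```

The practical consequence for the config quoted in this issue: when the PROXY line is actually being read, $proxy_add_x_forwarded_for already contains the client address, because $remote_addr has been rewritten by then. The X-Real-IP $proxy_protocol_addr suggestion works too, but that variable is never gated by set_real_ip_from, so it should only be relied upon when the ELB (or a security group) is the only thing that can open connections to the proxy; otherwise a direct connection carrying a forged PROXY line sets it freely, and set_real_ip_from 0.0.0.0/0 extends the same problem to $remote_addr.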

SSLv3 POODLE mitigation breaks CloudFront caching

For some reason, the changes in #41 prevent CloudFront from caching responses from Aptible VHOSTs. My initial hypothesis is that CloudFront's edge servers are using a very narrow (possibly outdated) set of ciphers when making requests to origin servers.

ERROR
The request could not be satisfied.

CloudFront wasn't able to connect to the origin. 
Generated by cloudfront (CloudFront)

Additional mime types for gzip support.

It would be great to have:

gzip_types application/json application/javascript text/css;

enabled alongside gzip on; to support nginx-level gzipping of files besides html; perhaps more mime types depending on others' use cases.

Explicitly declare SSL configuration

attn @fancyremarker: As discussed, for transparency, it would be good to explicitly show here how we configure SSL. Right now it looks like we just rely on the defaults, which are fine, but it takes a bit of legwork to understand.

Improve default 502 error page

Right now, the default NGiNX error page says:

Sorry, the page you are looking for is currently unavailable. Please try again later.

This is confusing to most users.

[error] lua_load_resty_core failed to load the resty.core module

Recreate:

docker pull quay.io/aptible/nginx
docker run -P quay.io/aptible/nginx

Output:

Using default tag: latest
latest: Pulling from aptible/nginx
639a8023167c: Pull complete
853720b66ea7: Pull complete
7152166c5dcb: Pull complete
7af831c699dd: Pull complete
8e9610204309: Pull complete
515a2a01277f: Pull complete
653863f68b65: Pull complete
ce58cba36418: Pull complete
55941cada759: Pull complete
857df33d488c: Pull complete
5e80d39239ec: Pull complete
c0f12a64c24a: Pull complete
7edfb243c335: Pull complete
a96d590e5918: Pull complete
f5e5ba1fe446: Pull complete
fac59bec92f3: Pull complete
Digest: sha256:0bffd0e9dbedfa708962040159a767a99b9ad0d8f27d50330a70ba7a9fca4e1b
Status: Downloaded newer image for quay.io/aptible/nginx:latest
quay.io/aptible/nginx:latest
Generating a RSA private key
................................................+++++
..........+++++
writing new private key to '/etc/nginx/ssl/server.key'
-----
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/partial/ssl.conf:1
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
	no field package.preload['resty.core']
	no file './resty/core.lua'
	no file '/usr/share/luajit-2.0.4/resty/core.lua'
	no file '/usr/local/share/lua/5.1/resty/core.lua'
	no file '/usr/local/share/lua/5.1/resty/core/init.lua'
	no file '/usr/share/lua/5.1/resty/core.lua'
	no file '/usr/share/lua/5.1/resty/core/init.lua'
	no file './resty/core.so'
	no file '/usr/local/lib/lua/5.1/resty/core.so'
	no file '/usr/lib/lua/5.1/resty/core.so'
	no file '/usr/local/lib/lua/5.1/loadall.so'
	no file './resty.so'
	no file '/usr/local/lib/lua/5.1/resty.so'
	no file '/usr/lib/lua/5.1/resty.so'
	no file '/usr/local/lib/lua/5.1/loadall.so')

Update config to point logs to /dev/stdout

After PR #36, the configuration files don't point logs at /dev/stdout because old versions of docker were failing to write logs. Instead, the logs are directed to /proc/self/fd/1, which is where the /dev/stdout symlink leads. When legacy docker (< 0.12.0) is no longer in the picture, it may make sense to re-introduce the less obscure /dev/stdout for the sake of clarity/greppability/etc.
