diff --git a/docker-compose.yml b/docker-compose.yml index 5a727ca..13a9528 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -48,7 +48,7 @@ services: # Optional Settings # - "NOREDIR=true" # Do not redirect port 80 # - "DISIPV6=true" # Disable IPV6 in nginx - +# - "SECURESSL=true" # Enable higher security SSL in nginx misp-modules: image: coolacid/misp-docker:modules-latest environment: diff --git a/server/Dockerfile b/server/Dockerfile index cedcc77..5a05e1c 100644 --- a/server/Dockerfile +++ b/server/Dockerfile @@ -120,7 +120,8 @@ ARG PHP_VER # nginx RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php - COPY files/etc/nginx/misp /etc/nginx/sites-enabled/misp + COPY files/etc/nginx/misp /etc/nginx/sites-available/misp + COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80 COPY files/etc/nginx/misp80-noredir /etc/nginx/sites-available/misp80-noredir diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh index 2c9ccc8..4be081f 100755 --- a/server/files/entrypoint_nginx.sh +++ b/server/files/entrypoint_nginx.sh @@ -123,6 +123,21 @@ else echo "Configure NGINX | Port 80 already configured" fi +if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then + echo "Configure NGINX | Using Secure SSL" + ln -s /etc/nginx/sites-available/misp-secure /etc/nginx/sites-enabled/misp +elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then + echo "Configure NGINX | Using Standard SSL" + ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp + if [[ ! -f /etc/ssl/certs/dhparams.pem ]]; then + echo "Configure NGINX | Building dhparams.pem" + openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048 + fi +else + echo "Configure NGINX | SSL already configured" +fi + + if [[ "$DISIPV6" == true ]]; then echo "Configure NGINX | Disabling IPv6" sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80 diff --git a/server/files/etc/nginx/misp b/server/files/etc/nginx/misp index 9efc4d9..a1fb26f 100644 --- a/server/files/etc/nginx/misp +++ b/server/files/etc/nginx/misp @@ -16,9 +16,11 @@ server { ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; - - # modern configuration - ssl_protocols TLSv1.3; + + # intermediate configuration + ssl_dhparam /etc/ssl/certs/dhparams.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # enable HSTS @@ -26,14 +28,14 @@ server { add_header X-Frame-Options SAMEORIGIN; # Aded headers for hardening browser security - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By;