fix: clean up TLS configuration

The distinction between server TLS and proxy TLS configuration wasn't
clear and partially wrong.

- use separate environment variables for configuring server TLS / proxy
  TLS
- update documentation on environment variables

Fixes #166

apache/Dockerfile

@@ -64,19 +64,19 @@ ARG LUA_VERSION="n/a"
 LABEL maintainer="Felipe Zipitria <[email protected]>"
 
 ENV APACHE_ALWAYS_TLS_REDIRECT=off \
+    APACHE_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \
+    APACHE_ERRORLOG_FORMAT='"[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"' \
+    APACHE_METRICS_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \
     ACCESSLOG=/var/log/apache2/access.log \
     BACKEND=http://localhost:80 \
     BACKEND_WS=ws://localhost:8080 \
     ERRORLOG='/proc/self/fd/2' \
-    APACHE_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \
-    APACHE_ERRORLOG_FORMAT='"[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"' \
-    APACHE_METRICS_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \
     H2_PROTOCOLS='h2 http/1.1' \
     LOGLEVEL=warn \
     METRICS_ALLOW_FROM='127.0.0.0/255.0.0.0 ::1/128' \
     METRICS_DENY_FROM='All' \
-    METRICSLOG='/dev/null' \
     MUTEX='default' \
+    METRICSLOG='/dev/null' \
     MODSEC_AUDIT_ENGINE="RelevantOnly" \
     MODSEC_AUDIT_LOG_FORMAT=JSON \
     MODSEC_AUDIT_LOG_TYPE=Serial \
@@ -110,26 +110,28 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \
     PORT=80 \
     PROXY_ERROR_OVERRIDE=on \
     PROXY_PRESERVE_HOST=on \
+    PROXY_SSL=on \
     PROXY_SSL_CA_CERT=/etc/ssl/certs/ca-certificates.crt \
-    PROXY_SSL_CERT_KEY=/usr/local/apache2/conf/server.key \
-    PROXY_SSL_CERT=/usr/local/apache2/conf/server.crt \
+    PROXY_SSL_CERT=/usr/local/apache2/conf/proxy.crt \
+    PROXY_SSL_CERT_KEY=/usr/local/apache2/conf/proxy.key \
     PROXY_SSL_CHECK_PEER_NAME=off \
+    PROXY_SSL_CIPHER_SUITE="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
+    PROXY_SSL_PROTOCOL="all -SSLv3 -TLSv1 -TLSv1.1" \
     PROXY_SSL_VERIFY=none \
-    PROXY_SSL=on \
     PROXY_TIMEOUT=60 \
     REMOTEIP_INT_PROXY='10.1.0.0/16' \
     REQ_HEADER_FORWARDED_PROTO='https' \
     SERVER_ADMIN=root@localhost \
     SERVER_NAME=localhost \
     SERVER_SIGNATURE=Off \
     SERVER_TOKENS=Full \
+    SSL_CERT=/usr/local/apache2/conf/server.crt \
+    SSL_CERT_KEY=/usr/local/apache2/conf/server.key \
     SSL_CIPHER_SUITE="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
     SSL_ENGINE=on \
     SSL_HONOR_CIPHER_ORDER=off \
     SSL_PORT=443 \
     SSL_PROTOCOL="all -SSLv3 -TLSv1 -TLSv1.1" \
-    SSL_PROXY_PROTOCOL="all -SSLv3 -TLSv1 -TLSv1.1" \
-    SSL_PROXY_CIPHER_SUITE="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
     SSL_SESSION_TICKETS=off \
     SSL_USE_STAPLING=On \
     TIMEOUT=60 \

apache/Dockerfile-alpine

@@ -120,26 +120,28 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \
     PORT=80 \
     PROXY_ERROR_OVERRIDE=on \
     PROXY_PRESERVE_HOST=on \
+    PROXY_SSL=on \
     PROXY_SSL_CA_CERT=/etc/ssl/certs/ca-certificates.crt \
-    PROXY_SSL_CERT_KEY=/usr/local/apache2/conf/server.key \
-    PROXY_SSL_CERT=/usr/local/apache2/conf/server.crt \
+    PROXY_SSL_CERT=/usr/local/apache2/conf/proxy.crt \
+    PROXY_SSL_CERT_KEY=/usr/local/apache2/conf/proxy.key \
     PROXY_SSL_CHECK_PEER_NAME=off \
+    PROXY_SSL_CIPHER_SUITE="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
+    PROXY_SSL_PROTOCOL="all -SSLv3 -TLSv1 -TLSv1.1" \
     PROXY_SSL_VERIFY=none \
-    PROXY_SSL=on \
     PROXY_TIMEOUT=60 \
     REMOTEIP_INT_PROXY='10.1.0.0/16' \
     REQ_HEADER_FORWARDED_PROTO='https' \
     SERVER_ADMIN=root@localhost \
     SERVER_NAME=localhost \
     SERVER_SIGNATURE=Off \
     SERVER_TOKENS=Full \
+    SSL_CERT=/usr/local/apache2/conf/server.crt \
+    SSL_CERT_KEY=/usr/local/apache2/conf/server.key \
     SSL_CIPHER_SUITE="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
     SSL_ENGINE=on \
     SSL_HONOR_CIPHER_ORDER=off \
     SSL_PORT=443 \
     SSL_PROTOCOL="all -SSLv3 -TLSv1 -TLSv1.1" \
-    SSL_PROXY_PROTOCOL="all -SSLv3 -TLSv1 -TLSv1.1" \
-    SSL_PROXY_CIPHER_SUITE="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
     SSL_SESSION_TICKETS=off \
     SSL_USE_STAPLING=On \
     TIMEOUT=60 \

apache/conf/extra/httpd-ssl.conf

@@ -1,7 +1,7 @@
 Listen                  ${SSL_PORT}
 
-SSLProxyProtocol        ${SSL_PROXY_PROTOCOL}
-SSLProxyCipherSuite     ${SSL_PROXY_CIPHER_SUITE}
+SSLProxyProtocol        ${PROXY_SSL_PROTOCOL}
+SSLProxyCipherSuite     ${PROXY_SSL_CIPHER_SUITE}
 
 SSLPassPhraseDialog     builtin
 

apache/conf/extra/httpd-vhosts.conf

@@ -41,6 +41,6 @@ UseCanonicalName on
 <VirtualHost *:${SSL_PORT}>
   Protocols ${H2_PROTOCOLS}
   SSLEngine ${SSL_ENGINE}
-  SSLCertificateFile ${PROXY_SSL_CERT}
-  SSLCertificateKeyFile ${PROXY_SSL_CERT_KEY}
+  SSLCertificateFile ${SSL_CERT}
+  SSLCertificateKeyFile ${SSL_CERT_KEY}
 </VirtualHost>

nginx/Dockerfile

@@ -144,18 +144,26 @@ ENV ACCESSLOG=/var/log/nginx/access.log \
     REAL_IP_HEADER="X-REAL-IP" \
     REAL_IP_PROXY_HEADER="X-REAL-IP" \
     REAL_IP_RECURSIVE="on" \
-    PROXY_TIMEOUT=60s \
-    PROXY_SSL_CERT=/etc/nginx/conf/server.crt \
-    PROXY_SSL_CERT_KEY=/etc/nginx/conf/server.key \
-    PROXY_SSL_DH_BITS=2048 \
-    PROXY_SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \
+    PROXY_SSL=off \
+    PROXY_SSL_CERT=/etc/nginx/conf/proxy.crt \
+    PROXY_SSL_CERT_KEY=/etc/nginx/conf/proxy.key \
     PROXY_SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
-    PROXY_SSL_PREFER_CIPHERS=off \
+    PROXY_SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \
     PROXY_SSL_VERIFY=off \
-    PROXY_SSL_OCSP_STAPLING=off \
+    PROXY_SSL_VERIFY_DEPTH=1 \
+    PROXY_TIMEOUT=60s \
     SERVER_NAME=localhost \
     SERVER_TOKENS=off \
+    SSL_CERT=/etc/nginx/conf/server.crt \
+    SSL_CERT_KEY=/etc/nginx/conf/server.key \
+    SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
+    SSL_DH_BITS=2048 \
+    SSL_OCSP_STAPLING=off \
     SSL_PORT=443 \
+    SSL_PREFER_CIPHERS=off \
+    SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \
+    SSL_VERIFY=off \
+    SSL_VERIFY_DEPTH=1 \
     TIMEOUT=60s \
     WORKER_CONNECTIONS=1024 \
     LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib \

nginx/Dockerfile-alpine

@@ -139,18 +139,26 @@ ENV ACCESSLOG=/var/log/nginx/access.log \
     REAL_IP_HEADER="X-REAL-IP" \
     REAL_IP_PROXY_HEADER="X-REAL-IP" \
     REAL_IP_RECURSIVE="on" \
-    PROXY_TIMEOUT=60s \
-    PROXY_SSL_CERT=/etc/nginx/conf/server.crt \
-    PROXY_SSL_CERT_KEY=/etc/nginx/conf/server.key \
-    PROXY_SSL_DH_BITS=2048 \
-    PROXY_SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \
+    PROXY_SSL=off \
+    PROXY_SSL_CERT=/etc/nginx/conf/proxy.crt \
+    PROXY_SSL_CERT_KEY=/etc/nginx/conf/proxy.key \
     PROXY_SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
-    PROXY_SSL_PREFER_CIPHERS=off \
+    PROXY_SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \
     PROXY_SSL_VERIFY=off \
-    PROXY_SSL_OCSP_STAPLING=off \
+    PROXY_SSL_VERIFY_DEPTH=1 \
+    PROXY_TIMEOUT=60s \
     SERVER_NAME=localhost \
     SERVER_TOKENS=off \
+    SSL_CERT=/etc/nginx/conf/server.crt \
+    SSL_CERT_KEY=/etc/nginx/conf/server.key \
+    SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
+    SSL_DH_BITS=2048 \
+    SSL_OCSP_STAPLING=off \
     SSL_PORT=443 \
+    SSL_PREFER_CIPHERS=off \
+    SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \
+    SSL_VERIFY_DEPTH=1 \
+    SSL_VERIFY=off \
     TIMEOUT=60s \
     WORKER_CONNECTIONS=1024 \
     LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib \

nginx/docker-entrypoint.d/91-update-resolver.sh

@@ -4,7 +4,6 @@
 set -eu
 
 LC_ALL=C
-ME=$( basename "$0" )
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
 DNS_SERVER="${DNS_SERVER:-$(grep -i '^nameserver' /etc/resolv.conf | head -n1 | cut -d ' ' -f2)}"

nginx/docker-entrypoint.d/92-update-real_ip.sh

@@ -4,7 +4,6 @@
 set -eu
 
 LC_ALL=C
-ME=$( basename "$0" )
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
 # split comma separated IP addresses into multiple `set_real_ip xxx;` lines

nginx/docker-entrypoint.d/93-update-proxy-ssl-config.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:sw=2:ts=2:sts=2:et
+
+set -eu
+
+LC_ALL=C
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+PROXY_SSL_CONFIG=""
+if [ "${PROXY_SSL}" = "on" ]; then
+    PROXY_SSL_CONFIG="include includes/proxy_backend_ssl.conf;"
+fi
+
+sed -i.bak -r 's#PROXY_SSL_CONFIG#'"${PROXY_SSL_CONFIG}"'#' /etc/nginx/conf.d/default.conf

nginx/templates/conf.d/default.conf.template

@@ -14,6 +14,8 @@ server {
     set $upstream ${BACKEND};
     set $always_redirect ${NGINX_ALWAYS_TLS_REDIRECT};
 
+    PROXY_SSL_CONFIG
+
     location / {
         client_max_body_size 0;
 
@@ -37,22 +39,25 @@ server {
     server_name ${SERVER_NAME};
     set $upstream ${BACKEND};
 
-    ssl_certificate ${PROXY_SSL_CERT};
-    ssl_certificate_key ${PROXY_SSL_CERT_KEY};
+    ssl_certificate ${SSL_CERT};
+    ssl_certificate_key ${SSL_CERT_KEY};
     ssl_session_timeout 1d;
     ssl_session_cache shared:MozSSL:10m;
     ssl_session_tickets off;
 
-    ssl_dhparam /etc/ssl/certs/dhparam-${PROXY_SSL_DH_BITS}.pem;
+    ssl_dhparam /etc/ssl/certs/dhparam-${SSL_DH_BITS}.pem;
+
+    ssl_protocols ${SSL_PROTOCOLS};
+    ssl_ciphers ${SSL_CIPHERS};
+    ssl_prefer_server_ciphers ${SSL_PREFER_CIPHERS};
 
-    ssl_protocols ${PROXY_SSL_PROTOCOLS};
-    ssl_ciphers ${PROXY_SSL_CIPHERS};
-    ssl_prefer_server_ciphers ${PROXY_SSL_PREFER_CIPHERS};
+    ssl_stapling ${SSL_OCSP_STAPLING};
+    ssl_stapling_verify ${SSL_OCSP_STAPLING};
 
-    ssl_stapling ${PROXY_SSL_OCSP_STAPLING};
-    ssl_stapling_verify ${PROXY_SSL_OCSP_STAPLING};
+    ssl_verify_client ${SSL_VERIFY};
+    ssl_verify_depth ${SSL_VERIFY_DEPTH};
 
-    ssl_verify_client ${PROXY_SSL_VERIFY};
+    PROXY_SSL_CONFIG
 
     location / {
         client_max_body_size 0;

nginx/templates/includes/proxy_backend_ssl.conf.template

@@ -0,0 +1,8 @@
+proxy_ssl_certificate ${PROXY_SSL_CERT};
+proxy_ssl_certificate_key ${PROXY_SSL_CERT_KEY};
+
+proxy_ssl_protocols ${PROXY_SSL_PROTOCOLS};
+proxy_ssl_ciphers ${PROXY_SSL_CIPHERS};
+
+proxy_ssl_verify ${PROXY_SSL_VERIFY};
+proxy_ssl_verify_depth ${PROXY_SSL_VERIFY_DEPTH};

openresty/Dockerfile-alpine

@@ -158,17 +158,26 @@ ENV ACCESSLOG=/var/log/nginx/access.log \
     REAL_IP_HEADER="X-REAL-IP" \
     REAL_IP_PROXY_HEADER="X-REAL-IP" \
     REAL_IP_RECURSIVE="on" \
-    PROXY_TIMEOUT=60s \
-    PROXY_SSL_CERT=/usr/local/openresty/nginx/conf/server.crt \
-    PROXY_SSL_CERT_KEY=/usr/local/openresty/nginx/conf/server.key \
-    PROXY_SSL_DH_BITS=2048 \
-    PROXY_SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \
+    PROXY_SSL=off \
+    PROXY_SSL_CERT=/etc/nginx/conf/proxy.crt \
+    PROXY_SSL_CERT_KEY=/etc/nginx/conf/proxy.key \
     PROXY_SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
-    PROXY_SSL_PREFER_CIPHERS=off \
+    PROXY_SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \
     PROXY_SSL_VERIFY=off \
-    PROXY_SSL_OCSP_STAPLING=off \
+    PROXY_SSL_VERIFY_DEPTH=1 \
+    PROXY_TIMEOUT=60s \
     SERVER_NAME=localhost \
+    SERVER_TOKENS=off \
+    SSL_CERT=/etc/nginx/conf/server.crt \
+    SSL_CERT_KEY=/etc/nginx/conf/server.key \
+    SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
+    SSL_DH_BITS=2048 \
+    SSL_OCSP_STAPLING=off \
     SSL_PORT=443 \
+    SSL_PREFER_CIPHERS=off \
+    SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \
+    SSL_VERIFY=off \
+    SSL_VERIFY_DEPTH=1 \
     TIMEOUT=60s \
     WORKER_CONNECTIONS=1024 \
     # Change this from normal nginx setup. Do not add /usr/lib or /lib