Enhance HTTPS

docker-compose.yml

@@ -104,7 +104,8 @@ services:
 
   proxy:
     container_name: proxy
-    image: nginx
+    build: proxy
+    image: proxy
     ports:
       - 80:80
       - 443:443

proxy/Dockerfile

@@ -0,0 +1,4 @@
+FROM nginx
+
+RUN apt update && apt install -y openssl
+RUN mkdir /etc/nginx/cert && openssl dhparam -out /etc/nginx/cert/dhparam.pem 2048

proxy/nginx-conf.d/default.conf

@@ -1,24 +0,0 @@
-# server {
-#         listen 443 ssl http2;
-
-#         ssl_certificate /etc/nginx/cert/bjornjohansen.no.certchain.crt;
-#         ssl_certificate_key /etc/nginx/cert/bjornjohansen.no.key;
-
-#         ssl_session_cache shared:SSL:20m;
-#         ssl_session_timeout 60m;
-
-#         ssl_prefer_server_ciphers on;
-
-#         ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
-
-#         ssl_dhparam /etc/nginx/cert/dhparam.pem;
-
-#         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
-#         ssl_stapling on;
-#         ssl_stapling_verify on;
-#         ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;
-#         resolver 8.8.8.8 8.8.4.4;
-
-#         add_header Strict-Transport-Security "max-age=31536000" always;
-# }

proxy/nginx.conf

@@ -28,5 +28,23 @@ http {
     ssl_certificate     /etc/letsencrypt/live/wojciechkozlowski.eu/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/wojciechkozlowski.eu/privkey.pem;
 
+    ssl_session_cache shared:SSL:20m;
+    ssl_session_timeout 60m;
+
+    ssl_prefer_server_ciphers on;
+
+    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
+
+    ssl_dhparam /etc/nginx/cert/dhparam.pem;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/chain.pem;
+    resolver 208.67.222.222 208.67.220.220;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
     include /etc/nginx/conf.d/*.conf;
 }