nginx with boringssl

Jan 27, 2019 • estimated reading time: 2 minutes

  • build with boringssl
  • enable TLS 1.3
  • enable 0-RTT (TLS 1.3 early data — requests sent this way can be replayed by a network attacker, so it is only safe for idempotent requests such as static GETs)

Install & Run

Mount the following host directories into the container. Create them first: a bind mount shadows whatever the image ships at that path, so /opt/nginx/etc must already contain nginx.conf, mime.types and the certificate files the config refers to.

  • log dir to /opt/nginx/log
  • config dir to /opt/nginx/etc
  • cache dir to /opt/nginx/cache
  • web root to /opt/www
# No tag or digest is given, so this resolves to :latest on every pull; pin a
# tag (and ideally an @sha256 digest) once you have verified a build.
docker pull cntrump/ubuntu_nginx_boringssl

# Bind mounts shadow the image's own paths: /opt/nginx/etc must already hold
# nginx.conf, mime.types and the certificates the config references.
# Ports 80 and 443 are published on every host interface.
docker run -d \
    -v /opt/nginx/etc:/etc/nginx \
    -v /opt/nginx/log:/var/log/nginx \
    -v /opt/www:/var/www \
    -v /opt/nginx/cache:/var/cache/nginx \
    -p 80:80 \
    -p 443:443 \
    cntrump/ubuntu_nginx_boringssl \
    /usr/sbin/nginx -g "daemon off;"

Using docker-compose

docker-compose.yml

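version: '3'
services:
  nginx:
    # No tag or digest: Docker resolves this to :latest on every pull, so the
    # image can change underneath you. Pin it (image:tag@sha256:...) once you
    # have verified a build.
    image: 'cntrump/ubuntu_nginx_boringssl'
    volumes:
      # A bind mount shadows the image's /etc/nginx, so the host directory
      # must already contain nginx.conf, mime.types and the certificates.
      # It can also be mounted :ro if your nginx build writes no pid/temp
      # files under /etc/nginx.
      - /opt/nginx/etc:/etc/nginx
      - /opt/nginx/log:/var/log/nginx
      - /opt/nginx/cache:/var/cache/nginx
      # nginx only reads the web root; mount it read-only.
      - /opt/www:/var/www:ro
    ports:
      # Quoted so YAML does not parse them as sexagesimal numbers.
      # These bind on every host interface.
      - '80:80'
      - '443:443'
    command: /usr/sbin/nginx -g "daemon off;"
    # `restart` is what the docker-compose CLI honours. `deploy.restart_policy`
    # only takes effect under `docker stack deploy` (swarm) and is ignored by
    # `docker-compose up/start`, so without `restart` a crashed nginx would
    # stay down. Both are kept so either deployment path restarts it.
    restart: on-failure
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s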
Create and start the service with `docker-compose up -d`; afterwards `docker-compose start/stop/restart nginx` manages the existing container.

Example nginx.conf

Example configuration that scores A+ on https://myssl.com. Replace `localhost` and the `/etc/nginx/yourdomain/` certificate paths with your own domain and certificate files.

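user  nginx;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    # Security headers for every response from every server below.
    #
    # nginx inherits add_header into a server{} or location{} only if that
    # level defines NO add_header of its own: a single add_header lower down
    # silently drops this whole set. Keep all of them here and do not redefine
    # any of them in a server or location (or repeat the full set there).
    # "always" emits the headers on error responses (4xx/5xx) as well.
    #
    # HSTS: browsers ignore it over plain HTTP, so it is harmless on the :80
    # redirect server. "preload" is a long-term commitment; keep it only if
    # you intend to submit the domain to hstspreload.org.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;  # legacy header; newer browsers ignore it

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    # Compression stays off. Compressing responses that echo request data over
    # TLS enables BREACH; the types below only apply if gzip is turned on.
    gzip  off;
    gzip_comp_level  1;
    gzip_types  text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png application/vnd.ms-fontobject font/ttf font/opentype font/x-woff image/svg+xml;

    root /var/www;

    # Plain-HTTP listener: redirect everything to HTTPS.
    server {
        listen       80;
        listen       [::]:80;
        server_name  localhost;
        # $request_uri carries the original path and query string verbatim;
        # "$uri?$args" re-emitted the decoded path and a dangling "?" when
        # there were no arguments. $host is taken from the client's Host
        # header (this is the only :80 server, so any Host is accepted);
        # use a literal hostname here if the redirect target must be fixed.
        return 301  https://$host$request_uri;
    }

    # HTTPS server
    server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;
        server_name  localhost;

        ssl_protocols  TLSv1.2 TLSv1.3;

        # 0-RTT (TLS 1.3 early data). Requests carried in early data can be
        # replayed by a network attacker. nginx exposes $ssl_early_data so an
        # application can refuse non-idempotent early requests (HTTP 425), e.g.
        # `proxy_set_header Early-Data $ssl_early_data;` in front of a backend.
        # This server only serves static files, where a replayed GET is harmless.
        ssl_early_data on;

        ssl_certificate /etc/nginx/yourdomain/fullchain.pem;
        ssl_certificate_key /etc/nginx/yourdomain/privkey.pem;

        # TLS 1.2 suites only: TLS 1.3 suites are fixed by BoringSSL and cannot
        # be selected through ssl_ciphers. The previous list contained names
        # that are not TLS cipher suites (*-AES256-GCM-SHA512,
        # TLS-CHACHA20-POLY1305-SHA256) and were silently ignored, DHE suites
        # that are only offered when ssl_dhparam is set (and which BoringSSL
        # dropped, to my knowledge - confirm for your build), and a CBC suite
        # (ECDHE-RSA-AES256-SHA384). Now ECDHE + AEAD only; the ECDSA variants
        # cover an ECDSA certificate and are unused with an RSA one.
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers  on;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        location / {
            index  index.html index.htm;
        }
    }
}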