diff --git a/confs/dhparam b/confs/dhparam
new file mode 100644
index 0000000..088f967
--- /dev/null
+++ b/confs/dhparam
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
\ No newline at end of file
diff --git a/confs/https.conf b/confs/https.conf
index 3cf82c7..5e9c91b 100644
--- a/confs/https.conf
+++ b/confs/https.conf
@@ -5,3 +5,5 @@ ssl_protocols %HTTPS_PROTOCOLS%;
 ssl_prefer_server_ciphers off;
 ssl_session_tickets off;
 %STRICT_TRANSPORT_SECURITY%
+%SSL_DHPARAM%
+%SSL_CIPHERS%
diff --git a/entrypoint.sh b/entrypoint.sh
index 27297e1..315638a 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -84,7 +84,7 @@ BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
 BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
 AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
 HTTP2="${HTTP2-yes}"
-HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.3}"
+HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
 STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
 USE_MODSECURITY="${USE_MODSECURITY-yes}"
 USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
@@ -262,10 +262,13 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
 else
 replace_in_file "/etc/nginx/https.conf" "%HTTP2%" ""
 fi
- if [ "$HTTPS_PROTOCOLS" != "" ] ; then
- replace_in_file "/etc/nginx/https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
+ replace_in_file "/etc/nginx/https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
+ if [ "$(echo $lel | grep TLSv1.2)" != "" ] ; then
+ replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
+ replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
 else
- replace_in_file "/etc/nginx/https.conf" "%HTTPS_PROTOCOLS%" ""
+ replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" ""
+ replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" ""
 fi
 if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
 replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
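Review bot: The new guard `if [ "$(echo $lel | grep TLSv1.2)" != "" ]` tests `$lel`, which nothing in this hunk assigns; unless it is set elsewhere in the script the condition is always false, the `else` branch runs, and the `ssl_dhparam` and `ssl_ciphers` directives this commit introduces are never written, so the TLS 1.2 cipher restriction and the shipped DH group would be silently inert. The test should look at the protocol list the line above just wrote into the config: `if printf '%s\n' "$HTTPS_PROTOCOLS" | grep -q 'TLSv1\.2' ; then`, which also quotes the expansion and escapes the dot so the pattern matches only the literal protocol name. A default-TLS 1.2 deployment should be verified once this is fixed by checking the generated https.conf contains `ssl_ciphers`, since the current code produces a valid config either way and nginx will not flag the omission. The enclosing `if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || …` block starts outside the hunk.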