v1.1.1 - TLS 1.2 support

- Added "HTTPS_PROTOCOLS" environment value to enable to customize TLS version. default value is "TLSv1.3". (because TLSv1.2 sometimes needed)
- READMD.md

README.md

@@ -10,7 +10,7 @@ Avoid the hassle of following security best practices each time you need a web s
 
 Non-exhaustive list of features :
 - HTTPS support with transparent Let's Encrypt automation
-- State-of-the-art web security : HTTP security headers, php.ini hardening, prevent leaks, ...
+- State-of-the-art web security : HTTP security headers, prevent leaks, TLS hardening, ...
 - Integrated ModSecurity WAF with the OWASP Core Rule Set
 - Automatic ban of strange behaviors with fail2ban
 - Antibot challenge through cookie, javascript, captcha or recaptcha v3
@@ -364,6 +364,11 @@ Values : *yes* | *no*
 Default value : *yes*  
 If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled.  
 
+`HTTPS_PROTOCOLS`  
+Values : *TLSv1.2* | *TLSv1.3* | *TLSv1.2 TLSv1.3*  
+Default value : *TLSv1.2 TLSv1.3*  
+The supported version of TLS. We recommend the default value *TLSv1.2 TLSv1.3* for compatibility reasons.
+
 ## ModSecurity
 
 `USE_MODSECURITY`  

VERSION

@@ -1 +1 @@
-1.1.0
+1.1.1

confs/dhparam

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

confs/https.conf

@@ -1,7 +1,11 @@
 listen 0.0.0.0:8443 ssl %HTTP2%;
 ssl_certificate %HTTPS_CERT%;
 ssl_certificate_key %HTTPS_KEY%;
-ssl_protocols TLSv1.3;
+ssl_protocols %HTTPS_PROTOCOLS%;
 ssl_prefer_server_ciphers off;
 ssl_session_tickets off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
 %STRICT_TRANSPORT_SECURITY%
+%SSL_DHPARAM%
+%SSL_CIPHERS%

entrypoint.sh

@@ -45,7 +45,7 @@ function spaces_to_lua() {
 }
 
 # copy stub confs
-cp /opt/confs/*.conf /etc/nginx
+cp /opt/confs/* /etc/nginx
 cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
 cp /opt/logs/logrotate.conf /etc/logrotate.conf
 cp -r /opt/lua/* /usr/local/lib/lua
@@ -84,6 +84,7 @@ BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
 BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
 AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
 HTTP2="${HTTP2-yes}"
+HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
 STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
 USE_MODSECURITY="${USE_MODSECURITY-yes}"
 USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
@@ -261,6 +262,14 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
 	else
 		replace_in_file "/etc/nginx/https.conf" "%HTTP2%" ""
 	fi
+	replace_in_file "/etc/nginx/https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
+	if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
+		replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
+		replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
+	else
+		replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" ""
+		replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" ""
+	fi
 	if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
 		replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
 	else