absmach · drasko · Apr 2, 2019 · Mar 15, 2019 · Mar 26, 2019 · Mar 26, 2019
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -14,12 +14,14 @@ networks:
 
 services:
   nginx:
-    image: nginx:1.14.2-alpine
+    image: nginx:1.14.2
     container_name: mainflux-nginx
     restart: on-failure
     volumes:
-      - ./nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx/nginx-${AUTH-key}.conf:/etc/nginx/nginx.conf
+      - ./ssl/authorization.js:/etc/nginx/authorization.js
       - ./ssl/certs/mainflux-server.crt:/etc/ssl/certs/mainflux-server.crt
+      - ./ssl/certs/ca.crt:/etc/ssl/certs/ca.crt
       - ./ssl/certs/mainflux-server.key:/etc/ssl/private/mainflux-server.key
       - ./ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem
     ports:

diff --git a/docker/nginx.conf → docker/nginx/nginx-key.conf b/docker/nginx.conf → docker/nginx/nginx-key.conf
@@ -1,94 +1,49 @@
-###
-# Mainflux NGINX Conf
 #
-# Taken for /etc/nginx/nginx.conf on Debian machine
-# and https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/nginx.conf
-###
+# Copyright (c) 2018
+# Mainflux
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# This is the default Mainflux NGINX configuration.
 
-##
-# User:
-# - 'www-data' on Debian
-# - 'nginx' on Alpine
-##
-#user www-data;
 user nginx;
 worker_processes auto;
 pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
 
 events {
     worker_connections 768;
-    # multi_accept on;
 }
 
-###
-# HTTP
-###
 http {
-
-    ##
-    # Basic Settings
-    ##
     sendfile on;
     tcp_nopush on;
     tcp_nodelay on;
     keepalive_timeout 65;
     types_hash_max_size 2048;
-    # server_tokens off;
-
-    # server_names_hash_bucket_size 64;
-    # server_name_in_redirect off;
 
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
 
-    ##
-    # SSL Settings
-    ##
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+    ssl_protocols TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
 
-    ##
-    # Logging Settings
-    ##
     access_log /var/log/nginx/access.log;
     error_log /var/log/nginx/error.log;
 
-    ##
-    # Virtual Host Configs
-    ##
-
-    # HTTPS
     server {
         listen 80 default_server;
         listen [::]:80 default_server;
-        # SSL configuration
-        #
         listen 443 ssl http2 default_server;
         listen [::]:443 ssl http2 default_server;
 
-        #
-        # Note: You should disable gzip for SSL traffic.
-        # See: https://bugs.debian.org/773332
-        #
-        # Read up on ssl_ciphers to ensure a secure configuration.
-        # See: https://bugs.debian.org/765782
-        #
-        # Self signed certs generated by the ssl-cert package
-        # Don't use them in a production server!
-        #
-        # include snippets/snakeoil.conf;
-
-        # Certificates
+        # These paths are set to its default values as
+        # a volume in the docker/docker-compose.yml file.
         ssl_certificate /etc/ssl/certs/mainflux-server.crt;
         ssl_certificate_key /etc/ssl/private/mainflux-server.key;
         ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
-
-        # from https://cipherli.st/
-        # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_protocols TLSv1.2 TLSv1.3;
         ssl_prefer_server_ciphers on;
         ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
         ssl_ecdh_curve secp384r1;
@@ -98,15 +53,12 @@ http {
         resolver 8.8.8.8 8.8.4.4 valid=300s;
         resolver_timeout 5s;
 
-        # Disable preloading HSTS for now.  You can use the commented out header line that includes
-        # the "preload" directive if you understand the implications.
-        #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
         add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
         add_header X-Frame-Options DENY;
         add_header X-Content-Type-Options nosniff;
         add_header Access-Control-Allow-Origin '*';
         add_header Access-Control-Allow-Methods '*';
-        add_header Access-Control-Allow-Headers "*";
+        add_header Access-Control-Allow-Headers '*';
 
         server_name localhost;
 
@@ -200,8 +152,8 @@ http {
                 return 200;
             }
         }
-
-        # Proxy pass to mainflux-mqtt-adapter
+        
+        # Proxy pass to mainflux-mqtt-adapter over WS
         location /mqtt {
             proxy_redirect off;
             proxy_set_header Host $host;
@@ -244,21 +196,17 @@ http {
 
 # MQTT
 stream {
-    # MQTT
     server {
         listen 8883 ssl;
         listen [::]:8883 ssl;
 
-        # Certificates
+        # These paths are set to its default values as
+        # a volume in the docker/docker-compose.yml file.
         ssl_certificate /etc/ssl/certs/mainflux-server.crt;
         ssl_certificate_key /etc/ssl/private/mainflux-server.key;
         ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
-
-        # from https://cipherli.st/
-        # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_protocols TLSv1.2 TLSv1.3;
         ssl_prefer_server_ciphers on;
         ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
         ssl_ecdh_curve secp384r1;