fancyremarker/docker-nginx

aptible/nginx

Docker Repository on Quay.io

NGiNX HTTP reverse proxy server.

Installation and Usage

docker pull quay.io/aptible/nginx
docker run -P quay.io/aptible/nginx

To proxy to one or more upstream hosts and ports, set the UPSTREAM_SERVERS environment variable to a comma-separated list of host:port pairs:

docker run -P -e UPSTREAM_SERVERS=host1:3000,host2:4000 quay.io/aptible/nginx

The server starts with a default self-signed certificate. To load in your own certificate and private key, pass them in as mounted Docker "volumes." For example:

docker run -v /path/to/server.key:/etc/nginx/ssl/server.key -v /path/to/server.crt:/etc/nginx/ssl/server.crt quay.io/aptible/nginx

To force SSL, set the FORCE_SSL environment variable to true:

docker run -e FORCE_SSL=true quay.io/aptible/nginx

Configuring supported protocols and cipher suites

The default set of protocols and cipher suites exposed in our NGiNX configuration aims to balance security and compatibility with older clients. This default configuration mitigates the POODLE vulnerabilities by only allowing SSLv3 with the RC4 cipher: POODLE is a padding-oracle attack on CBC-mode suites under SSLv3, and RC4 is a stream cipher with no padding to attack. At the same time, it's accommodating enough to support even a default installation of IE6 on Windows XP, or use as a custom origin behind AWS CloudFront over SSLv3/TLS1.

There is, however, mounting evidence that RC4 is broken, which would mean that SSLv3 could not be used safely at all. To use a configuration that trades some compatibility for security, set the DISABLE_WEAK_CIPHER_SUITES environment variable to true:

docker run -e DISABLE_WEAK_CIPHER_SUITES=true quay.io/aptible/nginx

This flag turns off SSLv3 as well as the RC4 cipher. The configuration it generates earns an A+ on the Qualys SSL Labs SSL Server Test while providing compatibility with almost all clients that Qualys tests. The lone exception is IE 6 on Windows XP, which only fails because Qualys tests the default installation: if TLS 1.0 is enabled in IE 6, our configuration can be used to connect.
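The script below is an added illustration, not the image's own entrypoint or nginx.conf, of how the three environment variables documented above (UPSTREAM_SERVERS, FORCE_SSL and DISABLE_WEAK_CIPHER_SUITES) could be turned into NGiNX directives, together with the check a practitioner would want before starting the server: that a "strict" rendering no longer admits SSLv3 or any RC4 suite. The two cipher lists, the `backend` upstream name and the `:80` default for entries without a port are assumptions of this example and are not taken from the image.

```shell
#!/bin/sh
# Added illustration, not the aptible/nginx image's own entrypoint: renders the
# nginx directives implied by UPSTREAM_SERVERS, FORCE_SSL and
# DISABLE_WEAK_CIPHER_SUITES. Cipher lists are this example's own choices.

# Compatibility profile: SSLv3 stays enabled, but the only suite it can use is
# RC4 (a stream cipher), because POODLE needs a CBC-padded suite under SSLv3.
COMPAT_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"
COMPAT_CIPHERS="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK"

# Strict profile (DISABLE_WEAK_CIPHER_SUITES=true): SSLv3 dropped and RC4
# negated outright, so an SSLv3-only or RC4-only client is refused.
STRICT_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"
STRICT_CIPHERS="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"

# render_upstream "host1:3000,host2:4000" -> one "server" line per entry.
# Entries without a port get :80 (this script's choice, not the image's).
render_upstream() {
  printf 'upstream backend {\n'
  # Split on commas inside a subshell so the caller's IFS is untouched.
  ( IFS=','
    for entry in $1; do
      [ -z "$entry" ] && continue
      case $entry in
        *:*) printf '  server %s;\n' "$entry" ;;
        *)   printf '  server %s:80;\n' "$entry" ;;
      esac
    done )
  printf '}\n'
}

# render_ssl_directives "$DISABLE_WEAK_CIPHER_SUITES" -> protocol and cipher
# lines for the chosen profile, with the server's preference order enforced.
render_ssl_directives() {
  if [ "$1" = "true" ]; then
    protocols=$STRICT_PROTOCOLS; ciphers=$STRICT_CIPHERS
  else
    protocols=$COMPAT_PROTOCOLS; ciphers=$COMPAT_CIPHERS
  fi
  printf 'ssl_protocols %s;\nssl_ciphers %s;\nssl_prefer_server_ciphers on;\n' \
    "$protocols" "$ciphers"
}

# render_force_ssl "$FORCE_SSL" -> a plain-HTTP server block that only
# redirects to HTTPS when FORCE_SSL=true; nothing otherwise.
render_force_ssl() {
  if [ "$1" = "true" ]; then
    printf 'server {\n  listen 80;\n  return 301 https://$host$request_uri;\n}\n'
  fi
}

# allows_weak_tls CONFIG_TEXT -> succeeds (exit 0) if the rendered config still
# enables SSLv3 or a positively listed RC4 suite. A "!RC4" exclusion does not
# count, which is why the cipher list is split on ':' and anchored on "^RC4".
allows_weak_tls() {
  printf '%s\n' "$1" | grep -q 'ssl_protocols.*SSLv3' && return 0
  printf '%s\n' "$1" | sed -n 's/^ssl_ciphers //p' | tr ':' '\n' | grep -q '^RC4' && return 0
  return 1
}

# Render everything for the environment the container would see.
render_all() {
  render_upstream "${UPSTREAM_SERVERS:-host1:3000,host2:4000}"
  render_force_ssl "${FORCE_SSL:-false}"
  render_ssl_directives "${DISABLE_WEAK_CIPHER_SUITES:-false}"
}

render_all
```

Run it as `DISABLE_WEAK_CIPHER_SUITES=true sh render.sh` and feed the output into a `server` block that also carries the `ssl_certificate` and `ssl_certificate_key` paths from the volume mounts above; `allows_weak_tls "$(render_ssl_directives "$DISABLE_WEAK_CIPHER_SUITES")"` is the pre-flight check that the strict flag actually took effect. One caveat for readers applying this today: the SSLv3/TLS1.0 compatibility story is specific to the 2014-era NGiNX 1.6.2 image this page describes; current OpenSSL builds do not support SSLv3 at all, and TLS 1.0/1.1 are themselves deprecated, so the strict profile is the floor rather than the ceiling.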

Simulating trusted SSL connections

If you're on OS X running boot2docker, you can configure your system to trust NGiNX's self-signed certificate by taking the following steps:

  1. Add an entry to your /etc/hosts file mapping "example.com" to your Docker IP address:

     echo "$(boot2docker ip 2>/dev/null) example.com" | sudo tee -a /etc/hosts
    
  2. Start your NGiNX container in the background, copy the automatically generated certificate to a temporary file, then open it in Keychain:

     ID=$(docker run -d -p 80:80 -p 443:443 quay.io/aptible/nginx)
     docker cp ${ID}:/etc/nginx/ssl/server.crt /tmp/
     open /tmp/server.crt
    
  3. Choose to "always trust" it within Keychain.

  4. Visit https://example.com and see the trusted certificate.

Available Tags

  • latest: Currently NGiNX 1.6.2

Deployment

To push the Docker image to Quay, run the following command:

make release

Copyright and License

MIT License, see LICENSE for details.

Copyright (c) 2014 Aptible and contributors.
