Remove dhparams.pem and update nginx configuration for improved security and compliance with Mozilla guidelines#197
…ity and compliance with Mozilla guidelines

Signed-off-by: Eric Nemchik <eric@nemchik.com>
Pull request overview
Updates the base image’s default Nginx TLS configuration to align with newer Mozilla SSL Config Generator guidance, removing legacy DH parameter handling and reorganizing the sample SSL config for clarity and modern recommendations.
Changes:
- Removed DH parameter provisioning/downloading from init startup (and removed the bundled `dhparams.pem`).
- Updated `ssl.conf.sample` to Mozilla guideline v6.0 output (ECDHE-only cipher list, updated curves, session settings, and reorganized header suggestions).
- Updated the commented resolver example to use bracketed IPv6 literals.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| root/etc/s6-overlay/s6-rc.d/init-nginx/run | Removes DH params copy/download logic from first-start init. |
| root/defaults/nginx/ssl.conf.sample | Refreshes Mozilla-based TLS recommendations and reorganizes security header commentary. |
| root/defaults/nginx/nginx.conf.sample | Updates resolver example to proper IPv6 literal syntax. |
| root/defaults/nginx/dhparams.pem | Removes the bundled DH parameters file. |
I am a bot, here are the test results for this PR:
Signed-off-by: Eric Nemchik <eric@nemchik.com>
I am a bot, here are the test results for this PR:
Ref: mozilla/ssl-config-generator#252
Ref: https://github.com/mozilla/ssl-config-generator/blob/858f8f74a4fd1293a3a7f5ab0c16eb1eb891393a/src/js/helpers/nginx.js#L65-L70
`ssl_session_tickets` has been changed in nginx so disabling is no longer needed or recommended.
Ref: https://github.com/mozilla/ssl-config-generator/blob/5325c35c365a080dd88975d99b08fac4f30858fa/README.md?plain=1#L103
Ref: https://github.com/mozilla/ssl-config-generator/blob/5325c35c365a080dd88975d99b08fac4f30858fa/src/js/helpers/nginx.js#L72-L77
Ref: https://github.com/mozilla/ssl-config-generator/blob/5325c35c365a080dd88975d99b08fac4f30858fa/src/js/state.js#L151
`ssl_dhparam` is no longer used as this ships only ECDHE ciphers and uses TLS 1.2 or higher.

Additional security recommendations from Mozilla are now noted in comments and the file has been a little reorganized to reflect them.
Notable changes:
- `#add_header Access-Control-Allow-Origin $http_origin always;` (Mozilla security recommendation)
- `base-uri 'self'; form-action 'self';` added to `Content-Security-Policy` (Mozilla Observatory recommendation)
- `#add_header Cross-Origin-Resource-Policy "same-origin" always;` (Mozilla security recommendation)

Additional note:

`/config/nginx/dhparams.pem` is not removed from existing setups. If users update their conf, the file does nothing. If users delete `/config/nginx/dhparams.pem` and do not update their conf their setup will break and we should recommend updating their conf.
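The migration caveat above, as an added example that is not part of PR #197 or the base image: a POSIX shell linter for the four points raised in this thread (a dangling `ssl_dhparam` after `dhparams.pem` is deleted, a dead-weight `ssl_dhparam` next to an ECDHE-only cipher list, `ssl_session_tickets off;`, and a bare IPv6 resolver literal). The directive names are real nginx directives; the sample configs inside the script are constructed to resemble the old and new `ssl.conf.sample` and are not copied from the repository, and the function names (`directive`, `dhparam_status`, `lint`, `finding_count`) are my own.

```shell
#!/bin/sh
# Added example, not code from PR #197 or the linuxserver base image.
# Lints an nginx TLS config fragment for the migration points raised in the
# thread. Directive names are real nginx directives; every config further
# down is constructed for the demo.

# directive CONF NAME -> prints the first NAME directive's arguments, without ';'.
directive() {
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" \
    | head -n 1
}

# needs_dhparam CONF -> 0 when the cipher list can negotiate a finite-field
# DHE suite, the only case in which nginx reads ssl_dhparam; 1 for ECDHE-only
# lists. Group aliases (HIGH, DEFAULT, ...) and a missing ssl_ciphers (nginx
# default HIGH:!aNULL:!MD5) are treated conservatively as DHE-capable.
needs_dhparam() {
  ciphers=$(directive "$1" ssl_ciphers)
  [ -n "$ciphers" ] || ciphers='HIGH:!aNULL:!MD5'
  printf '%s\n' "$ciphers" | tr ':' '\n' | grep -v '^[!-]' \
    | grep -qE '^((DHE|EDH|ADH|DH)-|(kDHE|kEDH|DHE|EDH|DH|ADH|aDH|ALL|HIGH|MEDIUM|DEFAULT|COMPLEMENTOFDEFAULT)$)'
}

# dhparam_status CONF -> absent | broken | deadweight | active
dhparam_status() {
  path=$(directive "$1" ssl_dhparam)
  if [ -z "$path" ]; then echo absent            # nothing to migrate
  elif [ ! -f "$path" ]; then echo broken        # nginx -t fails on a missing file
  elif needs_dhparam "$1"; then echo active      # file really is used
  else echo deadweight; fi                       # file exists but no suite uses it
}

# session_tickets_disabled CONF -> 0 if `ssl_session_tickets off;` is set.
session_tickets_disabled() {
  [ "$(directive "$1" ssl_session_tickets)" = off ]
}

# unbracketed_ipv6_resolver CONF -> 0 if a resolver address is a bare IPv6
# literal (two or more colons, not wrapped in []), which nginx does not accept.
unbracketed_ipv6_resolver() {
  directive "$1" resolver | tr ' ' '\n' | grep -v '=' | grep -v '^\[' | grep -qE ':.*:'
}

# lint CONF -> one line per finding; prints nothing for a clean config.
lint() {
  case $(dhparam_status "$1") in
    broken)     echo "ssl_dhparam: file missing, nginx will not start; drop the directive or restore the file" ;;
    deadweight) echo "ssl_dhparam: unused with an ECDHE-only cipher list; drop the directive" ;;
  esac
  ! session_tickets_disabled "$1" || echo "ssl_session_tickets off: no longer needed or recommended"
  ! unbracketed_ipv6_resolver "$1" || echo "resolver: wrap IPv6 literals in [], e.g. [2001:db8::53]"
}

# finding_count CONF -> number of lint findings.
finding_count() { lint "$1" | grep -c .; }

# --- constructed sample configs (not from the repository) ---------------------
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
: > "$TMP/dhparams.pem"       # stand-in for /config/nginx/dhparams.pem

# Shape of the pre-#197 sample: DHE suites, ssl_dhparam, tickets off, bare IPv6.
LEGACY="ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam $TMP/dhparams.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_tickets off;
resolver 2001:db8::53 valid=30s;"

# User deleted dhparams.pem but kept the old conf: the breaking case from the thread.
LEGACY_FILE_GONE=$(printf '%s\n' "$LEGACY" | sed "s#$TMP/dhparams.pem#$TMP/gone.pem#")

# User switched to the ECDHE-only list but left ssl_dhparam in place: works, dead weight.
HALF_UPDATED="ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam $TMP/dhparams.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;"

# Spirit of the updated sample: no ssl_dhparam, ECDHE only, tickets at default, bracketed IPv6.
MODERN="ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
resolver [2001:db8::53] valid=30s;"

for name in LEGACY LEGACY_FILE_GONE HALF_UPDATED MODERN; do
  eval "conf=\$$name"
  echo "== $name: ssl_dhparam $(dhparam_status "$conf")"
  lint "$conf" | sed 's/^/   /'
done
```

Run it against a real `/config/nginx/ssl.conf` by passing the file's contents (`lint "$(cat /config/nginx/ssl.conf)"`) after sourcing the functions; `broken` is the state a user lands in by deleting `dhparams.pem` without updating their conf, and `deadweight` is the state of a conf that adopted the new cipher list but still carries the old directive.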