Merge branch 'hypernext'

* hypernext:
  bring back ipv6 conf
  changelog
  refresh the tls nginx conf, only use tls1.3 now
  add some nginx timeout config
  Set `keepalive_timeout` default value to 10s (see 2.4.3 of nginx cis benchmark)
  update nginx to 1.23.4

CHANGELOG.md

@@ -1,6 +1,13 @@
 # Container image version
 # Note: the version here is from `ELABIMG_VERSION` present in Dockerfile, not the tagged one
 
+# 4.2.0
+
+* Update nginx from 1.23.1 to 1.23.4
+* Set `keepalive_timeout` default value to 10s (see 2.4.3 of nginx cis benchmark)
+* Add more nginx timeout settings
+* Only use TLS1.3 in nginx in TLS mode
+
 # 4.1.0
 
 * Add /nginx-status for metrics about nginx process. This endpoint is password protected by `STATUS_PASSWORD`. If this variable is not set, a random password is generated, effectively disabling access to this endpoint.

Dockerfile

@@ -6,7 +6,7 @@
 # Note: no need to chain the RUN commands here as it's a builder image and nothing will be kept
 FROM alpine:3.16 as nginx-builder
 
-ENV NGINX_VERSION=1.23.1
+ENV NGINX_VERSION=1.23.4
 # releases can be signed by any key on this page https://nginx.org/en/pgp_keys.html
 # so this might need to be updated for a new release
 # available keys: mdounin, maxim, sb, thresh
@@ -108,7 +108,7 @@ RUN abuild-keygen -n -a && abuild && find /home/builder/packages -type f -name '
 FROM alpine:3.16
 
 # this is versioning for the container image
-ENV ELABIMG_VERSION=4.1.0
+ENV ELABIMG_VERSION=4.2.0
 
 # the target elabftw version is passed with --build-arg
 # it is a mandatory ARG

src/docker-compose.yml-EXAMPLE

@@ -211,9 +211,9 @@ services:
 
         # optional: modify the keepalive_timeout value
         # nginx doc: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
-        # default: 100s
-        # example value: 120s
-        #- KEEPALIVE_TIMEOUT=100s
+        # default: 10s
+        # example value: 5s
+        #- KEEPALIVE_TIMEOUT=10s
 
         #######################
         # REDIS CONFIGURATION #

src/init/prepare.sh

@@ -35,7 +35,8 @@ getEnv() {
     unset SECRET_KEY
     max_php_memory=${MAX_PHP_MEMORY:-256M}
     max_upload_size=${MAX_UPLOAD_SIZE:-100M}
-    keepalive_timeout=${KEEPALIVE_TIMEOUT:-100s}
+    # CIS benchmark nginx 2.0.0 2.4.3
+    keepalive_timeout=${KEEPALIVE_TIMEOUT:-10s}
     php_timezone=${PHP_TIMEZONE:-Europe/Paris}
     set_real_ip=${SET_REAL_IP:-false}
     set_real_ip_from=${SET_REAL_IP_FROM:-192.168.31.48}

src/nginx/http.conf

@@ -3,6 +3,7 @@
 # http server for /elabftw
 server {
     listen 443;
+    # this line gets uncommented if ENABLE_IPV6 is true
     #listen [::]:443;
 
     server_name %SERVER_NAME%;

src/nginx/https.conf

@@ -3,6 +3,7 @@
 # https server for /elabftw
 server {
     listen 443 ssl http2;
+    # this line gets uncommented if ENABLE_IPV6 is true
     #listen [::]:443 ssl http2;
 
     server_name %SERVER_NAME%;
@@ -12,20 +13,14 @@ server {
     # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
     ssl_certificate %CERT_PATH%;
     ssl_certificate_key %KEY_PATH%;
+
+    # config from https://ssl-config.mozilla.org
     ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:50m;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
     ssl_session_tickets off;
 
-    # modern configuration. tweak to your needs.
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-    ssl_prefer_server_ciphers on;
-
-    # OCSP Stapling ---
-    # fetch OCSP records from URL in ssl_certificate and cache them
-    #ssl_stapling on;
-    #ssl_stapling_verify on;
-
-    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
-    #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+    # modern configuration
+    ssl_protocols TLSv1.3;
+    # we do not set ssl_prefer_server_ciphers on anymore, but
+    # let the client decide, see https://github.com/mozilla/server-side-tls/issues/260 (off is the default)
 }

src/nginx/nginx.conf

@@ -17,6 +17,11 @@ http {
     sendfile on;
     # by default nginx will not allow them, but they are valid and useful in some contexts (OIDC)
     underscores_in_headers on;
+    # timeouts
+    # see CIS benchmark nginx 2.4.4
+    client_body_timeout   10s;
+    client_header_timeout 10s;
+    send_timeout          10s;
     keepalive_timeout %KEEPALIVE_TIMEOUT%;
     client_max_body_size %CLIENT_MAX_BODY_SIZE%;
     client_body_buffer_size 100m;