Add documentation, add support for nginx official http3 tag vs experimental quic tag

This commit is contained in:
patrickdk 2021-05-31 19:26:48 -04:00
parent 73f3f241a0
commit 113f2501d2
2 changed files with 40 additions and 11 deletions


@ -287,7 +287,7 @@ OpenSSL 1.1.1, Opera 57, and Safari 12.1. Note that this profile is **not** com
Other policies available through the `SSL_POLICY` environment variable are [`Mozilla-Old`](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility)
and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html)
`AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`.
`AWS-FS-1-2-Res-2020-10`, `AWS-FS-1-2-Res-2019-08`, `AWS-FS-1-2-2019-08`, `AWS-FS-1-1-2019-08`, `AWS-FS-2018-06`, `AWS-TLS-1-2-Ext-2018-06`, `AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`.
Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container generates
a 4096 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing
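Review bot: the newly documented policy names `AWS-FS-1-2-Res-2020-10`, `AWS-FS-1-2-Res-2019-08`, `AWS-FS-1-2-2019-08`, `AWS-FS-1-1-2019-08`, `AWS-FS-2018-06` and `AWS-TLS-1-2-Ext-2018-06` are not matched by any change to `SSL_POLICY` handling in the nginx.tmpl hunks of this commit (the 40 additions and 11 deletions are all accounted for by the HTTP/3 changes), and the commit message does not mention them. Confirm the template already maps these names to protocol and cipher settings; otherwise a user setting `SSL_POLICY=AWS-FS-1-2-Res-2020-10` gets the template's fallback rather than the policy they asked for, with no error. An unrelated README change like this is also better as its own commit so the history stays searchable.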
@ -321,6 +321,27 @@ is enabled with `max-age=31536000` for HTTPS sites. You can disable HSTS with t
even if they type in `http://` manually. The only way to get to an HTTP site after receiving an HSTS
response is to clear your browser's HSTS cache.
### HTTP/2 and HTTP/3 support
The default is to have HTTP/2 support enabled, as it is compiled into nginx. There is currently not native
support for HTTP/3 in nginx, so a custom nginx container would be needed to provide that currently.
An example container that works with HTTP/3 support currently is: ranadeeppolavarapu/nginx-http3
HTTP/2 provides multi-channel streaming and compression over a single connection, causing performance improvements,
less latency request times. But it suffers from the flaws of TCP due to packet loss, and this gets compounded
due to streaming many requests over a single connection. Any lost packets on the connection will cause delays
and stalls to all other requests that where made on that same connection.
More reading: [HTTP/2 Issues](https://www.twilio.com/blog/2017/10/http2-issues.html), [Comparing HTTP/3 vs HTTP/2](https://blog.cloudflare.com/http-3-vs-http-2/)
If you need to disable HTTP/2 support, you can include the environment variable `DISABLE_HTTP2=true`
If you are using an HTTP/3 (quic) enabled version of nginx you can pass `ENABLE_HTTP3=true`, and optionally
also also set `ALT_SVC` set to a custom alt-svc header, with the default currently set to h3-28 and h3-29.
When enabling HTTP/3 support, you will have to make sure you open up the udp port to it, according to your nginx
image used, normally 443/udp
If you are not using the nginx HTTP/3 preview build, you will likely need to use `ENABLE_HTTP3=quic` to use the
quic tag on the listen line in nginx instead of the http3 tag
### Basic Authentication Support
In order to be able to secure your virtual host, you have to create a file named as its equivalent VIRTUAL_HOST variable on directory
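Review bot: two typos in the added text, `also also set` should read `also set` and `requests that where made` should read `were made`. More useful to a reader deciding whether to turn this on: the three `ENABLE_HTTP3` values are explained in scattered sentences, so state in one place that `true` emits the `http3` listen parameter of the nginx HTTP/3 preview build, `quic` emits the `quic` parameter used by other HTTP/3 builds, and that passing the wrong one makes nginx refuse to start because the parameter is unknown. The default Alt-Svc advertises the draft tokens `h3-28` and `h3-29`; say that these track specific QUIC drafts and will have to be updated. The example image `ranadeeppolavarapu/nginx-http3` is a third-party build, so say so and recommend pinning it by digest rather than by tag. Finally, `normally 443/udp` should be tied to the same port as the HTTPS listen (the template reuses `$external_https_port` for the QUIC listen), and QUIC only runs over TLS 1.3, so an `SSL_POLICY` that does not allow TLSv1.3 leaves the UDP listener unable to complete a handshake while the header keeps sending clients to it.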
@ -336,6 +357,13 @@ $ docker run -d -p 80:80 -p 443:443 \
You'll need apache2-utils on the machine where you plan to create the htpasswd file. Follow these [instructions](http://httpd.apache.org/docs/2.2/programs/htpasswd.html)
### Client Certificates Support
Client certificates can be supported by defining the following environment variables:
`CLIENT_CA` to be set to the certificate to validate the clients against
`VERIFY_CLIENT` can be set to `on` to verify clients, `off` to ignore the client certificates, or `optional` the default to request but not verify
`VERIFY_DEPTH` to the depth to verify the client certificate
### Custom Nginx Configuration
If you need to configure Nginx beyond what is possible using environment variables, you can provide custom configuration files on either a proxy-wide or per-`VIRTUAL_HOST` basis.
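Review bot: the description of `VERIFY_CLIENT`, `optional` the default to request but not verify, does not match nginx's `ssl_verify_client optional`, which requests a certificate and verifies it when one is presented, rejecting a certificate that fails verification; `optional_no_verify` is the value that requests but skips verification. State which `ssl_verify_client` value each setting maps to, because a reader relying on `optional` to ignore bad certificates, or relying on it to reject them, gets the opposite of what they expect. Also say whether `CLIENT_CA` is a path inside the container or the certificate contents, and give `VERIFY_DEPTH` its default, since `VERIFY_CLIENT=on` is meaningless until the CA is loaded.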


@ -167,7 +167,8 @@ proxy_set_header Proxy "";
{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
{{ $http2 := (or (and (not $.Env.DISABLE_HTTP2) "http2") "") }}
{{ $enable_http3 := eq (or ($.Env.ENABLE_HTTP3) "") "true" }}
{{ $enable_http3 := (or (eq (or ($.Env.ENABLE_HTTP3) "") "true") (eq (or ($.Env.ENABLE_HTTP3) "") "quic")) }}
{{ $http3 := (or (and (eq (or ($.Env.ENABLE_HTTP3) "") "quic") "quic") "http3") }}
{{ $alt_svc := or ($.Env.ALT_SVC) (print "h3-28=\":" $external_https_port "\"; ma=86400, h3-29=\":" $external_https_port "\"; ma=86400") }}
server {
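Review bot: `$.Env.ENABLE_HTTP3` is read and defaulted three times across the two new lines; bind it once (`{{ $http3_mode := or $.Env.ENABLE_HTTP3 "" }}`) and derive `$enable_http3` and `$http3` from that, which also makes it obvious that any value other than `true` or `quic` (for example `1` or `yes`) silently disables HTTP/3 rather than erroring. The `$alt_svc` default hard-codes the draft tokens `h3-28` and `h3-29`, which only match clients on those exact drafts, so leave a comment marking this as the place to update. Since an `ALT_SVC` override lands verbatim inside a single-quoted `add_header` value further down, rejecting values containing `'` or a newline here would be cheaper than generating a config nginx cannot parse.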
@ -185,10 +186,10 @@ server {
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
{{ if $enable_http3 }}listen {{ $external_https_port }} quic reuseport;{{ end }}
{{ if $enable_http3 }}listen {{ $external_https_port }} {{ $http3 }} reuseport;{{ end }}
listen {{ $external_https_port }} ssl {{ $http2 }};
{{ if $enable_ipv6 }}
{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic reuseport;{{ end }}
{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} {{ $http3 }} reuseport;{{ end }}
listen [::]:{{ $external_https_port }} ssl {{ $http2 }};
{{ end }}
{{ $access_log }}
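Review bot: the QUIC listener is emitted regardless of the TLS configuration, but QUIC only works with TLS 1.3, so with an `SSL_POLICY` whose protocol list stops at TLSv1.2 this socket accepts UDP packets and never completes a handshake while `Alt-Svc` keeps steering clients to it. Either gate `$enable_http3` on the effective protocol list or document the constraint next to `ENABLE_HTTP3`. Keeping `reuseport` only on this first declaration of the address, as the hunk does, is right, since nginx rejects conflicting listen options for the same `address:port` across server blocks.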
@ -196,7 +197,7 @@ server {
{{ if $enable_http3 }}
# Add Alt-Svc header to negotiate HTTP/3.
add_header alt-svc '{{ $alt_svc }}';
add_header Alt-Svc '{{ $alt_svc }}';
{{ end }}
ssl_session_cache shared:SSL:50m;
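Review bot: `{{ $alt_svc }}` is substituted verbatim inside the single quotes of `add_header Alt-Svc '...'`, so an `ALT_SVC` value containing `'` or a newline yields a config nginx refuses to load, and one containing `;` or `}` can terminate the directive or the block early. The value comes from an environment variable on the proxy container, so this is an operator foot-gun rather than a remote injection, but it still deserves validation in the template or a note in the README. Changing `alt-svc` to `Alt-Svc` is cosmetic, since header names are case-insensitive, and fine.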
@ -326,17 +327,17 @@ server {
{{ if $server_tokens }}
server_tokens {{ $server_tokens }};
{{ end }}
{{ if $enable_http3 }}listen {{ $external_https_port }} quic {{ $default_server }};{{ end }}
{{ if $enable_http3 }}listen {{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
listen {{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
{{ if $enable_ipv6 }}
{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic {{ $default_server }};{{ end }}
{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
listen [::]:{{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
{{ end }}
{{ $access_log }}
{{ if $enable_http3 }}
# Add Alt-Svc header to negotiate HTTP/3.
add_header alt-svc '{{ $alt_svc }}';
add_header Alt-Svc '{{ $alt_svc }}';
{{ end }}
{{ if eq $network_tag "internal" }}
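Review bot: this per-vhost server block enables QUIC and advertises `Alt-Svc` for every `VIRTUAL_HOST` as soon as `ENABLE_HTTP3` is set on the proxy, with no per-host opt-out, even though `VIRTUAL_HOST` itself is a per-container setting. Consider a per-container override (a hypothetical `HTTP3=false` on the backend, for example) so a host whose upstream or certificate is not ready is not advertised over HTTP/3. Emitting `{{ $default_server }}` on the QUIC listen as well as the TLS one is correct, so the fallback block answers QUIC connections for unknown SNI too.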
@ -462,10 +463,10 @@ server {
{{ if $server_tokens }}
server_tokens {{ $server_tokens }};
{{ end }}
{{ if $enable_http3 }}listen {{ $external_https_port }} quic {{ $default_server }};{{ end }}
{{ if $enable_http3 }}listen {{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
listen {{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
{{ if $enable_ipv6 }}
{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic {{ $default_server }};{{ end }}
{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} {{ $http3 }} {{ $default_server }};{{ end }}
listen [::]:{{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
{{ end }}
{{ $access_log }}
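Review bot: the same `{{ if $enable_http3 }}listen ... {{ $http3 }} ...` pair now appears in three server blocks, differing only in `reuseport` versus `{{ $default_server }}`; moving them into a template `define` that takes the extra listen parameter would turn the next listen-parameter rename (this commit is already the second spelling) into a one-line change instead of six edits and removes the risk of one block being missed.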
@ -473,7 +474,7 @@ server {
{{ if $enable_http3 }}
# Add Alt-Svc header to negotiate HTTP/3.
add_header alt-svc '{{ $alt_svc }}';
add_header Alt-Svc '{{ $alt_svc }}';
{{ end }}
ssl_certificate /etc/nginx/certs/default.crt;
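Review bot: this `add_header Alt-Svc` sits at server level, as do the two other copies, and nginx only inherits `add_header` into a `location` that declares no `add_header` of its own; any per-`VIRTUAL_HOST` custom configuration (the README's Custom Nginx Configuration section) that adds HSTS, CSP or similar headers inside a location will silently drop `Alt-Svc` and that host stops being upgraded to HTTP/3. Either document that custom configs must repeat the header, or emit it with `always` inside the locations the template generates; `always` is also needed if the advertisement should appear on error responses rather than only on the default success and redirect codes.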