add ssl conf

Author: makasim

base/Dockerfile

@@ -23,8 +23,9 @@ RUN ln -sf /dev/stderr /var/log/nginx/access.log \
 
 RUN rm -f /etc/nginx/sites-enabled/*
 
-COPY nginx.conf.tpl /tmp/nginx.conf.tpl
-COPY php-fpm.conf.tpl /tmp/php-fpm.conf.tpl
+COPY nginx.conf.tpl /nginx.conf.tpl
+COPY nginx_ssl.conf.tpl /nginx_ssl.conf.tpl
+COPY php-fpm.conf.tpl /php-fpm.conf.tpl
 COPY defaults.ini /etc/php/7.2/cli/conf.d/defaults.ini
 COPY defaults.ini /etc/php/7.2/fpm/conf.d/defaults.ini
 

base/entrypoint.sh

@@ -5,15 +5,22 @@ export NGINX_PHP_FALLBACK=${NGINX_PHP_FALLBACK:-'/index.php'}
 export NGINX_PHP_LOCATION=${NGINX_PHP_LOCATION:-'^/index\.php(/|$$)'}
 export NGINX_USER=${NGINX_USER:-'www-data'}
 export NGINX_CONF=${NGINX_CONF:-'/etc/nginx/nginx.conf'}
+export NGINX_SSL_PUBLIC_CERTIFICATE=${NGINX_SSL_PUBLIC_CERTIFICATE:-''}
+export NGINX_SSL_PRIVATE_CERTIFICATE=${NGINX_SSL_PRIVATE_CERTIFICATE:-''}
 
 export PHP_SOCK_FILE=${PHP_SOCK_FILE:-'/run/php.sock'}
 export PHP_USER=${PHP_USER:-'www-data'}
 export PHP_GROUP=${PHP_GROUP:-'www-data'}
 export PHP_MODE=${PHP_MODE:-'0660'}
 export PHP_FPM_CONF=${PHP_FPM_CONF:-'/etc/php/7.2/fpm/php-fpm.conf'}
 
-envsubst '${NGINX_WEB_ROOT} ${NGINX_PHP_FALLBACK} ${NGINX_PHP_LOCATION} ${NGINX_USER} ${NGINX_CONF} ${PHP_SOCK_FILE} ${PHP_USER} ${PHP_GROUP} ${PHP_MODE} ${PHP_FPM_CONF}' < /tmp/nginx.conf.tpl > $NGINX_CONF
-envsubst '${NGINX_WEB_ROOT} ${NGINX_PHP_FALLBACK} ${NGINX_PHP_LOCATION} ${NGINX_USER} ${NGINX_CONF} ${PHP_SOCK_FILE} ${PHP_USER} ${PHP_GROUP} ${PHP_MODE} ${PHP_FPM_CONF}' < /tmp/php-fpm.conf.tpl > $PHP_FPM_CONF
+envsubst '${NGINX_WEB_ROOT} ${NGINX_PHP_FALLBACK} ${NGINX_PHP_LOCATION} ${NGINX_USER} ${NGINX_CONF} ${PHP_SOCK_FILE} ${PHP_USER} ${PHP_GROUP} ${PHP_MODE} ${PHP_FPM_CONF}' < /nginx.conf.tpl > $NGINX_CONF
+envsubst '${NGINX_WEB_ROOT} ${NGINX_PHP_FALLBACK} ${NGINX_PHP_LOCATION} ${NGINX_USER} ${NGINX_CONF} ${PHP_SOCK_FILE} ${PHP_USER} ${PHP_GROUP} ${PHP_MODE} ${PHP_FPM_CONF}' < /php-fpm.conf.tpl > $PHP_FPM_CONF
+
+if [ ! -z "$NGINX_SSL_PUBLIC_CERTIFICATE" ]
+then
+      envsubst '${NGINX_SSL_PUBLIC_CERTIFICATE} ${NGINX_SSL_PRIVATE_CERTIFICATE} ${NGINX_WEB_ROOT} ${NGINX_PHP_FALLBACK} ${NGINX_PHP_LOCATION} ${NGINX_USER} ${NGINX_CONF} ${PHP_SOCK_FILE} ${PHP_USER} ${PHP_GROUP} ${PHP_MODE} ${PHP_FPM_CONF}' < /nginx_ssl.conf.tpl > /etc/nginx/conf.d/nginx_ssl.conf
+fi
 
 TRAPPED_SIGNAL=false
 

base/nginx_ssl.conf.tpl

@@ -0,0 +1,44 @@
+
+server {
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+    root $NGINX_WEB_ROOT;
+
+    location / {
+        try_files $uri $NGINX_PHP_FALLBACK$is_args$args;
+    }
+    location ~ $NGINX_PHP_LOCATION {
+        fastcgi_pass unix:$PHP_SOCK_FILE;
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+
+        internal;
+    }
+
+    # return 404 for all other php files not matching the front controller
+    # this prevents access to other php files you don't want to be accessible.
+    location ~ \.php$ {
+        return 404;
+    }
+
+    ssl_certificate $NGINX_SSL_PUBLIC_CERTIFICATE;
+    ssl_certificate_key $NGINX_SSL_PRIVATE_CERTIFICATE;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+    ssl_ecdh_curve secp384r1;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+    # Disable preloading HSTS for now.  You can use the commented out header line that includes
+    # the "preload" directive if you understand the implications.
+    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+}