revert adding http3 support, add set-misc for nonce

paskal · Jan 5, 2024 · 834e5f1 · 834e5f1
1 parent 91b0118
commit 834e5f1
Show file tree

Hide file tree

Showing 11 changed files with 20 additions and 33 deletions.
diff --git a/config/nginx/Dockerfile b/config/nginx/Dockerfile
@@ -1,18 +1,18 @@
-FROM macbre/nginx-http3
+FROM alpine:edge
 
 LABEL org.opencontainers.image.authors="Dmitry Verkhoturov <[email protected]>" \
       org.opencontainers.image.description="nginx with brotli installed and running as non-root user, with reload for cert renewal once in six hours" \
       org.opencontainers.image.documentation="https://github.com/paskal/bitrix.infra" \
       org.opencontainers.image.source="https://github.com/paskal/bitrix.infra.git" \
       org.opencontainers.image.title="nginx"
 
-USER root
-
 # for shadow package
 RUN echo http://dl-2.alpinelinux.org/alpine/edge/community/ >> /etc/apk/repositories
 
 # shadow for usermod
-RUN apk add --no-cache shadow
+# brotli for compression
+# set-misc for nonce random string generation
+RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-set-misc shadow
 
 RUN usermod -u 1000 nginx
 RUN groupmod -g 1000 nginx

diff --git a/config/nginx/conf.d/adminer.conf b/config/nginx/conf.d/adminer.conf
@@ -1,10 +1,8 @@
 server {
-    listen 443 ssl;
-    listen 443 quic reuseport;
-    add_header alt-svc 'h3=":443"; ma=86400';
-    ssl_certificate      /etc/nginx/letsencrypt/live/favor-group.ru/fullchain.pem;
-    ssl_certificate_key  /etc/nginx/letsencrypt/live/favor-group.ru/privkey.pem;
-    ssl_trusted_certificate /etc/nginx/letsencrypt/live/favor-group.ru/chain.pem;
+    listen 443 http2 ssl;
+	ssl_certificate      /etc/nginx/letsencrypt/live/favor-group.ru/fullchain.pem;
+	ssl_certificate_key  /etc/nginx/letsencrypt/live/favor-group.ru/privkey.pem;
+	ssl_trusted_certificate /etc/nginx/letsencrypt/live/favor-group.ru/chain.pem;
 
     server_name  adminer.favor-group.ru;
     # Dmitry Verkhoturov and Eugene Donich external address

diff --git a/config/nginx/conf.d/cdn.conf b/config/nginx/conf.d/cdn.conf
@@ -5,8 +5,7 @@ map $http_origin $allow_origin {
 }
 
 server {
-    listen 443 ssl;
-    listen 443 quic;
+    listen 443 http2 ssl;
 
     server_name static.cdn-favor-group.ru;
 
@@ -17,8 +16,7 @@ server {
 }
 
 server {
-    listen 443 ssl;
-    listen 443 quic;
+    listen 443 http2 ssl;
 
     server_name dev.cdn-favor-group.ru;
 

diff --git a/config/nginx/conf.d/dev-test.conf b/config/nginx/conf.d/dev-test.conf
@@ -1,6 +1,5 @@
 server {
-    listen 443 ssl;
-    listen 443 quic;
+    listen  443 http2 ssl;
 
     server_name dev-test.favor-group.ru;
 

diff --git a/config/nginx/conf.d/dev.conf b/config/nginx/conf.d/dev.conf
@@ -1,5 +1,5 @@
 server {
-    listen 443 ssl;
+    listen  443 http2 ssl;
 
     server_name dev.favor-group.ru;
 

diff --git a/config/nginx/conf.d/hooks.conf b/config/nginx/conf.d/hooks.conf
@@ -1,7 +1,5 @@
 server {
-    listen 443 ssl;
-    listen 443 quic;
-
+    listen 443 http2 ssl;
     server_name  hooks.favor-group.ru;
     location / {
         proxy_read_timeout 600;

diff --git a/config/nginx/conf.d/prod.conf b/config/nginx/conf.d/prod.conf
@@ -1,5 +1,5 @@
 server {
-    listen 443 reuseport ssl;
+    listen 443 http2 reuseport ssl;
 
     server_name favor-group.ru;
 
@@ -19,7 +19,7 @@ server {
 }
 
 server {
-    listen 443 ssl;
+    listen 443 http2 ssl;
 
     server_name spb.favor-group.ru;
 
@@ -39,7 +39,7 @@ server {
 }
 
 server {
-    listen 443 ssl;
+    listen 443 http2 ssl;
 
     server_name tula.favor-group.ru;
 

diff --git a/config/nginx/conf.d/redirects.conf b/config/nginx/conf.d/redirects.conf
@@ -1,6 +1,6 @@
 # https www is a special case
 server {
-    listen 443 ssl;
+    listen 443 ssl http2;
     server_name  www.favor-group.ru;
     ssl_certificate      /etc/nginx/letsencrypt/live/favor-group.ru/fullchain.pem;
     ssl_certificate_key  /etc/nginx/letsencrypt/live/favor-group.ru/privkey.pem;
@@ -25,7 +25,7 @@ server {
 }
 
 server {
-    listen 443 default_server ssl;
+    listen 443 default_server ssl http2;
     ssl_certificate      /etc/nginx/letsencrypt/live/favor-group.ru/fullchain.pem;
     ssl_certificate_key  /etc/nginx/letsencrypt/live/favor-group.ru/privkey.pem;
     ssl_trusted_certificate /etc/nginx/letsencrypt/live/favor-group.ru/chain.pem;

diff --git a/config/nginx/nginx.conf b/config/nginx/nginx.conf
@@ -4,8 +4,8 @@ worker_processes auto;
 error_log  /var/log/nginx/other.error.log warn;
 pid        /var/run/nginx.pid;
 
-#load_module modules/ngx_http_brotli_filter_module.so;
-#load_module modules/ngx_http_brotli_static_module.so;
+load_module modules/ngx_http_brotli_filter_module.so;
+load_module modules/ngx_http_brotli_static_module.so;
 
 events {
     worker_connections  8192;
@@ -112,8 +112,6 @@ http {
 
     # HSTS (ngx_http_headers_module is required) (63072000 seconds)
     add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; preload' always;
-    # http3
-    #add_header alt-svc 'h3=":443"; ma=86400';
 
     # Reverse CloudFlare proxy
     # DO NOT use CloudFlare in Russia, Yandex will ban you!

diff --git a/config/nginx/security_headers.conf b/config/nginx/security_headers.conf
@@ -15,6 +15,3 @@ add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; prelo
 
 # for the sake of better benchmark score
 add_header Referrer-Policy same-origin;
-
-# http3
-#add_header alt-svc 'h3=":443"; ma=86400';
diff --git a/config/nginx/static-cdn.conf b/config/nginx/static-cdn.conf
@@ -19,7 +19,6 @@ location ~* ^.+\.(xml|txt|jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|map|js|json|
     expires max;
     add_header Cache-Control public;
     add_header Access-Control-Allow-Origin $allow_origin;
-    add_header alt-svc 'h3=":443"; ma=86400';
     include security_headers.conf;
     valid_referers none blocked favor-group.ru *.favor-group.ru *.cdn-favor-group.ru;
     if ($invalid_referer) {