From 834e5f1744523d66909f3b204448c5451bc3c2dc Mon Sep 17 00:00:00 2001
From: Dmitry Verkhoturov
Date: Fri, 5 Jan 2024 21:45:11 +0100
Subject: [PATCH] revert adding http3 support, add set-misc for nonce

---
 config/nginx/Dockerfile | 8 ++++----
 config/nginx/conf.d/adminer.conf | 10 ++++------
 config/nginx/conf.d/cdn.conf | 6 ++----
 config/nginx/conf.d/dev-test.conf | 3 +--
 config/nginx/conf.d/dev.conf | 2 +-
 config/nginx/conf.d/hooks.conf | 4 +---
 config/nginx/conf.d/prod.conf | 6 +++---
 config/nginx/conf.d/redirects.conf | 4 ++--
 config/nginx/nginx.conf | 6 ++----
 config/nginx/security_headers.conf | 3 ---
 config/nginx/static-cdn.conf | 1 -
 11 files changed, 20 insertions(+), 33 deletions(-)

diff --git a/config/nginx/Dockerfile b/config/nginx/Dockerfile
index 307ec8f..916eb98 100644
--- a/config/nginx/Dockerfile
+++ b/config/nginx/Dockerfile
@@ -1,4 +1,4 @@
-FROM macbre/nginx-http3
+FROM alpine:edge
 LABEL org.opencontainers.image.authors="Dmitry Verkhoturov " \
 org.opencontainers.image.description="nginx with brotli installed and running as non-root user, with reload for cert renewal once in six hours" \
@@ -6,13 +6,13 @@ LABEL org.opencontainers.image.authors="Dmitry Verkhoturov
 org.opencontainers.image.source="https://github.com/paskal/bitrix.infra.git" \
 org.opencontainers.image.title="nginx"
-USER root
-
 # for shadow package
 RUN echo http://dl-2.alpinelinux.org/alpine/edge/community/ >> /etc/apk/repositories
 # shadow for usermod
-RUN apk add --no-cache shadow
+# brotli for compression
+# set-misc for nonce random string generation
+RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-set-misc shadow
 RUN usermod -u 1000 nginx
 RUN groupmod -g 1000 nginx
diff --git a/config/nginx/conf.d/adminer.conf b/config/nginx/conf.d/adminer.conf
index 24456af..df23325 100644
--- a/config/nginx/conf.d/adminer.conf
+++ b/config/nginx/conf.d/adminer.conf
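Review bot: `FROM alpine:edge` swaps a named nginx image for an unpinned rolling base, so the nginx build, module ABI and OpenSSL that end up in the image depend on the day the build runs and cannot be reproduced or audited later; pinning by digest (`FROM alpine:edge@sha256:<digest-placeholder>`) or moving to a numbered Alpine release keeps the image reproducible. The new `apk add` line also never names `nginx` itself — it is installed only as a dependency of the `nginx-mod-http-*` packages — so listing it explicitly (`RUN apk add --no-cache nginx nginx-mod-http-brotli nginx-mod-http-set-misc shadow`) makes the intent clear and survives a packaging change. With an `alpine:edge` base the kept `RUN echo ... edge/community/ >> /etc/apk/repositories` line is presumably redundant, since the official edge image already ships the edge main and community repositories; worth checking and dropping if so.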
@@ -1,10 +1,8 @@
 server {
- listen 443 ssl;
- listen 443 quic reuseport;
- add_header alt-svc 'h3=":443"; ma=86400';
- ssl_certificate /etc/nginx/letsencrypt/live/favor-group.ru/fullchain.pem;
- ssl_certificate_key /etc/nginx/letsencrypt/live/favor-group.ru/privkey.pem;
- ssl_trusted_certificate /etc/nginx/letsencrypt/live/favor-group.ru/chain.pem;
+ listen 443 http2 ssl;
+ ssl_certificate /etc/nginx/letsencrypt/live/favor-group.ru/fullchain.pem;
+ ssl_certificate_key /etc/nginx/letsencrypt/live/favor-group.ru/privkey.pem;
+ ssl_trusted_certificate /etc/nginx/letsencrypt/live/favor-group.ru/chain.pem;
 server_name adminer.favor-group.ru;
 # Dmitry Verkhoturov and Eugene Donich external address
diff --git a/config/nginx/conf.d/cdn.conf b/config/nginx/conf.d/cdn.conf
index 89ee33f..93289d5 100644
--- a/config/nginx/conf.d/cdn.conf
+++ b/config/nginx/conf.d/cdn.conf
@@ -5,8 +5,7 @@ map $http_origin $allow_origin {
 }
 server {
- listen 443 ssl;
- listen 443 quic;
+ listen 443 http2 ssl;
 server_name static.cdn-favor-group.ru;
@@ -17,8 +16,7 @@ server {
 }
 server {
- listen 443 ssl;
- listen 443 quic;
+ listen 443 http2 ssl;
 server_name dev.cdn-favor-group.ru;
diff --git a/config/nginx/conf.d/dev-test.conf b/config/nginx/conf.d/dev-test.conf
index a8a2760..206d974 100644
--- a/config/nginx/conf.d/dev-test.conf
+++ b/config/nginx/conf.d/dev-test.conf
@@ -1,6 +1,5 @@
 server {
- listen 443 ssl;
- listen 443 quic;
+ listen 443 http2 ssl;
 server_name dev-test.favor-group.ru;
diff --git a/config/nginx/conf.d/dev.conf b/config/nginx/conf.d/dev.conf
index 3029bc8..6e4a9ca 100644
--- a/config/nginx/conf.d/dev.conf
+++ b/config/nginx/conf.d/dev.conf
@@ -1,5 +1,5 @@
 server {
- listen 443 ssl;
+ listen 443 http2 ssl;
 server_name dev.favor-group.ru;
diff --git a/config/nginx/conf.d/hooks.conf b/config/nginx/conf.d/hooks.conf
index cb5590d..19b6964 100644
--- a/config/nginx/conf.d/hooks.conf
+++ b/config/nginx/conf.d/hooks.conf
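Review bot: The `http2` parameter on `listen` (new line `listen 443 http2 ssl;`) has been deprecated since nginx 1.25.1 in favour of the standalone `http2 on;` directive, and with the image now built from alpine:edge the packaged nginx will most likely be a 1.25.x release that logs a deprecation warning for every such line at startup; the same applies to the hunks in cdn.conf, dev-test.conf, dev.conf, hooks.conf, prod.conf and redirects.conf. The cleaner form is `listen 443 ssl;` plus `http2 on;` in each server block (or once at `http` level, since the directive is inherited). redirects.conf also writes the parameters as `ssl http2` while every other file in the commit uses `http2 ssl`; either order works, but keeping one order across the config makes a later mass edit safer.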
@@ -1,7 +1,5 @@
 server {
- listen 443 ssl;
- listen 443 quic;
-
+ listen 443 http2 ssl;
 server_name hooks.favor-group.ru;
 location / {
 proxy_read_timeout 600;
diff --git a/config/nginx/conf.d/prod.conf b/config/nginx/conf.d/prod.conf
index b785b32..8e37214 100644
--- a/config/nginx/conf.d/prod.conf
+++ b/config/nginx/conf.d/prod.conf
@@ -1,5 +1,5 @@
 server {
- listen 443 reuseport ssl;
+ listen 443 http2 reuseport ssl;
 server_name favor-group.ru;
@@ -19,7 +19,7 @@ server {
 }
 server {
- listen 443 ssl;
+ listen 443 http2 ssl;
 server_name spb.favor-group.ru;
@@ -39,7 +39,7 @@ server {
 }
 server {
- listen 443 ssl;
+ listen 443 http2 ssl;
 server_name tula.favor-group.ru;
diff --git a/config/nginx/conf.d/redirects.conf b/config/nginx/conf.d/redirects.conf
index 6973294..b8159ec 100644
--- a/config/nginx/conf.d/redirects.conf
+++ b/config/nginx/conf.d/redirects.conf
@@ -1,6 +1,6 @@
 # https www is a special case
 server {
- listen 443 ssl;
+ listen 443 ssl http2;
 server_name www.favor-group.ru;
 ssl_certificate /etc/nginx/letsencrypt/live/favor-group.ru/fullchain.pem;
 ssl_certificate_key /etc/nginx/letsencrypt/live/favor-group.ru/privkey.pem;
@@ -25,7 +25,7 @@ server {
 }
 server {
- listen 443 default_server ssl;
+ listen 443 default_server ssl http2;
 ssl_certificate /etc/nginx/letsencrypt/live/favor-group.ru/fullchain.pem;
 ssl_certificate_key /etc/nginx/letsencrypt/live/favor-group.ru/privkey.pem;
 ssl_trusted_certificate /etc/nginx/letsencrypt/live/favor-group.ru/chain.pem;
diff --git a/config/nginx/nginx.conf b/config/nginx/nginx.conf
index e32dc08..fd3734a 100644
--- a/config/nginx/nginx.conf
+++ b/config/nginx/nginx.conf
@@ -4,8 +4,8 @@ worker_processes auto;
 error_log /var/log/nginx/other.error.log warn;
 pid /var/run/nginx.pid;
-#load_module modules/ngx_http_brotli_filter_module.so;
-#load_module modules/ngx_http_brotli_static_module.so;
+load_module modules/ngx_http_brotli_filter_module.so;
+load_module modules/ngx_http_brotli_static_module.so;
 events {
 worker_connections 8192;
@@ -112,8 +112,6 @@ http {
 # HSTS (ngx_http_headers_module is required) (63072000 seconds)
 add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; preload' always;
- # http3
- #add_header alt-svc 'h3=":443"; ma=86400';
 # Reverse CloudFlare proxy
 # DO NOT use CloudFlare in Russia, Yandex will ban you!
diff --git a/config/nginx/security_headers.conf b/config/nginx/security_headers.conf
index 4505371..76629b2 100644
--- a/config/nginx/security_headers.conf
+++ b/config/nginx/security_headers.conf
@@ -15,6 +15,3 @@ add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; prelo
 # for the sake of better benchmark score
 add_header Referrer-Policy same-origin;
-
-# http3
-#add_header alt-svc 'h3=":443"; ma=86400';
diff --git a/config/nginx/static-cdn.conf b/config/nginx/static-cdn.conf
index 6ead14a..60fee17 100644
--- a/config/nginx/static-cdn.conf
+++ b/config/nginx/static-cdn.conf
@@ -19,7 +19,6 @@ location ~* ^.+\.(xml|txt|jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|map|js|json|
 expires max;
 add_header Cache-Control public;
 add_header Access-Control-Allow-Origin $allow_origin;
- add_header alt-svc 'h3=":443"; ma=86400';
 include security_headers.conf;
 valid_referers none blocked favor-group.ru *.favor-group.ru *.cdn-favor-group.ru;
 if ($invalid_referer) {
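Review bot: The first nginx.conf hunk only uncomments the two brotli `load_module` lines, while the commit's stated purpose is to add set-misc for nonce generation and the Dockerfile now installs `nginx-mod-http-set-misc`; nothing on the new side loads that module, and set-misc additionally requires the NDK module to be loaded before it. Unless nginx.conf includes the packaged `/etc/nginx/modules/*.conf` stubs somewhere outside this hunk (not visible here), any set-misc directive used for the nonce will fail `nginx -t` with an unknown-directive error. Adding `load_module modules/ndk_http_module.so;` followed by `load_module modules/ngx_http_set_misc_module.so;` next to the brotli lines, in that order, would close the gap, and the inline comment `# set-misc (needs NDK loaded first) for CSP nonce generation` records why the ordering matters.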