Signal-TLS-Proxy
Use upstream NGINX image
The current images are 2 years out of date, and if it's too much work to track the releases I'd suggest just using the upstream image. Using alpine as the base OS will also help reduce the attack surface as well.
This PR includes the changes in my previous PR https://github.com/signalapp/Signal-TLS-Proxy/pull/22.
Yes, I came here wanting to mention this too. Speaking of attack surfaces: there are two flavours of nginx docker images published by nginxinc themselves, with or without root. The ones which run without root could also be a possibility: nginxinc/nginx-unprivileged. With the unprivileged image, the default port is 8080.
I run some Nginx as proxies, and I have them running with the filesystem read-only and the config in tmpfs. In this case, since they're a shared volume, wouldn't it be better to have them in :ro instead of :Z?
I mean the one for nginx-terminate.
I think this project needs to use the Dockerfile build methods and can't just switch to nginx:alpine. ngx_stream_ssl_module / ngx_stream_ssl_preread_module aren't built by default, but are used by both images.
So #28 looks like the correct path for updating the nginx version.
@abscondment, sorry, not sure to understand:
I think this project needs to use the Dockerfile build methods and can't just switch to nginx:alpine. ngx_stream_ssl_module / ngx_stream_ssl_preread_module aren't built by default, but are used by both images.
The modules are already present in the alpine image:
$ docker run -it nginx:alpine nginx -V | tr ' ' '\n' | grep ssl
--with-http_ssl_module
--with-mail_ssl_module
--with-stream_ssl_module
--with-stream_ssl_preread_module
With that excellent one-liner, I can also confirm that the rootless image contains the required modules:
$ docker run -it nginxinc/nginx-unprivileged nginx -V | tr ' ' '\n' | grep ssl
--with-http_ssl_module
--with-mail_ssl_module
--with-stream_ssl_module
--with-stream_ssl_preread_module
Cool! TIL how alpine builds nginx :)
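An added example, not code from the Signal-TLS-Proxy project or this PR, that tightens the `nginx -V | grep ssl` check used above: plain `grep ssl` also matches `--with-http_ssl_module`, so it can look fine even when the two stream modules the proxy's `stream {}` configs need are absent. The function names and the sample `nginx -V` output are constructed for the example; `check_image` needs docker on the host.

```shell
#!/bin/sh
# Added example (not part of the Signal-TLS-Proxy repo or this PR): check an
# nginx build for the exact configure flags the proxy needs, by full-line
# match, instead of the looser `grep ssl` from the thread.

# Flags required by the nginx-terminate / nginx-relay stream configs.
REQUIRED_MODULES="--with-stream_ssl_module --with-stream_ssl_preread_module"

# check_nginx_modules: reads `nginx -V` output on stdin, prints ok/MISSING per
# required flag, and returns 0 only when every required flag is present.
check_nginx_modules() {
    _v=$(cat)
    _missing=0
    for _mod in $REQUIRED_MODULES; do
        # tr splits the configure line into one flag per line; -x matches the
        # whole line so --with-stream_ssl_module does not match the _preread one
        if printf '%s\n' "$_v" | tr ' ' '\n' | grep -qx -- "$_mod"; then
            echo "ok      $_mod"
        else
            echo "MISSING $_mod"
            _missing=1
        fi
    done
    return $_missing
}

# check_image: run the check against a real image (needs docker on the host).
# `nginx -V` prints to stderr, hence the 2>&1.
check_image() {
    docker run --rm "$1" nginx -V 2>&1 | check_nginx_modules
}

# Constructed sample shaped like the alpine image's `nginx -V` output.
SAMPLE_FULL='nginx version: nginx/1.25.3
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail_ssl_module'
# Constructed sample of a build without the stream modules; `grep ssl` alone
# would still print a match for it because of --with-http_ssl_module.
SAMPLE_NO_STREAM='nginx version: nginx/1.25.3
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-mail_ssl_module'

printf '%s\n' "$SAMPLE_FULL" | check_nginx_modules || echo "unsuitable base image"
printf '%s\n' "$SAMPLE_NO_STREAM" | check_nginx_modules || echo "unsuitable base image"
```

Replace the sample blocks with `check_image nginx:alpine` or `check_image nginxinc/nginx-unprivileged` to test a real image.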
Yes, I came here wanting to mention this too. Speaking of attack surfaces: there are two flavours of nginx docker images published by nginxinc themselves, with or without root. The ones which run without root could also be a possibility: nginxinc/nginx-unprivileged. With the unprivileged image, the default port is 8080.
Do you have a working config for the rootless container?
I have the root container working with privileges dropped and what not, but I couldn't get the rootless one working. I could try again though when I have time, though it would be nice if someone has a working config ready.
I was about to file a bug to do exactly what this PR does. The current state of having the nginx versions hardcoded in the source code is difficult to maintain and leads to security bugs. Using nginx:latest or nginx:alpine as this PR does is the obvious solution.
+1 to merge this.