7 жил өмнө · f05f7a0ff9
--- a/README.md
+++ b/README.md
@@ -205,7 +205,7 @@ and `CERT_NAME=shared` will then use this shared cert.
 
															 The SSL cipher configuration is based on the [Mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which
														
 
															 should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
														
 
															 Windows XP IE8, Android 2.3, Java 7.  Note that the DES-based TLS ciphers were removed for security.
														
 
															-The configuration also enables HSTS, PFS, and SSL session caches.  Currently TLS 1.0, 1.1 and 1.2
														
 
															+The configuration also enables HSTS, PFS, OCSP stapling and SSL session caches.  Currently TLS 1.0, 1.1 and 1.2
														
 
															 are supported.  TLS 1.0 is deprecated but its end of life is not until June 30, 2018.  It is being 
														
 
															 included because the following browsers will stop working when it is removed: Chrome < 22, Firefox < 27,
														
 
															 IE < 11, Safari < 7, iOS < 5, Android Browser < 5.
														
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -18,6 +18,13 @@ fi
 
															 # Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default
														
 
															 /app/generate-dhparam.sh $DHPARAM_BITS
														
 
															+# Compute the DNS resolvers for use in the templates
														
 
															+export RESOLVERS=$(awk '$1 == "nameserver" {print $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')
														
 
															+if [ "x$RESOLVERS" = "x" ]; then
														
 
															+    echo "Warning: unable to determine DNS resolvers for nginx" >&2
														
 
															+    unset RESOLVERS
														
 
															+fi
														
 
															+
														
 
															 # If the user has run the default command and the socket doesn't exist, fail
														
 
															 if [ "$socketMissing" = 1 -a "$1" = forego -a "$2" = start -a "$3" = '-r' ]; then
														
 
															 	exit 1
														
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -58,6 +58,10 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
 
															 access_log off;
														
 
															+{{ if $.Env.RESOLVERS }}
														
 
															+resolver {{ $.Env.RESOLVERS }};
														
 
															+{{ end }}
														
 
															+
														
 
															 {{ if (exists "/etc/nginx/proxy.conf") }}
														
 
															 include /etc/nginx/proxy.conf;
														
 
															 {{ else }}
														
@@ -198,6 +202,12 @@ server {
 
															 	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
														
 
															 	{{ end }}
														
 
															+	{{ if (exists (printf "/etc/nginx/certs/%s.chain.crt" $cert)) }}
														
 
															+	ssl_stapling on;
														
 
															+	ssl_stapling_verify on;
														
 
															+	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }};
														
 
															+	{{ end }}
														
 
															+
														
 
															 	{{ if (ne $https_method "noredirect") }}
														
 
															 	add_header Strict-Transport-Security "max-age=31536000";
														
 
															 	{{ end }}