Cannot specify ciphers? #564

sbazzell opened this issue Aug 17, 2020 · 14 comments

Comments

@sbazzell

sbazzell commented Aug 17, 2020

Whenever I try to specify ciphers the way I would normally do using nginx vanilla, the proxy host goes to offline status.

So does

ssl_ciphers 'insert cipher list here';

and

ssl_prefer_server_ciphers on;

not work?

@dash74

dash74 commented Aug 27, 2020

It looks like the only way to edit the ciphers would be to edit /etc/nginx/conf.d/include/ssl-ciphers.conf inside the docker container. You can do this by running docker exec -it "docker-name" bash. After editing the file you type exit. You'll have to commit the changes to a new image by running sudo docker commit [CONTAINER_ID] [new_image_name].

@Mattie112

Yes I also want to change the ciphers. Any chance we can have this also exported in a volume just like the (optional) config files.

@Mattie112

Mattie112 commented Sep 7, 2020

I did find a solution / workaround.

Simply create your own cipher file (outside of the container), for example generate it here https://ssl-config.mozilla.org/ but only use the protocols/ciphers part.

Now simply mount this file into the container
/etc/nginx/conf.d/include/ssl-ciphers.conf:/path/to/local/file/myown-custom-ssl-ciphers.conf

And now you have your own ciphers. Downside is that this no longer benefits from updates from the NPM itself. So you might want to check https://github.com/jc21/nginx-proxy-manager/blob/master/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf from time to time to check your file is up to date.
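As an added example (not code from this thread or from Nginx Proxy Manager), here is a small Python audit for the custom ssl-ciphers.conf you mount over the container's own copy. It parses the ssl_* directives the way the posts above write them (quoted or unquoted), flags legacy protocols, broken or non-forward-secret ciphers and opaque aliases, and reports how your file has drifted from a reference copy, which is the "check from time to time" chore mentioned above. Every file body in it is a constructed sample; REFERENCE_CONF stands in for the upstream file you would fetch yourself, and all function names are my own.

```python
"""Audit a custom nginx ssl-ciphers.conf fragment before bind-mounting it (added example)."""
import re

# Constructed sample: the protocols/ciphers part of a Mozilla "intermediate" profile,
# written with the quoted value style the opening post used.
CUSTOM_CONF = """
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;

# intermediate configuration, protocols/ciphers part only
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers off;
"""

# Constructed stand-in for the upstream ssl-ciphers.conf (assumption: you fetch the real one).
REFERENCE_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
"""

# Constructed sample of a fragment that should never be mounted over the container's file.
LEGACY_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:RC4-SHA:AES128-SHA;
ssl_prefer_server_ciphers on;
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP-")   # DES also catches 3DES names
DIRECTIVE_RE = re.compile(r"^\s*(ssl_[a-z_]+)\s+(.+?)\s*;\s*$")


def parse_ssl_directives(conf_text):
    """Return {directive: value} for every ssl_* directive in an nginx fragment.

    Comments are stripped and surrounding quotes (ssl_ciphers 'A:B';) are removed.
    If a directive repeats, the last value wins here.
    """
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]  # drop whole-line and trailing comments
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        directives[name] = value
    return directives


def cipher_list(directives):
    """Split ssl_ciphers into OpenSSL cipher-string entries, ignoring '!' exclusions."""
    value = directives.get("ssl_ciphers", "")
    return [c for c in value.split(":") if c and not c.startswith("!")]


def audit(conf_text):
    """Return human-readable findings for a fragment; an empty list means nothing was flagged."""
    d = parse_ssl_directives(conf_text)
    findings = []
    protocols = set(d.get("ssl_protocols", "").split())
    if not protocols:
        findings.append("ssl_protocols missing: nginx falls back to its compiled-in default")
    for p in sorted(protocols & WEAK_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {p}")
    ciphers = cipher_list(d)
    if not ciphers:
        findings.append("ssl_ciphers missing or empty")
    for c in ciphers:
        upper = c.upper()
        if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher listed: {c}")
        elif "-" not in c:  # HIGH, MEDIUM, DEFAULT... expand to whatever the OpenSSL build has
            findings.append(f"cipher alias hides what is negotiated: {c}")
        elif not upper.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {c}")
    return findings


def drift(custom_text, reference_text):
    """Compare cipher lists: (in reference but not in custom, in custom but not in reference)."""
    custom = cipher_list(parse_ssl_directives(custom_text))
    reference = cipher_list(parse_ssl_directives(reference_text))
    return ([c for c in reference if c not in custom],
            [c for c in custom if c not in reference])


if __name__ == "__main__":
    print("custom findings:", audit(CUSTOM_CONF) or "none")
    print("legacy findings:", *audit(LEGACY_CONF), sep="\n  ")
    missing, extra = drift(CUSTOM_CONF, REFERENCE_CONF)
    print("missing vs reference:", missing)
    print("extra vs reference:", extra)
```

Run it against your own file by replacing the constructed strings with open(path).read(); a non-empty "missing" list is the signal that the upstream file moved on while your mounted copy did not.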

@Kopernikus1979

> I did find a solution / workaround.
>
> Simply create your own cipher file (outside of the container), for example generate it here https://ssl-config.mozilla.org/ but only use the protocols/ciphers part.
>
> Now simply mount this file into the container /etc/nginx/conf.d/include/ssl-ciphers.conf:/path/to/local/file/myown-custom-ssl-ciphers.conf
>
> And now you have your own ciphers. Downside is that this no longer benefits from updates from the NPM itself. So you might want to check https://github.com/jc21/nginx-proxy-manager/blob/master/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf from time to time to check your file is up to date.

@Mattie112

Could you help me mount /etc/nginx/conf.d/include/ssl-ciphers.conf:/path/to/local/file/myown-custom-ssl-ciphers.conf?
I'm using Unraid and tried it, but I only seem to be able to mount a directory, not a file.

Thx

@Mattie112

[screenshot]

You should be able to just type it in :)

@Kopernikus1979

> [screenshot]
>
> You should be able to just type it in :)

Hi,

Tried it, but I get this error in my docker log:

[screenshot of the docker log error]

If I go to /etc/nginx/conf.d/include/ssl-ciphers.conf I see it's my new modded file; however, the settings are not loaded when I check my domain on cryptcheck.fr.

@Mattie112

Can you run docker inspect NginxProxyManager

And check the following part:

        "HostConfig": {
            "Binds": [
                "/mnt/user/appdata/NginxProxyManager/matthijs-custom-ssl-ciphers.conf:/etc/nginx/conf.d/include/ssl-ciphers.conf:rw",
                "/mnt/user/appdata/NginxProxyManager:/config:rw"
            ],

You can see how I have it and that does work. Does it look different for you?

@Kopernikus1979

Kopernikus1979 commented Apr 5, 2022

I got this:

"Mounts": [
           {
               "Type": "bind",
               "Source": "/tmp/Nginx-Proxy-Manager-Official/var/log",
               "Destination": "/var/log",
               "Mode": "rw",
               "RW": true,
               "Propagation": "rprivate"
           },
           {
               "Type": "bind",
               "Source": "/mnt/user/appdata/Nginx-Proxy-Manager-Official/custom-ssl-ciphers.conf",
               "Destination": "/etc/nginx/conf.d/include/ssl-ciphers.conf",
               "Mode": "rw",
               "RW": true,
               "Propagation": "rprivate"
           },
           {
               "Type": "bind",
               "Source": "/mnt/user/appdata/Nginx-Proxy-Manager-Official/data",
               "Destination": "/data",
               "Mode": "rw",
               "RW": true,
               "Propagation": "rprivate"
           },
           {
               "Type": "bind",
               "Source": "/mnt/user/appdata/Nginx-Proxy-Manager-Official/letsencrypt",
               "Destination": "/etc/letsencrypt",
               "Mode": "rw",
               "RW": true,
               "Propagation": "rprivate"

@Kopernikus1979

Just found something strange: it seems in the latest version of NPM the ciphers are already compliant with the latest Mozilla recommendations, however when doing a check it still uses old ciphers. Can you do a cryptcheck to see your result?

@Mattie112

Ah yeah might be fair to say I use this repo:

https://github.com/Mattie112/docker-nginx-proxy-manager (and that is a fork of https://github.com/jlesage/docker-nginx-proxy-manager)

I think it uses / used to use this project but yeah that was a while ago..... So it could be that here the paths are changed, sorry can't keep track of which repo I use exactly :p

Anyway, my file:

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;

# intermediate configuration. tweak to your needs.
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

I always use https://www.ssllabs.com/ssltest/ for checking (A+ for me) but here is the output from your site:

[screenshot of the cryptcheck.fr result]

@Kopernikus1979

Kopernikus1979 commented Apr 7, 2022

@Mattie112

Hi,

I found the problem.
See my bug report:

#1982

@Mattie112

Mattie112 commented Apr 7, 2022

Yeah I'm doing that manually from time to time XD Have to look into github pipelines (or whatever it is called) at some point.

I just pushed mattie112/docker-nginx-proxy-manager:latest (and :master and :v1.26.0) to be up-to-date with jlesage again :)

(And the reason I made my own fork is that I kinda liked the all-in-one solution but I needed 80/443, so yeah I just chose this solution).

edit:
You can always drop me a message if you need some changes to be merged just open an issue on my fork :)


Issue is now considered stale. If you want to keep it open, please comment 👍

@github-actions github-actions bot added the stale label Mar 26, 2024
@Xyz00777

This is, as far as I know, still not working :(
When can this be fixed?

@github-actions github-actions bot removed the stale label Dec 19, 2024