Merge pull request #2274 from nginx-proxy/ssl-policies

New AWS SSL policies

README.md

@@ -347,7 +347,80 @@ The default SSL cipher configuration is based on the [Mozilla intermediate profi
 
 If you don't require backward compatibility, you can use the [Mozilla modern profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) profile instead by including the environment variable `SSL_POLICY=Mozilla-Modern` to the nginx-proxy container or to your container. This profile is compatible with clients back to Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57, and Safari 12.1.  Note that this profile is **not** compatible with any version of Internet Explorer.
 
-Other policies available through the `SSL_POLICY` environment variable are [`Mozilla-Old`](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility) and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) `AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`.
+Complete list of policies available through the `SSL_POLICY` environment variable, including the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) and [AWS Classic ELB security policies](https://docs.aws.amazon.com/fr_fr/elasticloadbalancing/latest/classic/elb-security-policy-table.html):
+
+<details>
+  <summary>Mozilla policies</summary>
+  <ul>
+    <li>
+      <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility" target="_blank">
+        <code>Mozilla-Modern</code>
+      </a>
+    </li>
+    <li>
+      <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29" target="_blank">
+        <code>Mozilla-Intermediate</code>
+      </a>
+    </li>
+    <li>
+      <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility" target="_blank">
+        <code>Mozilla-Old</code>
+      </a>
+    </li>
+  </ul>
+</details>
+<details>
+  <summary>AWS ELB FS supported policies</summary>
+  <ul>
+    <li>
+      <code>AWS-FS-1-2-Res-2020-10</code>
+    </li>
+    <li>
+      <code>AWS-FS-1-2-Res-2019-08</code>
+    </li>
+    <li>
+      <code>AWS-FS-1-2-2019-08</code>
+    </li>
+    <li>
+      <code>AWS-FS-1-1-2019-08</code>
+    </li>
+    <li>
+      <code>AWS-FS-2018-06</code>
+    </li>
+  </ul>
+</details>
+<details>
+  <summary>AWS ELB TLS 1.0 - 1.2 security policies</summary>
+  <ul>
+    <li>
+      <code>AWS-TLS-1-2-Ext-2018-06</code>
+    </li>
+    <li>
+      <code>AWS-TLS-1-2-2017-01</code>
+    </li>
+    <li>
+      <code>AWS-TLS-1-1-2017-01</code>
+    </li>
+    <li>
+      <code>AWS-2016-08</code>
+    </li>
+  </ul>
+</details>
+<details>
+  <summary>AWS Classic ELB security policies</summary>
+  <ul>
+     <li>
+      <code>AWS-2015-05</code>
+    </li>
+    <li>
+      <code>AWS-2015-03</code>
+    </li>
+    <li>
+      <code>AWS-2015-02</code>
+    </li>
+  </ul>
+</details>
+</br>
 
 Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container provides a 4096 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing this, either globally or per virtual-host.
 

nginx.tmpl

@@ -144,12 +144,11 @@
     ssl_protocols TLSv1.3;
         {{- /*
              * nginx currently lacks ability to choose ciphers in TLS 1.3 in
-             * configuration; see https://trac.nginx.org/nginx/ticket/1529.  A
-             * possible workaround can be modify /etc/ssl/openssl.cnf to change
-             * it globally (see
-             * https://trac.nginx.org/nginx/ticket/1529#comment:12).  Explicitly
-             * set ngnix default value in order to allow single servers to
-             * override the global http value.
+             * configuration, see https://trac.nginx.org/nginx/ticket/1529.
+             * A possible workaround can be modify /etc/ssl/openssl.cnf to change
+             * it globally (see https://trac.nginx.org/nginx/ticket/1529#comment:12).
+             * Explicitly set nginx default value in order to allow single servers
+             * to override the global http value.
              */}}
     ssl_ciphers HIGH:!aNULL:!MD5;
     ssl_prefer_server_ciphers off;
@@ -161,6 +160,30 @@
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA';
     ssl_prefer_server_ciphers on;
+    {{- else if eq .ssl_policy "AWS-FS-1-2-Res-2020-10" }}
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers on;
+    {{- else if eq .ssl_policy "AWS-FS-1-2-Res-2019-08" }}
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
+    ssl_prefer_server_ciphers on;
+    {{- else if eq .ssl_policy "AWS-FS-1-2-2019-08" }}
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
+    ssl_prefer_server_ciphers on;
+    {{- else if eq .ssl_policy "AWS-FS-1-1-2019-08" }}
+    ssl_protocols TLSv1.1 TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
+    ssl_prefer_server_ciphers on;
+    {{- else if eq .ssl_policy "AWS-FS-2018-06" }}
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
+    ssl_prefer_server_ciphers on;
+    {{- else if eq .ssl_policy "AWS-TLS-1-2-Ext-2018-06" }}
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
+    ssl_prefer_server_ciphers on;
     {{- else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }}
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';