NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Cannot specify ciphers? #564

Open sbazzell opened 4 years ago

sbazzell commented 4 years ago

Whenever I try to specify ciphers the way I would normally do using nginx vanilla, the proxy host goes to offline status.

So does

ssl_ciphers 'insert cipher list here';

and

ssl_prefer_server_ciphers on;

not work?

dash74 commented 4 years ago

It looks like the only way to edit the ciphers would be to edit /etc/nginx/conf.d/include/ssl-ciphers.conf inside the docker container. You can do this by running docker exec -it "docker-name" bash. After editing the file you type exit. You'll have to commit the changes to a new file by running sudo docker commit [CONTAINER_ID] [new_image_name].

Mattie112 commented 4 years ago

Yes, I also want to change the ciphers. Any chance we can have this also exported in a volume, just like the (optional) config files?

Mattie112 commented 4 years ago

I did find a solution / workaround.

Simply create your own cipher file (outside of the container), for example generate it here https://ssl-config.mozilla.org/ but only use the protocols/ciphers part.

Now simply mount this file into the container /etc/nginx/conf.d/include/ssl-ciphers.conf:/path/to/local/file/myown-custom-ssl-ciphers.conf

And now you have your own ciphers. Downside is that this no longer benefits from updates from the NPM itself. So you might want to check https://github.com/jc21/nginx-proxy-manager/blob/master/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf from time to time to check your file is up to date.
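Mattie112's workaround as a script, added here as an example (it is not code from this thread or from the project). It writes the Mozilla "intermediate" protocol/cipher directives that Mattie112 pastes further down in the thread, refuses to continue if the file enables a legacy protocol or lists a known-weak cipher family, and then starts the container with the file bound over the in-container path quoted above. The container name, the host directories ./npm-data and ./npm-letsencrypt, the jc21/nginx-proxy-manager image tag and the `run` argument are assumptions. One caveat a reader should keep in mind: Docker's -v syntax is HOST_PATH:CONTAINER_PATH, host path first.

```shell
#!/bin/sh
# Added example (not code from this thread or from the project): Mattie112's
# workaround as a script. Assumed names: container "nginx-proxy-manager",
# host dirs ./npm-data and ./npm-letsencrypt, image jc21/nginx-proxy-manager.

# In-container path of the include file, as quoted in this thread.
CONTAINER_CONF=/etc/nginx/conf.d/include/ssl-ciphers.conf

# Write the Mozilla "intermediate" protocol/cipher directives (the same
# ones Mattie112 pasted further down in this thread) to host path $1.
write_cipher_conf() {
    cat > "$1" <<'EOF'
# intermediate configuration, generated from https://ssl-config.mozilla.org/
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
EOF
}

# Policy gate before the file is mounted anywhere: both directives must be
# present, no protocol older than TLS 1.2 may be enabled, and no cipher from
# a family that is broken or deprecated (RC4, DES/3DES, MD5, NULL, EXPORT)
# may be offered. Returns 0 on pass, 1 with a reason on stdout otherwise.
check_cipher_conf() {
    f="$1"
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$f")
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\(.*\);.*/\1/p' "$f")
    [ -n "$protos" ]  || { echo "missing ssl_protocols"; return 1; }
    [ -n "$ciphers" ] || { echo "missing ssl_ciphers"; return 1; }
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy protocol enabled: $p"; return 1 ;;
        esac
    done
    # "DES-" catches the 3DES names (DES-CBC3-SHA) as well as single DES
    for weak in RC4 DES- MD5 NULL EXPORT; do
        case "$ciphers" in
            *"$weak"*) echo "weak cipher family listed: $weak"; return 1 ;;
        esac
    done
    return 0
}

# Start NPM with the custom file bound over the container's copy. Docker's
# -v syntax is HOST_PATH:CONTAINER_PATH (host first); ":ro" keeps the
# container from modifying the file.
run_with_custom_ciphers() {
    docker run -d --name nginx-proxy-manager \
        -p 80:80 -p 81:81 -p 443:443 \
        -v "$PWD/npm-data:/data" \
        -v "$PWD/npm-letsencrypt:/etc/letsencrypt" \
        -v "$1:$CONTAINER_CONF:ro" \
        jc21/nginx-proxy-manager:latest
}

main() {
    conf="$PWD/custom-ssl-ciphers.conf"
    write_cipher_conf "$conf"
    check_cipher_conf "$conf" || exit 1
    if command -v docker >/dev/null 2>&1; then
        run_with_custom_ciphers "$conf"
    else
        echo "docker not found; $conf written and passed the policy check"
    fi
}

# Only act when invoked as: sh custom-ciphers.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The policy check is deliberately strict rather than clever: it refuses any protocol below TLS 1.2 and any cipher whose name contains a broken family, which is enough to catch a pasted list that still carries TLSv1 or a CBC3 suite. The file is mounted read-only so that nothing inside the container can rewrite it, and the image tag is pinned by name only; pin a version in production.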

Kopernikus1979 commented 2 years ago

I did find a solution / workaround.

Simply create your own cipher file (outside of the container), for example generate it here https://ssl-config.mozilla.org/ but only use the protocols/ciphers part.

Now simply mount this file into the container /etc/nginx/conf.d/include/ssl-ciphers.conf:/path/to/local/file/myown-custom-ssl-ciphers.conf

And now you have your own ciphers. Downside is that this no longer benefits from updates from the NPM itself. So you might want to check https://github.com/jc21/nginx-proxy-manager/blob/master/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf from time to time to check your file is up to date.

@Mattie112

Could you help me mount /etc/nginx/conf.d/include/ssl-ciphers.conf:/path/to/local/file/myown-custom-ssl-ciphers.conf? I'm using Unraid and tried it, but I only seem to be able to mount a directory, not a file.

Thx

Mattie112 commented 2 years ago

[screenshot of the Unraid mount field]

You should be able to just type it in :)

Kopernikus1979 commented 2 years ago

[screenshot of the Unraid mount field]

You should be able to just type it in :)

Hi,

Tried it, but I get this error in my docker log:

[screenshot of the docker log: Schermafbeelding 2022-04-05 153922]

If I go to /etc/nginx/conf.d/include/ssl-ciphers.conf I see it's my new modded file, however the settings are not loaded when doing cryptcheck.fr for my domain.

Mattie112 commented 2 years ago

Can you run docker inspect NginxProxyManager

And check the following part:

        "HostConfig": {
            "Binds": [
                "/mnt/user/appdata/NginxProxyManager/matthijs-custom-ssl-ciphers.conf:/etc/nginx/conf.d/include/ssl-ciphers.conf:rw",
                "/mnt/user/appdata/NginxProxyManager:/config:rw"
            ],

You can see how I have it and that does work. Does it look different for you?

Kopernikus1979 commented 2 years ago

I got this:

"Mounts": [
            {
                "Type": "bind",
                "Source": "/tmp/Nginx-Proxy-Manager-Official/var/log",
                "Destination": "/var/log",
                "Mode": "rw",
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/mnt/user/appdata/Nginx-Proxy-Manager-Official/custom-ssl-ciphers.conf",
                "Destination": "/etc/nginx/conf.d/include/ssl-ciphers.conf",
                "Mode": "rw",
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/mnt/user/appdata/Nginx-Proxy-Manager-Official/data",
                "Destination": "/data",
                "Mode": "rw",
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/mnt/user/appdata/Nginx-Proxy-Manager-Official/letsencrypt",
                "Destination": "/etc/letsencrypt",
                "Mode": "rw",
                "RW": true,
                "Propagation": "rprivate"

Kopernikus1979 commented 2 years ago

Just found something strange: it seems in the latest version of NPM the ciphers are already compliant with the latest Mozilla recommendations, however when doing a check it still uses old ciphers. Can you do a cryptcheck to see your result?

Mattie112 commented 2 years ago

Ah yeah might be fair to say I use this repo:

https://github.com/Mattie112/docker-nginx-proxy-manager (and that is a fork of https://github.com/jlesage/docker-nginx-proxy-manager)

I think it uses / used to use this project but yeah that was a while ago..... So it could be that here the paths are changed, sorry can't keep track of what repo I use exactly :p

Anyway, my file:

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;

# intermediate configuration. tweak to your needs.
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

I always use https://www.ssllabs.com/ssltest/ for checking (A+ for me) but here is the output from your site:

[screenshot of the cryptcheck.fr result]
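The thread so far compares what is on disk with what an online scanner reports. An added shell example (not code from the thread or the project; it assumes the container is named nginx-proxy-manager and that docker and openssl are on PATH) closes that gap in three steps: it checks the docker inspect output for a bind mount on the in-container path, in both the HostConfig.Binds and Mounts forms shown above; it asks nginx inside the container for the configuration it actually loaded; and it probes the live port the way cryptcheck.fr or SSL Labs would, so the result can be reproduced without a third-party service.

```shell
#!/bin/sh
# Added example (not code from this thread or from the project): three
# checks that the custom cipher file is what the container actually serves.
# Assumed container name "nginx-proxy-manager"; docker and openssl on PATH.

CONTAINER_CONF=/etc/nginx/conf.d/include/ssl-ciphers.conf

# 1. Mount check. Reads `docker inspect` output on stdin and succeeds only if
#    a bind mount lands on CONTAINER_CONF, in either the HostConfig.Binds
#    ("host:container:mode") or the Mounts ("Destination") form shown in this
#    thread. A mount written container:host by mistake does not match.
inspect_has_cipher_bind() {
    binds_pat="\"[^\"]+:$CONTAINER_CONF(:[a-z,]+)?\""
    mounts_pat="\"Destination\": *\"$CONTAINER_CONF\""
    grep -Eq "$binds_pat|$mounts_pat"
}

# 2. Config check. nginx -t validates the syntax; nginx -T dumps the config
#    nginx actually loaded, so the grep shows the TLS directives in force
#    rather than whatever sits on disk on the host.
show_effective_tls_config() {
    docker exec nginx-proxy-manager nginx -t &&
    docker exec nginx-proxy-manager nginx -T 2>/dev/null |
        grep -E '^[[:space:]]*ssl_(protocols|ciphers|prefer_server_ciphers)[[:space:]]'
}

# 3. Wire check, the local equivalent of the online scanners mentioned above.
#    Each legacy protocol must be refused; TLS 1.2 and 1.3 must complete and
#    the negotiated protocol and cipher are printed. Note that a flag the
#    local openssl build does not support fails exactly like a refusal does,
#    so check `openssl version` before trusting a pass for -tls1_3.
probe_live() {
    host="$1"
    for flag in -ssl3 -tls1 -tls1_1; do
        if openssl s_client -connect "$host:443" -servername "$host" "$flag" \
                </dev/null >/dev/null 2>&1; then
            echo "FAIL: server accepted $flag"
            return 1
        fi
    done
    for flag in -tls1_2 -tls1_3; do
        openssl s_client -connect "$host:443" -servername "$host" "$flag" </dev/null 2>/dev/null |
            grep -E '^[[:space:]]*(Protocol|Cipher)[[:space:]]*:'
    done
}

# Usage: sh verify-ciphers.sh run proxy.example.com
if [ "${1:-}" = "run" ]; then
    docker inspect nginx-proxy-manager | inspect_has_cipher_bind \
        || { echo "no bind mount on $CONTAINER_CONF"; exit 1; }
    show_effective_tls_config
    probe_live "$2"
fi
```

Step 2 is the one that would have shortened this thread: if nginx -T inside the container does not show the custom ssl_protocols and ssl_ciphers lines, the mount is wrong or the file is included from somewhere else, and no amount of external scanning will say which. Step 3 only tells you what the listener negotiates; when it disagrees with step 2, look for a second server block or another include that sets the same directives.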

Kopernikus1979 commented 2 years ago

@Mattie112

Hi,

I found the problem. See my bug report:

https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1982

Mattie112 commented 2 years ago

Yeah I'm doing that manually from time to time XD Have to look into github pipelines (or whatever it is called) at some point.

I just pushed mattie112/docker-nginx-proxy-manager:latest (and :master and :v1.26.0) to be up-to-date with jlesage again :)

(And the reason I made my own fork is that I kinda liked the all-in-one solution but I needed 80/443, so yeah I just chose this solution).

edit: You can always drop me a message if you need some changes to be merged just open an issue on my fork :)

github-actions[bot] commented 5 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: