nginxinc / docker-nginx-controller

Docker support for NGINX Controller Agent in Containers
Apache License 2.0

Using TLSv1.3 #75

Open benshalev849 opened 2 years ago

benshalev849 commented 2 years ago

I have been trying for a while to use TLSv1.3 with this nginx image. Tried installing openssl 1.1.1 directly into the image via the following lines:

# Install openssl 1.1.1 from source, in a single layer and from inside the source tree
RUN wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz \
 && tar -xzf openssl-1.1.1k.tar.gz \
 && cd openssl-1.1.1k \
 && ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic \
 && make \
 && make install
# Note: no-shared produces static libraries only, so the nginx binary already
# linked against the distribution's libssl.so keeps loading that library; and
# --prefix=/usr installs under /usr/lib, not the /usr/local paths listed here.
ENV LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64

Also tried to use a centos8 image, but the controller is not compatible with it.

This is the configuration:

# Generated by NGINX Controller 1666183879 [ADC-1533cd2c-7a02-4ed1-9ac6-7a2f7a456004] - instance:pdns-all:unspecified;
user nginx;
worker_processes auto;
worker_shutdown_timeout 60s;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
#load_module /etc/nginx/modules/ngx_http_f5_metrics_module.so;
#load_module /etc/nginx/modules/ngx_stream_f5_metrics_module.so;
events {
        worker_connections 8196;
}
http {
        types {
                text/html html htm shtml;
                text/css css;
                text/xml xml;
                image/gif gif;
                image/jpeg jpeg jpg;
                application/javascript js;
                application/atom+xml atom;
                application/rss+xml rss;
                text/mathml mml;
                text/plain txt;
                text/vnd.sun.j2me.app-descriptor jad;
                text/vnd.wap.wml wml;
                text/x-component htc;
                image/png png;
                image/svg+xml svg svgz;
                image/tiff tif tiff;
                image/vnd.wap.wbmp wbmp;
                image/webp webp;
                image/x-icon ico;
                image/x-jng jng;
                image/x-ms-bmp bmp;
                application/font-woff woff;
                application/java-archive jar war ear;
                application/json json;
                application/mac-binhex40 hqx;
                application/msword doc;
                application/pdf pdf;
                application/postscript ps eps ai;
                application/rtf rtf;
                application/vnd.apple.mpegurl m3u8;
                application/vnd.google-earth.kml+xml kml;
                application/vnd.google-earth.kmz kmz;
                application/vnd.ms-excel xls;
                application/vnd.ms-fontobject eot;
                application/vnd.ms-powerpoint ppt;
                application/vnd.oasis.opendocument.graphics odg;
                application/vnd.oasis.opendocument.presentation odp;
                application/vnd.oasis.opendocument.spreadsheet ods;
                application/vnd.oasis.opendocument.text odt;
                application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
                application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
                application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
                application/vnd.wap.wmlc wmlc;
                application/x-7z-compressed 7z;
                application/x-cocoa cco;
                application/x-java-archive-diff jardiff;
                application/x-java-jnlp-file jnlp;
                application/x-makeself run;
                application/x-perl pl pm;
                application/x-pilot prc pdb;
                application/x-rar-compressed rar;
                application/x-redhat-package-manager rpm;
                application/x-sea sea;
                application/x-shockwave-flash swf;
                application/x-stuffit sit;
                application/x-tcl tcl tk;
                application/x-x509-ca-cert der pem crt;
                application/x-xpinstall xpi;
                application/xhtml+xml xhtml;
                application/xspf+xml xspf;
                application/zip zip;
                application/octet-stream bin exe dll;
                application/octet-stream deb;
                application/octet-stream dmg;
                application/octet-stream iso img;
                application/octet-stream msi msp msm;
                audio/midi mid midi kar;
                audio/mpeg mp3;
                audio/ogg ogg;
                audio/x-m4a m4a;
                audio/x-realaudio ra;
                video/3gpp 3gpp 3gp;
                video/mp2t ts;
                video/mp4 mp4;
                video/mpeg mpeg mpg;
                video/quicktime mov;
                video/webm webm;
                video/x-flv flv;
                video/x-m4v m4v;
                video/x-mng mng;
                video/x-ms-asf asx asf;
                video/x-ms-wmv wmv;
                video/x-msvideo avi;
        }
        default_type application/octet-stream;
        log_format controller_recommended_log_format '$remote_addr - "$remote_user" [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$host" sn="$server_name" rt="$request_time" ua="$upstream_addr" us="$upstream_status" ut="$upstream_response_time" ul="$upstream_response_length" cs="$upstream_cache_status" pa="$f5_published_api"';
        access_log /var/log/nginx/access.log controller_recommended_log_format;
        error_log /var/log/nginx/error.log;
        sendfile on;
        keepalive_timeout 65;
        server_tokens off;
        server_names_hash_bucket_size 128;
        map $http_upgrade $connection_upgrade {
                default upgrade;
                '' close;
        }
        ssl_session_timeout 1h;
#       upstream test_http_f7b67c7e-59e1-4a13-9897-8a20a73f879f {
#               zone test_http_f7b67c7e-59e1-4a13-9897-8a20a73f879f 160k;
#               least_conn;
#               server 127.0.0.1:49151 backup;
#               keepalive 100000;
#               keepalive_requests 100000;
#               keepalive_timeout 60s;
#       }
        map $host $f5_published_api {
                default -;
        }
        server {
                server_name test.ben.com;
                listen 443 ssl reuseport;
                ssl_protocols TLSv1.3;
                ssl_certificate /etc/controller-agent/configurator/auxfiles/d2e29ee9-b6f2-4977-ac12-8ef44f0c0e0a.crt;
                ssl_certificate_key /etc/controller-agent/configurator/auxfiles/d2e29ee9-b6f2-4977-ac12-8ef44f0c0e0a.key;
                ssl_session_cache off;
                ssl_prefer_server_ciphers on;
                set $f5_gateway ben-gateway;
                set $f5_environment testtls1v3;
                error_page 404 /404.html;
                location = /40x.html {
                }

                error_page 500 502 503 504 /50x.html;
                location = /50x.html {
                }

#               location / {
#                       access_log /var/log/nginx/access.log controller_recommended_log_format;
#                       set $f5_app ben-app;
#                       set $f5_component ben-comp;
#                       client_max_body_size 999999m;
#                       proxy_set_header X-Forwarded-For $remote_addr;
#                       proxy_set_header Host $host;
#                       proxy_http_version 1.1;
#                       proxy_ssl_server_name on;
#                       proxy_ssl_name $host;
#                       proxy_set_header Connection $connection_upgrade;
#                       proxy_set_header Upgrade $http_upgrade;
#                       proxy_pass http://test_http_f7b67c7e-59e1-4a13-9897-8a20a73f879f;
#               }
#               location = /_health_check_test_http_f7b67c7e-59e1-4a13-9897-8a20a73f879f {
#                       internal;
#                       proxy_set_header Host $host;
#                       proxy_set_header Connection '';
#                       proxy_pass http://test_http_f7b67c7e-59e1-4a13-9897-8a20a73f879f;
#               }
        }
        server {
                server_name 127.0.0.1;
                listen 127.0.0.1:49151;
                access_log off;
                location /api {
                }
        }
}
worker_cpu_affinity auto;

When the configuration is on a VM it works and I get TLSv1.3 communication. When using the built docker image it does not work (with the same configuration, same everything). Is there a way for me to be able to use TLSv1.3 with the controller and this image?

ninaforsyth commented 2 years ago

Are you trying to create a container to use with NGINX Controller or just for NGINX OSS/Plus?

benshalev849 commented 2 years ago

Are you trying to create a container to use with NGINX Controller or just for NGINX OSS/Plus?

Tried creating a container connected to the NGINX Controller. Built the image via the README supplied in this repo.

jnewfield commented 2 years ago

Judging by the posted NGINX+ configuration you are not experiencing any issues with your NGINX Controller managing control-plane communications, is this correct?

# Generated by NGINX Controller 1666183879 [ADC-1533cd2c-7a02-4ed1-9ac6-7a2f7a456004] - instance:pdns-all:unspecified;

I find TLSv1.3 does not work with a CentOS7 (RHEL7) VM, with or without openssl 1.1.1 installed. TLSv1.3 does work with RedHat8 (RHEL8) out of the box. This is expected behavior given that openssl on RHEL7 does not support TLSv1.3 while openssl on RHEL8 does support TLSv1.3. I find that with a container based on an image from Ubuntu 20.04, TLSv1.3 works without issue (out of the box):

# This dockerfile also supports Ubuntu 16.04 and 18.04
# To use one of them, replace the base image with the matching line below:
#FROM ubuntu:16.04
#FROM ubuntu:18.04
FROM ubuntu:20.04

LABEL maintainer="NGINX Controller Engineering"
...

Does that work for you?
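As an added check that is not code from this repository or from anyone in the thread: nginx -V reports the OpenSSL it was built against and, when different, the one it actually loads at run time, and the loaded library is what decides whether the ssl_protocols TLSv1.3 line above can work. The script below parses that output (the two sample outputs are constructed, not real captures) and adds a live s_client probe; test.ben.com is the server_name from the posted configuration.

```shell
#!/bin/sh
# Added example, not code from the repository or this thread. nginx -V prints
# "built with OpenSSL X" and, only when the loaded library differs, "(running
# with OpenSSL Y)"; the loaded library decides whether TLSv1.3 is available.

# Print the OpenSSL version nginx runs with, reading `nginx -V 2>&1` text on stdin.
runtime_openssl_version() {
    awk '/running with OpenSSL/ { sub(/.*running with OpenSSL /, ""); print $1; exit }
         /built with OpenSSL/   { sub(/.*built with OpenSSL /, "");   print $1; exit }'
}

# Return 0 if an OpenSSL version string (1.0.2k-fips, 1.1.1k, 3.0.2, ...) is
# at least 1.1.1, the first OpenSSL release that implements TLSv1.3.
openssl_supports_tls13() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop suffixes such as k-fips
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    [ $((major * 10000 + minor * 100 + patch)) -ge 10101 ]
}

# Given the text of `nginx -V 2>&1`, print a verdict; returns 0 when TLSv1.3 is possible.
nginx_tls13_capable() {
    ver=$(printf '%s\n' "$1" | runtime_openssl_version)
    [ -n "$ver" ] || { echo "no OpenSSL line in nginx -V output" >&2; return 1; }
    if openssl_supports_tls13 "$ver"; then
        echo "nginx runs with OpenSSL $ver: TLSv1.3 possible"
    else
        echo "nginx runs with OpenSSL $ver: no TLSv1.3; use a base image whose libssl is >= 1.1.1"
        return 1
    fi
}

# Live handshake probe for a running server, e.g. probe_tls13 test.ben.com:443
# (needs an OpenSSL >= 1.1.1 client, otherwise -tls1_3 itself is rejected).
probe_tls13() {
    openssl s_client -connect "$1" -tls1_3 </dev/null 2>/dev/null | grep -q 'Protocol *: TLSv1.3'
}

# Constructed sample outputs (not real captures): a CentOS 7 style build on the
# distro's OpenSSL 1.0.2, and an Ubuntu 20.04 style build with a newer runtime libssl.
CENTOS7_SAMPLE='nginx version: nginx/1.21.6
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled'
UBUNTU_SAMPLE='nginx version: nginx/1.21.6
built with OpenSSL 1.1.1f  31 Mar 2020 (running with OpenSSL 1.1.1k  25 Mar 2021)
TLS SNI support enabled'
nginx_tls13_capable "$CENTOS7_SAMPLE" || true
nginx_tls13_capable "$UBUNTU_SAMPLE"
if command -v nginx >/dev/null 2>&1; then nginx_tls13_capable "$(nginx -V 2>&1)" || true; fi
```

Run it inside the container to see which libssl the packaged nginx really loads; an OpenSSL built beside the distribution's one does not change that verdict.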