Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nginx config sub optimal? #66

Closed
mannp opened this issue Sep 8, 2017 · 6 comments
Closed

nginx config sub optimal? #66

mannp opened this issue Sep 8, 2017 · 6 comments

Comments

@mannp
Copy link

mannp commented Sep 8, 2017
edited
Loading

The default settings for nginx in the docker seem too wide?

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

I am no security expert, but TLS1 & TLS1.1 are known to not be safe, so shouldn't the minimum be v1.2 with very strict ciphers?

It will only work on firefox and chrome on the desktop, so these can be very tight with no other platforms to support.

Also, why are there two separate sections for server 80 and server 443?

Shouldn't passbolt always be used on https regardless of it being an internal test server or an external production one?

ssl_protocols TLSv1.2;
@borisnaydis
Copy link

borisnaydis commented Sep 12, 2017
edited
Loading

@mannp Two separate sections are needed to allow use of passbolt behind a reverse proxy such as https://github.com/jwilder/nginx-proxy

@mannp
Copy link
Author

mannp commented Sep 12, 2017

@borisnaydis sure, my nginx reverse proxy has a server definition for port 80 and its a redirect to https.

I cannot believe that http would be suggested for passbolt at all for anything other than local testing, so no proxy involved.

The definitions still need tightening up :)

@dlen
Copy link
Member

dlen commented Sep 12, 2017

Hi everyone!

@mannp the nginx configuration will be reworked at some point. You are right, there is room to improve it but it is not at the top of the priority list currently.

Regarding the http/https discussion @borisnaydis is right, we decided to enable http on the nginx setup for flexibility reasons. Users that would like to plug this container behind, for instance, a load balancer that performs ssl offloading will be able to use http straightforward (just one of the multiple possible scenarios). Of course it is not encouraged to use passbolt for production purposes without a proper SSL setup, mainly to avoid MITM attacks since all passwords are decrypted locally (on the client side) and no password is sent in plain text over the wire. A little explanation on the decisions behind the current passbolt container can be found here

We are always open to feedback and suggestions, though.

@mannp
Copy link
Author

mannp commented Sep 12, 2017
edited
Loading

@dlen Sure, but its not for a reverse proxy reasons specifically, but to allow flexibility for other internal configs, otherwise that would be mad; either way the 80 and 443 settings are sub and should be noted as so for any production or internet exposed setup :)

@dlen dlen closed this as completed in 9674afb Sep 14, 2017
@dlen
Copy link
Member

dlen commented Sep 14, 2017

Hi @mannp,
TLS has been restricted as you suggested. Port 80 has been kept as an option to give flexibility to different user environments but feel free to reopen this ticket if you think that it is needed.

@mannp
Copy link
Author

mannp commented Sep 14, 2017

@dlen Not needed, as I understand the flexibility angle.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dlen @mannp @borisnaydis