Add TLS v1.3 support to matrix-nginx-proxy

This was mentioned in #27 (Github Pull Request), but it's just now that the nginx Docker image actually supports TLS v1.3 and we can enable it.
6 years ago · cd332d9b4e
parent d5a0f562ba
commit cd332d9b4e
3 changed files with 21 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,18 @@
+# 2019-02-01
+
+## TLS v1.3 support
+
+Now that the [nginx Docker image](https://hub.docker.com/_/nginx) has [added support for TLS v1.3](https://github.com/nginxinc/docker-nginx/issues/190), we have enabled that protocol by default.
+
+When using:
+
+- the **integrated nginx server**: TLS v1.3 support might not kick in immediately, because the nginx version hasn't been bumped and you may have an older build of the nginx Docker image (currently `nginx:1.15.8-alpine`). Typically, we do not re-pull images that you already have. When the nginx version gets bumped in the future, everyone will get the update. Until then, you could manually force-pull the rebuilt Docker image by running this on the server: `docker pull nginx:1.15.8-alpine`.
+
+- **your own external nginx server**: if your external nginx server is too old, the new configuration we generate for you in `/matrix/nginx-proxy/conf.d/` might not work anymore, because it mentions `TLSv1.3` and your nginx version might not support that. You can adjust the SSL protocol list by overriding the `matrix_nginx_proxy_ssl_protocols` variable. Learn more in the documentation page for [Using your own webserver, instead of this playbook's nginx proxy](docs/configuring-playbook-own-webserver.md)
+
+- **another web server**: you don't need to do anything to accommodate this change
+
+
 # 2019-01-31

 ## IRC bridging support
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@ -14,11 +14,15 @@ All it takes is:

 ```yaml
 matrix_nginx_proxy_enabled: false
+
+# If you use an external nginx, we'll generate some configuration for you in `/matrix/nginx-proxy/conf.d/`.
+# You might need to tweak the protocol list (removing `TLSv1.3`) to suit your nginx version.
+matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
 ```

 **Note**: even if you do this, in order [to install](installing.md), this playbook still expects port 80 to be available. **Please manually stop your other webserver while installing**. You can start it back again afterwards.

-**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`
+**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`. Please note that if your nginx version is old, it might not like our default SSL protocols (particularly the fact that `TLSv1.3` is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable.

 **If your own webserver is not nginx**, you can still take a look at the sample files in `/matrix/nginx-proxy/conf.d`, and:

--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -57,9 +57,7 @@ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
 matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"

 # Specifies which SSL protocols to use when serving Riot and Synapse
-# Note TLSv1.3 is not yet available in dockerized nginx
-# See: https://github.com/nginxinc/docker-nginx/issues/190
-matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
+matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"

 # By default, this playbook automatically retrieves and auto-renews
 # free SSL certificates from Let's Encrypt.