1

So I’m not sure where to start with this but our secops team said it detected tls 1.1 over port 443 on this server. Checking with the dev who installed Docker and set up the container, he has no idea how to disable that other than telling me here’s the config for the container. I’ve been researching how to do TLS settings for Docker but they all seem to be going to settings on the OS rather than inside the container. I’m not sure where to even start with this as I’m not a Docker expert by any stretch.

Here’s the config json he gave me for this container. Any help/guidance is appreciated.

{
“StreamConfig”: {},
“State”: {
“Running”: true,
“Paused”: false,
“Restarting”: false,
“OOMKilled”: false,
“RemovalInProgress”: false,
“Dead”: false,
“Pid”: 2192,
“ExitCode”: 0,
“Error”: “”,
“StartedAt”: “2022-10-23T02:20:55.233142989Z”,
“FinishedAt”: “2022-10-22T22:20:53.016410944-04:00”,
“Health”: null
},
“ID”: “69c87ced8527a742063bf1f8ffbffd503aead1ba3c3b76c066015f73c9c8aa83”,
“Created”: “2022-02-15T15:30:12.558139307Z”,
“Managed”: false,
“Path”: “/docker-entrypoint.sh”,
“Args”: [
“nginx”,
“-g”,
“daemon off;”
],
“Config”: {
“Hostname”: “69c87ced8527”,
“Domainname”: “”,
“User”: “”,
“AttachStdin”: false,
“AttachStdout”: false,
“AttachStderr”: false,
“ExposedPorts”: {
“443/tcp”: {},
“80/tcp”: {}
},
“Tty”: false,
“OpenStdin”: false,
“StdinOnce”: false,
“Env”: [
“PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin”,
“NGINX_VERSION=1.19.5”,
“NJS_VERSION=0.4.4”,
“PKG_RELEASE=1”,
“SSL_CERT=/etc/secrets/certificate.crt”,
“SSL_KEY=/etc/secrets/certificate.key”
],
“Cmd”: [
“nginx”,
“-g”,
“daemon off;”
],
“Image”: “nginx_image”,
“Volumes”: null,
“WorkingDir”: “”,
“Entrypoint”: [
“/docker-entrypoint.sh”
],
“OnBuild”: null,
“Labels”: {
“maintainer”: “NGINX Docker Maintainers docker-maint@nginx.com
},
“StopSignal”: “SIGTERM”
},
“Image”: “sha256:a0028c293cbca9cedc75385f619c134908b3a04ff844093de231b9f2fa5a9cce”,
“NetworkSettings”: {
“Bridge”: “”,
“SandboxID”: “1fe06055cf79d44bb8b63bae5be60e7f2c8dc1c4d688001c4e480878cf72df28”,
“HairpinMode”: false,
“LinkLocalIPv6Address”: “”,
“LinkLocalIPv6PrefixLen”: 0,
“Networks”: {
“jupyterhub-network”: {
“IPAMConfig”: {},
“Links”: null,
“Aliases”: [
“69c87ced8527”
],
“NetworkID”: “8edb3118e12c7caf0c9de03418e4b5d5f6d0fafbb4634cf8051c1d410b3b9102”,
“EndpointID”: “bda8cbffdb827d9f3b4d780de8181fa1e8dac13575daebf3359d75163948b9d9”,
“Gateway”: “172.18.0.1”,
“IPAddress”: “172.18.0.2”,
“IPPrefixLen”: 16,
“IPv6Gateway”: “”,
“GlobalIPv6Address”: “”,
“GlobalIPv6PrefixLen”: 0,
“MacAddress”: “02:42:ac:12:00:02”,
“DriverOpts”: {},
“IPAMOperational”: false
}
},
“Service”: null,
“Ports”: {
“443/tcp”: [
{
“HostIp”: “0.0.0.0”,
“HostPort”: “443”
}
],
“80/tcp”: null
},
“SandboxKey”: “/var/run/docker/netns/1fe06055cf79”,
“SecondaryIPAddresses”: null,
“SecondaryIPv6Addresses”: null,
“IsAnonymousEndpoint”: false,
“HasSwarmEndpoint”: false
},
“LogPath”: “/var/lib/docker/containers/69c87ced8527a742063bf1f8ffbffd503aead1ba3c3b76c066015f73c9c8aa83/69c87ced8527a742063bf1f8ffbffd503aead1ba3c3b76c066015f73c9c8aa83-json.log”,
“Name”: “/nginx_jupyter”,
“Driver”: “devicemapper”,
“OS”: “linux”,
“MountLabel”: “”,
“ProcessLabel”: “”,
“RestartCount”: 0,
“HasBeenStartedBefore”: true,
“HasBeenManuallyStopped”: false,
“MountPoints”: {},
“SecretReferences”: null,
“ConfigReferences”: null,
“AppArmorProfile”: “”,
“HostnamePath”: “/var/lib/docker/containers/69c87ced8527a742063bf1f8ffbffd503aead1ba3c3b76c066015f73c9c8aa83/hostname”,
“HostsPath”: “/var/lib/docker/containers/69c87ced8527a742063bf1f8ffbffd503aead1ba3c3b76c066015f73c9c8aa83/hosts”,
“ShmPath”: “”,
“ResolvConfPath”: “/var/lib/docker/containers/69c87ced8527a742063bf1f8ffbffd503aead1ba3c3b76c066015f73c9c8aa83/resolv.conf”,
“SeccompProfile”: “”,
“NoNewPrivileges”: true,
“LocalLogCacheMeta”: {
“HaveNotifyEnabled”: false
}
}

6 Spice ups
2

I would disable TLS 1.0 / 1.1 and enable TLS 1.3 , you can achive that by the method below:

Might neededit at least two different configuration files:

/etc/nginx/nginx.conf
/etc/nginx/sites-available/example.com (or /default)

Just in case if you use something like certbot or let’s encrypt, you may need to edit :

/etc/letsencrypt/options-ssl-nginx.conf

So Now let’s get to the editing part !!!
Always do a backup as best practice (you never know when it may help)

sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.backup-tls

i prefer using nano as editor , you can use vim or other editor which you are comfortable with:

sudo nano /etc/nginx/nginx.conf

find for the following line within a http { } block. This line may (or may not) be commented after a hash as follows:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3

So u just need to remove TLSv1 TLSv1.1 and add TLSv1.3 - the line now should look like this:

ssl_protocols TLSv1.2 TLSv1.3;

Just save the file and check if the nginx config is valid by :

nginx -t

If all is good then just reload the nginx by:

sudo service nginx reload

Hope it helps !!!

3

Thing is there’s no nginx running locally on the server. It may be installed but it’s not actually running. It’s in Docker. I can edit the local nginx.conf but if it’s not started as a service on the OS itself, would those changes still affect what’s running in the container? Attached screenshot shows:

systemctl status nginx - OS can’t find it

/etc/nginx/conf/nginx.conf - this file does exist, so nginx is installe but not enabled

systemctl list-unit-files | grep nginx - no output, so not installed as service

docker ps - last container is the one with nginx

7e8598dd-19d4-4b9c-9f5d-b1e40f343efc-tls.PNG
7e8598dd-19d4-4b9c-9f5d-b1e40f343efc-tls.PNG1490×361 92.3 KB
4

For those who are not aware of it, the Mozilla SSL Configurator ( ) is a great tool to use to reconfigure your Linux web server SSL for current best practices.
Plug in the details about versions of things and it generates a copy-paste-able configuration file for you.

5

I don’t know how to apply those settings inside a Docker container. Nginx is not running at the OS level.

6

#OP - did you figure this out? I am trying to do the same thing. All the help on this is for when nginx is running on the server…not in docker, and the config files seem to be different.

7

So, simplified, docker containers are like VMs, and so editing anything on the host won’t change anything inside the VM for the most part.

The “recipe” to make a VM is called a Dockerfile, you build a Dockerfile to create an image, and an instance of an image is a container.

Since docker is so lightweight, containers are often blown away, and things are not persisted inside of them. Thus, there are two ways to get the changes you want into your docker container:

  • mount the file from the host into the docker container

  • modify the Dockerfile and rebuild the image, so that all future containers using that image have the modifications

You can see running containers with docker ps and you can essentially shell into them with docker exec -it [container_name or id] bash

From there you can browse around the files and see what is running. When a container starts, it has a primary process, and if that process stops for any reason, the container is removed by the host/docker engine. So for nginx, it will start the container with the nginx process, and it will be assigned PID 1. So if you run kill 1 you will suddenly find you are booted out of the shell and the container is gone (it’s actually just turned off, you can start it again, but i digress). Why do I mention all of this? To say you can’t just restart the nginx process, if it is killed, the container will turn off. Luckily, nginx supports signals, and you can run nginx -s reload and it will reload without terminating the main parent process. And why do I mention all of this? So that you can proof-of-concept show yourself that this will all work…

So, get a shell into the container and then run apt update && apt install -y nano nmap to get nmap and an editor,

first, test/confirm that tls 1.0/1.1 is a problem: nmap --script ssl-enum-ciphers -p 443 localhost

edit nano /etc/nginx/nginx.conf as mentioned above (no need to sudo, you will be running as root by default already)

Simply find the http { block, and add a line ssl_protocols TLSv1.2 TLSv1.3;

once edited, you should be able to run run nginx -s reload to get those changes

finally you can test it with nmap nmap --script ssl-enum-ciphers -p 443 localhost

output should look something like:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-01 19:44 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000033s latency).
Other addresses for localhost (not scanned): ::1

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

as a final wrap-up, now that you know how to check the problem, fix it, and confirm it works… you just have to make sure it persists. So, get a full copy of your nginx.conf file from the container cat /etc/nginx/nginx.conf and copy it onto your host into a file.

either find the Dockerfile that was used to create your nginx image and provide an ‘nginx.conf’ file to it via the COPY [src] [dest] format at build time, or, assuming you are booting this image with docker-compose, you could just mount over the top of the nginx.conf file in the container whenever it runs, which would look something like:

version: '3'

services:
  nginx:
    image: nginx
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf

good luck!