Add post-quantum hybrid ECDHE-MLKEM for TLSv1.3

bwbroersma · bwbroersma · commit c5fcc61fdd57 · 2025-10-04T04:34:37.000+02:00
diff --git a/Makefile b/Makefile
@@ -641,10 +641,6 @@ fix:
 	${DOCKER_COMPOSE_TOOLS_CMD} run --rm tools bin/fix.sh ${pysrcdirs}
 	${DOCKER_COMPOSE_TOOLS_CMD} run --rm tools bin/lint.sh ${pysrcdirs}
 
-check-gixy: env=test
-check-gixy:
-	${DOCKER_COMPOSE_CMD} exec webserver /opt/gixy/bin/gixy /etc/nginx/nginx.conf
-
 build-linttest linttest-build:
 	${DOCKER_COMPOSE_TOOLS_CMD} build tools
 
diff --git a/docker/compose.development.yaml b/docker/compose.development.yaml
@@ -1,7 +1,7 @@
 services:
   # terminate tls so we don't need to have exceptions in the nginx config file for development
   port-expose:
-    image: nginx:1.27.3-alpine
+    image: nginx:1.29.1-alpine3.22
     networks:
       - public-internet
       - internal
diff --git a/docker/compose.integration-tests.yaml b/docker/compose.integration-tests.yaml
@@ -4,7 +4,7 @@ services:
   # from the internal network to the outside
   # also terminate tls so we don't need to have exceptions in the nginx config file for development
   port-expose:
-    image: nginx:1.27.3-alpine
+    image: nginx:1.29.1-alpine3.22
     networks:
       - public-internet
       - port-expose
@@ -96,7 +96,7 @@ services:
       - $RABBITMQ_GUI
 
   test-target:
-    image: nginx:1.27.3-alpine
+    image: nginx:1.29.1-alpine3.22
 
     networks:
       public-internet:
@@ -137,7 +137,7 @@ services:
       MH_SMTP_BIND_ADDR: 0.0.0.0:25
 
   static:
-    image: nginx:1.27.3-alpine
+    image: nginx:1.29.1-alpine3.22
 
     restart: unless-stopped
 
diff --git a/docker/compose.yaml b/docker/compose.yaml
@@ -59,7 +59,7 @@ services:
       - nginx-logs-exporter:/var/log/nginx/prometheus-nginxlog-exporter/
 
     healthcheck:
-      test: ["CMD", "service", "nginx", "status"]
+      test: ["CMD", "curl", "-kfsSo/dev/null", "https://$INTERNETNL_DOMAINNAME", "--resolve", "$INTERNETNL_DOMAINNAME:443:127.0.0.1"]
       interval: $HEALTHCHECK_INTERVAL
       start_interval: $HEALTHCHECK_START_INTERVAL
       start_period: 1m
diff --git a/docker/webserver.Dockerfile b/docker/webserver.Dockerfile
@@ -1,19 +1,13 @@
-FROM nginx:1.27.3
+FROM nginx:1.29.1-alpine3.22
 
-RUN apt-get update && apt-get install -y \
+RUN apk add \
+  # for random quic host key
+  openssl \
   # for htpasswd
   apache2-utils \
-  # for gixy install
-  python3-venv \
-  && rm -rf /var/lib/apt/lists/*
+  # for acme
+  certbot
 
-# install nginx config static analysis tool
-RUN python3 -m venv /opt/gixy
-RUN /opt/gixy/bin/pip install gixy==0.1.21
-
-# install certbot
-RUN python3 -m venv /opt/certbot
-RUN /opt/certbot/bin/pip install certbot==3.0.1
 COPY docker/webserver/certbot.sh /docker-entrypoint.d/
 
 RUN mkdir -p /etc/nginx/htpasswd/
diff --git a/docker/webserver/certbot.sh b/docker/webserver/certbot.sh
@@ -56,7 +56,7 @@ configure_letsencrypt() {
     mv /etc/letsencrypt/live/$domain /etc/letsencrypt/live/$domain.bak
 
     # request new certificate for main domain
-    /opt/certbot/bin/certbot certonly --webroot \
+    certbot certonly --webroot \
       -n \
       --webroot-path /var/www/internet.nl \
       --rsa-key-size 4096 \
@@ -86,7 +86,7 @@ configure_letsencrypt() {
   if [ -f /etc/letsencrypt/renewal/$domain.conf ] && [ ! "$(cat /etc/letsencrypt/.subdomains-configured)" = "$subdomains" ]; then
     # request new certificate for subdomains as well, but in a seperate step so we
     # don't fail if they are not properly setup
-    /opt/certbot/bin/certbot certonly --webroot \
+    certbot certonly --webroot \
       -n \
       --webroot-path /var/www/internet.nl \
       --rsa-key-size 4096 \
@@ -118,4 +118,4 @@ configure_letsencrypt() {
 # check certificates for renewal twice a day, make sure the schedule is a moving window so we
 # don't accidentally fall in line with the busiest time (eg: 00:00) and get errors due to ACME
 # servers being overloaded at that moment
-while sleep 11h; do /opt/certbot/bin/certbot renew --post-hook "nginx -s reload"; done&
+while sleep 11h; do certbot renew --post-hook "nginx -s reload"; done&
diff --git a/docker/webserver/nginx_templates/app.conf.template b/docker/webserver/nginx_templates/app.conf.template
@@ -32,11 +32,9 @@ resolver 127.0.0.11 ipv6=off valid=5s;
 
 root /var/www/internet.nl;
 
-# enable OSCP stapling
-ssl_stapling on;
-ssl_stapling_verify on;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+ssl_ecdh_curve SecP384r1MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:secp521r1:brainpoolP512r1:x448:brainpoolP384r1:secp384r1:x25519:secp256r1:brainpoolP256r1;
 
 http2 on;
 http3 on;
