Merge pull request #45 from Dstack-TEE/ingress-sec

h4x3rotab · web-flow · commit 6c8e0d967831 · 2025-08-04T14:18:57.000-07:00
feat: hardened dstack-ingress
diff --git a/custom-domain/dstack-ingress/README.md b/custom-domain/dstack-ingress/README.md
@@ -10,6 +10,7 @@ This project enables you to run dstack applications with your own custom domain,
 - Cloudflare DNS configuration for CNAME, TXT, and CAA records
 - Nginx reverse proxy to route traffic to your application
 - Certificate evidence generation for verification
+- Strong SSL/TLS configuration with modern cipher suites (AES-GCM and ChaCha20-Poly1305)
 
 ## How It Works
 
@@ -87,16 +88,24 @@ Explanation of environment variables:
 If you prefer to build the image yourself:
 
 1. Clone this repository
-2. Build the Docker image:
+2. Build the Docker image using the provided build script:
 
 ```bash
-docker build -t yourusername/dstack-ingress .
+./build-image.sh yourusername/dstack-ingress:tag
 ```
 
+**Important**: You must use the `build-image.sh` script to build the image. This script ensures reproducible builds with:
+- Specific buildkit version (v0.20.2)
+- Deterministic timestamps (`SOURCE_DATE_EPOCH=0`)
+- Package pinning for consistency
+- Git revision tracking
+
+Direct `docker build` commands will not work properly due to the specialized build requirements.
+
 3. Push to your registry (optional):
 
 ```bash
-docker push yourusername/dstack-ingress
+docker push yourusername/dstack-ingress:tag
 ```
 
 4. Update the docker-compose.yaml file with your image name and deploy
diff --git a/custom-domain/dstack-ingress/scripts/entrypoint.sh b/custom-domain/dstack-ingress/scripts/entrypoint.sh
@@ -16,13 +16,49 @@ setup_nginx_conf() {
     cat <<EOF > /etc/nginx/conf.d/default.conf
 server {
     listen ${PORT} ssl;
+    http2 on;
     server_name ${DOMAIN};
     
+    # SSL certificate configuration
     ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
     
+    # Modern SSL configuration - TLS 1.2 and 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+    
+    # Strong cipher suites - Only AES-GCM and ChaCha20-Poly1305
+    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
+    
+    # Prefer server cipher suites
+    ssl_prefer_server_ciphers on;
+    
+    # ECDH curve for ECDHE ciphers
+    ssl_ecdh_curve secp384r1;
+    
+    # Enable OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
+    resolver 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+    
+    # SSL session configuration
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+    
+    # SSL buffer size (optimized for TLS 1.3)
+    ssl_buffer_size 4k;
+    
+    # Disable SSL renegotiation
+    ssl_early_data off;
+    
     location / {
         proxy_pass ${TARGET_ENDPOINT};
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
     }
 
     location /evidences/ {
