From 9b32329f415c87333bab4d0f68ba8610f9fa474b Mon Sep 17 00:00:00 2001
From: Jamie Curnow
Date: Mon, 24 Jul 2023 08:08:05 +1000
Subject: [PATCH] Apply fixes from v2
---
 docker/rootfs/etc/nginx/conf.d/default.conf | 1 +
 docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf | 6 ++----
 docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv46.sh | 4 ++--
 3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/docker/rootfs/etc/nginx/conf.d/default.conf b/docker/rootfs/etc/nginx/conf.d/default.conf
index b31b0072..4d700733 100644
--- a/docker/rootfs/etc/nginx/conf.d/default.conf
+++ b/docker/rootfs/etc/nginx/conf.d/default.conf
@@ -16,6 +16,7 @@ server {
 server {
 listen 443 ssl default;
 server_name localhost;
+ include conf.d/include/ssl-ciphers.conf;
 include conf.d/include/block-exploits.conf;
 access_log /data/logs/default.log proxy;
 ssl_reject_handshake on;
diff --git a/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf b/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
index bd905d31..233abb6e 100644
--- a/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
@@ -3,7 +3,5 @@ ssl_session_cache shared:SSL:50m;
 # intermediate configuration. tweak to your needs.
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers 'EECDH+AESGCM:AES256+EECDH:AES256+EDH:EDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-
-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE
-S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES';
-ssl_prefer_server_ciphers on;
+ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ssl_prefer_server_ciphers off;
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv46.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv46.sh
index 1a36badd..0199e4e5 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv46.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv46.sh
@@ -32,7 +32,7 @@ process_folder () {
 for FILE in $FILES
 do
 echo " - ${FILE}"
- sed -E -i "$SED_REGEX" "$FILE" || true
+ echo "$(sed -E "$SED_REGEX" "$FILE")" > $FILE
 done
 # IPV6 ...
@@ -47,7 +47,7 @@ process_folder () {
 for FILE in $FILES
 do
 echo " - ${FILE}"
- sed -E -i "$SED_REGEX" "$FILE" || true
+ echo "$(sed -E "$SED_REGEX" "$FILE")" > $FILE
 done
 # ensure the files are still owned by the npm user
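Review bot: The new `ssl_ciphers` list ends with DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384, but no `ssl_dhparam` is set in this file, and nginx documents that without DH parameters DHE ciphers are not used (since 1.11.0), so unless another included file supplies them these two entries are dead weight that suggest finite-field DH is offered when it is not. Either add `ssl_dhparam` pointing at a generated group — the Mozilla intermediate profile this list appears to follow pairs it with ffdhe2048 — or drop the two DHE entries and keep the list purely ECDHE. The comment kept above the list, `# intermediate configuration. tweak to your needs.`, could also say what it is and what it does not cover, e.g. `# Mozilla "intermediate" profile; ssl_ciphers does not govern TLS 1.3 suites`. The file's first two lines are outside the hunk.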
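Review bot: The replacement line `echo "$(sed -E "$SED_REGEX" "$FILE")" > $FILE` empties the config file down to a single newline whenever sed fails, because the substitution expands to nothing while the redirection still runs, whereas the removed `sed -E -i ... || true` at least left the file intact on failure; the hunk at -47,7 has the same line. The redirection target also lost its quotes (the removed line had `"$FILE"`), so a path with spaces or glob characters would split, and `echo` may reinterpret a leading `-n`/`-e` or backslash sequences depending on the shell, which the shebang outside the hunk decides. Capture the result and write only on success, e.g. `if OUT=$(sed -E "$SED_REGEX" "$FILE"); then printf '%s\n' "$OUT" > "$FILE"; fi`. process_folder starts and ends outside both hunks.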