-rw-r--r--Dockerfile11
-rw-r--r--Dockerfile_nginx7
-rw-r--r--docker-compose.yaml44
-rw-r--r--icanhazallips.go10
-rw-r--r--nginx.conf36
5 files changed, 84 insertions, 24 deletions
diff --git a/Dockerfile b/Dockerfile
index d41862a..20386f0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.17 as builder
+FROM alpine:3.21 as builder
ENV GOPROXY=https://goproxy.io
RUN apk update && apk upgrade
RUN apk add go git
@@ -8,13 +8,6 @@ RUN cd /icanhazallips && go mod download
COPY *.go /icanhazallips/
RUN cd /icanhazallips && go build
-FROM alpine:3.17 as certbuilder
-RUN apk add openssl
-WORKDIR /certs
-RUN openssl req -nodes -new -x509 -subj="/CN=icanhazallips.terminaldweller.com" -keyout server.key -out server.cert
-
-# FROM gcr.io/distroless/static-debian11
-FROM alpine:3.17
-COPY --from=certbuilder /certs /certs
+FROM alpine:3.21
COPY --from=builder /icanhazallips/icanhazallips /icanhazallips/icanhazallips
ENTRYPOINT ["/icanhazallips/icanhazallips"]
diff --git a/Dockerfile_nginx b/Dockerfile_nginx
new file mode 100644
index 0000000..9ecb95b
--- /dev/null
+++ b/Dockerfile_nginx
@@ -0,0 +1,7 @@
+FROM alpine:3.21 as certbuilder
+RUN apk add openssl
+WORKDIR /certs
+RUN openssl req -nodes -new -x509 -subj="/CN=icanhazallips.terminaldweller.com" -keyout server.key -out server.cert
+
+FROM nginx:stable-alpine
+COPY --from=certbuilder /certs /certs
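Review bot: The certbuilder stage passes no `-days` to `openssl req -x509`, so the certificate gets OpenSSL's default 30-day validity and nginx will be serving an expired certificate a month after each image build; give it an explicit lifetime, e.g. `RUN openssl req -nodes -new -x509 -days 365 -subj="/CN=icanhazallips.terminaldweller.com" -keyout server.key -out server.cert`. The key pair is also generated at build time and copied into the haz_nginx image layer, so anyone who can pull that image holds the private key; generating it at container start or mounting /certs as a volume keeps it out of the image. The subject has a CN only and no subjectAltName, which current browsers require before they will match the hostname, so even a trusted copy of this cert would be rejected for the name.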
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 54ae340..15b75f7 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -2,15 +2,19 @@ version: "3"
services:
icanhazallips:
image: icanhazallips
+ deploy:
+ resources:
+ limits:
+ memory: 256M
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "100m"
build:
context: .
networks:
- - mainnet
+ - haznet
restart: unless-stopped
- ports:
- - target: 8080
- published: 9380
- mode: host
entrypoint: ["/icanhazallips/icanhazallips"]
cap_drop:
- ALL
@@ -21,6 +25,34 @@ services:
- APP_READ_TIMEOUT=5
- APP_WRITE_TIMEOUT=5
- APP_IDLE_TIMEOUT=5
+ nginx:
+ image: haz_nginx
+ deploy:
+ resources:
+ limits:
+ memory: 256M
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "100m"
+ build:
+ context: .
+ dockerfile: Dockerfile_nginx
+ ports:
+ - "9380:443"
+ networks:
+ - haznet
+ restart: unless-stopped
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - DAC_OVERRIDE
+ - SETGID
+ - SETUID
+ - NET_BIND_SERVICE
+ volumes:
+ - ./nginx.conf:/etc/nginx/nginx.conf:ro
networks:
- mainnet:
+ haznet:
driver: bridge
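Review bot: The nginx service adds `DAC_OVERRIDE` back, which lets the root master process bypass file permission checks on every path in the container, not just the nginx cache, log and pid directories; if that is the only reason it is needed, a comment saying so would help the next reviewer, and `security_opt: ["no-new-privileges:true"]` on the service would keep the retained SETUID/SETGID from being usable to regain dropped capabilities. The app service in the first hunk keeps `cap_drop: ALL` with no `cap_add`, which is the tighter baseline. Mounting nginx.conf `:ro` is good; the same treatment for the certificate directory is worth considering once it moves out of the image.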
diff --git a/icanhazallips.go b/icanhazallips.go
index 684fea8..1564ef4 100644
--- a/icanhazallips.go
+++ b/icanhazallips.go
@@ -2,7 +2,6 @@
package main
import (
- "crypto/tls"
"errors"
"log"
"net"
@@ -156,12 +155,6 @@ func main() {
log.Fatal(errBadConfig)
}
- tlsConfig := &tls.Config{
- MinVersion: tls.VersionTLS13,
- CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
- PreferServerCipherSuites: true,
- }
-
server := http.Server{
Addr: config.Addr,
ReadHeaderTimeout: time.Duration(config.ReadHeaderTimeout) * time.Second,
@@ -171,8 +164,7 @@ func main() {
TLSNextProto: nil,
ErrorLog: nil,
Handler: nil,
- TLSConfig: tlsConfig,
}
- log.Fatal(server.ListenAndServeTLS("/certs/server.cert", "/certs/server.key"))
+ log.Fatal(server.ListenAndServe())
}
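Review bot: With `server.ListenAndServe()` the only TCP peer the app ever sees is the nginx container, so if the handler (outside this hunk; main also starts before it) derives the client address from `r.RemoteAddr`, the service will report the proxy's address instead of the caller's. The proxy sends `$proxy_add_x_forwarded_for`, which appends nginx's view to whatever the client already supplied, so the handler should take only the last entry and only trust the header when the connection comes from the proxy network. A comment at the call would record the new assumption, e.g. `// TLS is terminated by the nginx container; this listener is plaintext and must stay unpublished outside the docker network.`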
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..5a9c8a3
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,36 @@
+events {
+ worker_connections 4096;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ server_tokens off;
+ limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
+ server {
+ listen 443 ssl;
+ keepalive_timeout 60;
+ charset utf-8;
+ ssl_certificate /certs/server.cert;
+ ssl_certificate_key /certs/server.key;
+ ssl_ciphers HIGH:!aNULL:!MD5:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_protocols TLSv1.3;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_prefer_server_ciphers on;
+ tcp_nopush on;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'self';";
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "no-referrer";
+ fastcgi_hide_header X-Powered-By;
+
+ error_page 401 403 404 /404.html;
+ location / {
+ proxy_pass http://icanhazallips:8080;
+ proxy_set_header X-Forwaded-For $proxy_add_x_forwarded_for;
+ }
+ }
+}
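Review bot: The forwarded header name is misspelled in the `location /` block: `proxy_set_header X-Forwaded-For $proxy_add_x_forwarded_for;` should be `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` — as written the backend never receives the standard header, and because nginx passes unlisted request headers through unchanged, a client-supplied `X-Forwarded-For` reaches the app untouched while nginx's own value lands under a name nothing reads. The `limit_req_zone` declared at the top of the http block is never applied; without a `limit_req zone=one burst=10 nodelay;` inside `location /` no rate limiting takes place. Also worth a look: `ssl_ciphers` has no effect when `ssl_protocols` is TLSv1.3 only (TLS 1.3 suites are configured through `ssl_conf_command Ciphersuites`), `Content-Security-Policy` and `Referrer-Policy` lack `always` so they are omitted on error responses, and `error_page ... /404.html` is forwarded to the backend since there is no static root to serve it from.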