From 6a64919d0f9168b1277e71f060318470acec1420 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Ricks?=
Date: Fri, 27 Feb 2026 14:02:15 +0100
Subject: [PATCH 1/4] Change: Update compose file for new gvm-config container

The container now renders/creates full nginx config files and not nginx templates anymore. This also has the advantage we can use sane defaults which don't need to be set as environment variables. Additionally our own nginx container image is used which supports auto reloading when a config file has changed.
---
 src/_static/compose.yaml | 22 ++++++----------------
 1 file changed, 6 insertions(+), 16 deletions(-)
diff --git a/src/_static/compose.yaml b/src/_static/compose.yaml
index abf436af..712b693e 100644
--- a/src/_static/compose.yaml
+++ b/src/_static/compose.yaml
@@ -139,29 +139,19 @@ services: gvm-config: image: registry.community.greenbone.net/community/gvm-config:latest environment: - ENABLE_NGINX_CONFIG: 1 - ENABLE_TLS_GENERATION: 1 + ENABLE_NGINX_CONFIG: true + ENABLE_TLS_GENERATION: true volumes: - - nginx_templates_vol:/mnt/nginx/templates + - nginx_config_vol:/mnt/nginx/configs - nginx_certificates_vol:/mnt/nginx/certs nginx: - image: nginx - environment: - NGINX_HOST: "localhost" - NGINX_HTTP_PORT: 9392 - NGINX_HTTPS_PORT: 443 - NGINX_SERVER_CERT: "/etc/nginx/certs/server.cert.pem" - NGINX_SERVER_KEY: "/etc/nginx/certs/server.key" - NGINX_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER: "https://localhost" - NGINX_X_FRAME_OPTIONS_HEADER: "SAMEORIGIN" - NGINX_CONTENT_SECURITY_POLICY_HEADER: "default-src 'none'; object-src 'none'; base-uri 'none'; connect-src 'self'; script-src 'self'; script-src-elem 'self' 'unsafe-inline';frame-ancestors 'none'; form-action 'self'; style-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self';img-src 'self' blob: data:;" - NGINX_STRICT_TRANSPORT_SECURITY_HEADER: "max-age=31536000; includeSubDomains;" + image: registry.community.greenbone.net/community/nginx:latest ports: - 127.0.0.1:443:443 - 127.0.0.1:9392:9392 volumes: - - nginx_templates_vol:/etc/nginx/templates:ro + - nginx_config_vol:/etc/nginx/conf.d:ro - nginx_certificates_vol:/etc/nginx/certs:ro - gsa_data_vol:/usr/share/nginx/html:ro depends_on: @@ -305,5 +295,5 @@ volumes: openvas_data_vol: openvas_log_data_vol: gsa_data_vol: - nginx_templates_vol: + nginx_config_vol: nginx_certificates_vol: From 43d1a5ceee5d3dec1cc15a2d60ee6a22c86914ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Ricks?= Date: Fri, 27 Feb 2026 14:09:03 +0100 Subject: [PATCH 2/4] Change: Update workflows for nginx and gvm-config container changes Adapt the workflows to the new setup. --- src/22.4/container/workflows.md | 40 ++++++++++++--------------------- 1 file changed, 14 insertions(+), 26 deletions(-) 
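Review bot: With the `NGINX_*` environment block removed from the `nginx` service, the Content-Security-Policy, Strict-Transport-Security, X-Frame-Options and Access-Control-Allow-Origin values are no longer visible in this file, and both `gvm-config` and the new `nginx` image are referenced by the mutable `:latest` tag. Going by the commit message these headers now come from defaults rendered by gvm-config, which the diff does not show, so the TLS and header policy of the web interface can change on an image pull without any change here. I would pin both images to a release tag or digest, e.g. `image: registry.community.greenbone.net/community/nginx:<release-tag>` (placeholder), and add a comment above the `gvm-config` `environment:` key such as `# nginx security headers and ports use gvm-config defaults; set NGINX_* variables here to change them`. The new `ENABLE_NGINX_CONFIG: true` and `ENABLE_TLS_GENERATION: true` values are YAML booleans; the Compose specification asks for such environment values to be quoted, i.e. `"true"`. The `nginx` service continues past `depends_on:` outside the hunk.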
diff --git a/src/22.4/container/workflows.md b/src/22.4/container/workflows.md index cbb1348b..6c9b981f 100644 --- a/src/22.4/container/workflows.md +++ b/src/22.4/container/workflows.md @@ -210,33 +210,31 @@ interfaces of the host, the compose file must be modified to configure the web server {command}`nginx` to listen on all network interfaces. The following change of the docker compose file can be applied (it also changes -to the default http port 80 as an example): +to the default http port to port 80 as an example): ```{code-block} diff --- caption: Allowing access on all host interfaces --- ... - nginx: - image: nginx + gvm-config: + image: registry.community.greenbone.net/community/gvm-config:latest environment: - NGINX_HOST: "localhost" -- NGINX_HTTP_PORT: 9392 + NGINX_HOST: "" + NGINX_HTTP_PORT: 80 - NGINX_HTTPS_PORT: 443 - NGINX_SERVER_CERT: "/etc/nginx/certs/server.cert.pem" - NGINX_SERVER_KEY: "/etc/nginx/certs/server.key" - NGINX_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER: "https://localhost" - NGINX_X_FRAME_OPTIONS_HEADER: "SAMEORIGIN" - NGINX_CONTENT_SECURITY_POLICY_HEADER: "default-src 'none'; object-src 'none'; base-uri 'none'; connect-src 'self'; script-src 'self'; script-src-elem 'self' 'unsafe-inline';frame-ancestors 'none'; form-action 'self'; style-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self';img-src 'self' blob: data:;" - NGINX_STRICT_TRANSPORT_SECURITY_HEADER: "max-age=31536000; includeSubDomains;" ++ NGINX_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER: "https://" + +... + + nginx: + image: registry.community.greenbone.net/community/nginx:latest ports: - - 127.0.0.1:443:443 - - 127.0.0.1:9392:9392 + - 80:80 + - 443:443 volumes: - - nginx_templates_vol:/etc/nginx/templates:ro + - nginx_config_vol:/etc/nginx/templates:ro - nginx_certificates_vol:/etc/nginx/certs:ro - gsa_data_vol:/usr/share/nginx/html:ro depends_on: 
@@ -451,23 +449,13 @@ Sample `nginx` service settings to use own TLS certificate files: ```diff nginx: - image: nginx - environment: - NGINX_HOST: "localhost" - NGINX_HTTP_PORT: 9392 - NGINX_HTTPS_PORT: 443 - NGINX_SERVER_CERT: "/etc/nginx/certs/server.cert.pem" - NGINX_SERVER_KEY: "/etc/nginx/certs/server.key" - NGINX_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER: "https://localhost" - NGINX_X_FRAME_OPTIONS_HEADER: "SAMEORIGIN" - NGINX_CONTENT_SECURITY_POLICY_HEADER: "default-src 'none'; object-src 'none'; base-uri 'none'; connect-src 'self'; script-src 'self'; script-src-elem 'self' 'unsafe-inline';frame-ancestors 'none'; form-action 'self'; style-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self';img-src 'self' blob: data:;" - NGINX_STRICT_TRANSPORT_SECURITY_HEADER: "max-age=31536000; includeSubDomains;" + image: registry.community.greenbone.net/community/nginx:latest ports: - 127.0.0.1:443:443 - 127.0.0.1:9392:9392 volumes: - - nginx_templates_vol:/etc/nginx/templates:ro - - nginx_certificates_vol:/etc/nginx/certs:ro + - nginx_config_vol:/etc/nginx/templates:ro +- - nginx_certificates_vol:/etc/nginx/certs:ro + - /home//.ssl/:/etc/nginx/certs:ro - gsa_data_vol:/usr/share/nginx/html:ro depends_on: From 19b221fd67c0757aefbbfc96e4aa03491b1b999d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Ricks?= Date: Fri, 27 Feb 2026 14:09:29 +0100 Subject: [PATCH 3/4] Change: GSA is available at https on port 443 now by default Adapt opening a browser window to new default settings. --- src/22.4/container/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/22.4/container/index.md b/src/22.4/container/index.md index f948eba5..d2afeb53 100644 --- a/src/22.4/container/index.md +++ b/src/22.4/container/index.md 
@@ -87,7 +87,7 @@ the {term}`Greenbone Security Assistant web interface – GSA –` can be o --- caption: Opening Greenbone Security Assistant in the browser --- -xdg-open "http://127.0.0.1:9392" 2>/dev/null >/dev/null & +xdg-open "https://127.0.0.1" 2>/dev/null >/dev/null & ``` The browser will show the login page of GSA and after using the credentials From 5b6cfc0757d0b8ec6e0bd078f66f2f29ffd2f8f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Ricks?= Date: Tue, 3 Mar 2026 08:56:53 +0100 Subject: [PATCH 4/4] Improve workflow for accessing the web interface remotely Add examples in comments. --- src/22.4/container/workflows.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/22.4/container/workflows.md b/src/22.4/container/workflows.md index 6c9b981f..c95bd11b 100644 --- a/src/22.4/container/workflows.md +++ b/src/22.4/container/workflows.md @@ -220,8 +220,13 @@ caption: Allowing access on all host interfaces gvm-config: image: registry.community.greenbone.net/community/gvm-config:latest environment: - NGINX_HOST: "" + ENABLE_NGINX_CONFIG: true + ENABLE_TLS_GENERATION: true ++ # e.g. "greenbone.your-domain.com" (default is localhost) ++ NGINX_HOST: "" ++ # change http port to 80 (default is 9392) + NGINX_HTTP_PORT: 80 ++ # e.g. "https://greenbone.your-domain.com:443" (default is https://${NGINX_HOST}:${NGINX_HTTPS_PORT}) + NGINX_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER: "https://" ...