nginx docker tls handshakes

Author: DeagleGross

build/trend-scenarios.yml

@@ -113,7 +113,10 @@ parameters:
 
   - displayName: "Kestrel Linux: TLS Handshakes"
     arguments: --scenario tls-handshakes-kestrel $(tlsJobs) --property scenario=KestrelTLSHandshakes --application.options.requiredOperatingSystem linux
-    
+
+  - displayName: "Nginx: TLS Handshakes"
+    arguments: --scenario tls-handshakes-nginx $(tlsJobs) --property scenario=NginxTLSHandshakes --application.options.requiredOperatingSystem linux
+
   - displayName: "Kestrel Linux: mTLS Handshakes"
     arguments: --scenario mTls-handshakes-kestrel $(tlsJobs) --property scenario=KestrelMutualTLSHandshakes --application.options.requiredOperatingSystem linux
 

scenarios/tls.benchmarks.yml

@@ -130,6 +130,24 @@ scenarios:
         certPwd: testPassword
         sslProtocol: tls12
 
+# Nginx
+
+  tls-handshakes-docker-nginx:
+    application:
+      job: dockerLinuxNginxServer
+      buildArguments:
+      - CERT_KEY_LENGTH=2048
+      - ENABLE_FIPS_MODE=true
+    load:
+      job: httpclient
+      variables:
+        path: /hello-world
+        serverPort: 8080
+        presetHeaders: connectionclose
+        connections: 32
+        serverScheme: https
+        sslProtocol: tls12
+
 # Kestrel
 
   tls-handshakes-kestrel:
@@ -253,19 +271,4 @@ scenarios:
         presetHeaders: connectionclose
         connections: 32
         serverScheme: https
-        sslProtocol: tls12
-
-  tls-handshakes-docker-nginx:
-    application:
-      job: dockerLinuxNginxServer
-      buildArguments:
-      - CERT_KEY_LENGTH=2048
-    load:
-      job: httpclient
-      variables:
-        path: /hello-world
-        serverPort: 8080
-        presetHeaders: connectionclose
-        connections: 32
-        serverScheme: https
-        sslProtocol: tls12
+        sslProtocol: tls12

src/BenchmarksApps/TLS/Nginx/Dockerfile

@@ -1,7 +1,10 @@
 FROM nginx:latest
 
 # or 4096 key length
-ARG CERT_KEY_LENGTH=2048 
+ARG CERT_KEY_LENGTH=2048
+ARG ENABLE_FIPS_MODE=false
+ARG OPENSSL_CIPHER_STRING=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+ARG OPENSSL_GROUPS=P-384:P-256:P-521
 
 # Copy configuration
 COPY Nginx/config/nginx.conf /etc/nginx/nginx.conf
@@ -11,6 +14,25 @@ COPY Nginx/config/start-nginx.sh /start-nginx.sh
 COPY Certificates/${CERT_KEY_LENGTH}/cert.pem /etc/nginx/certs/cert.pem
 COPY Certificates/${CERT_KEY_LENGTH}/key.pem /etc/nginx/certs/key.pem
 
+# Configure OpenSSL for FIPS-compliant cipher suites if $ENABLE_FIPS_MODE
+RUN if [ "$ENABLE_FIPS_MODE" = "true" ]; then \
+        echo "=== FIPS MODE ENABLED - Configuring OpenSSL ===" && \
+        cat /etc/ssl/openssl.cnf && \
+        echo "" >> /etc/ssl/openssl.cnf && \
+        echo "openssl_conf = openssl_init" >> /etc/ssl/openssl.cnf && \
+        echo "[openssl_init]" >> /etc/ssl/openssl.cnf && \
+        echo "ssl_conf = ssl_sect" >> /etc/ssl/openssl.cnf && \
+        echo "[ssl_sect]" >> /etc/ssl/openssl.cnf && \
+        echo "system_default = system_default_sect" >> /etc/ssl/openssl.cnf && \
+        echo "[system_default_sect]" >> /etc/ssl/openssl.cnf && \
+        echo "CipherString = $OPENSSL_CIPHER_STRING" >> /etc/ssl/openssl.cnf && \
+        echo "Groups = $OPENSSL_GROUPS" >> /etc/ssl/openssl.cnf && \
+        echo "=== FIPS Configuration Applied ===" && \
+        tail -15 /etc/ssl/openssl.cnf; \
+    else \
+        echo "=== FIPS MODE DISABLED ==="; \
+    fi
+
 # Make the script executable
 RUN chmod +x /start-nginx.sh