privsec.dev/content/posts/proxies/Update your Signal TLS Proxy.md

---
title: "Update your Signal TLS Proxy"
date: 2022-10-15
tags: ['Proxies', 'Containers', 'Security']
author: Tommy
---

![Signal](/images/plz-merge.jpg)

Given the current censorship situation in Iran, I decided to have a look at the [Signal TLS Proxy](https://github.com/signalapp/Signal-TLS-Proxy).

One thing immediately jumped out - the NGINX image has not been updated [for years](https://github.com/signalapp/Signal-TLS-Proxy/blob/ac94d6b869f942ec05d7ef76840287a1d1f487f9/nginx-relay/Dockerfile#L9). In fact, NGINX 1.18 is so old that it has gone end of life for [a year and a half](https://endoflife.date/nginx) as of this writing.

If you are deploying or maintaining a Signal TLS Proxy, I highly recommend that you use the upstream `nginx:alpine` image instead.

My Docker Compose setup can be found [here](https://github.com/ArcticFoxes-net/Signal-TLS-Proxy). I have also fixed the missing `:Z` flag for mountpoints and and dropped privileges to reduce the attack surface. I made a couple of pull requests for these changes, but Signal is being very slow on reviewing and merging them, so... yeah.

- [Drop capabilities](https://github.com/signalapp/Signal-TLS-Proxy/pull/24)
- [Use upstream NGINX image](https://github.com/signalapp/Signal-TLS-Proxy/pull/23)
- [Add :Z for SELinux](https://github.com/signalapp/Signal-TLS-Proxy/pull/22)
Update your Signal TLS Proxy (#71) Signal TLS Proxy Signed-off-by: Tommy <contact@tommytran.io> 2022-10-15 17:12:30 -04:00			`---`
			`title: "Update your Signal TLS Proxy"`
			`date: 2022-10-15`
Update tags Signed-off-by: Tommy <contact@tommytran.io> 2022-10-17 19:21:25 -04:00			`tags: ['Proxies', 'Containers', 'Security']`
Update your Signal TLS Proxy (#71) Signal TLS Proxy Signed-off-by: Tommy <contact@tommytran.io> 2022-10-15 17:12:30 -04:00			`author: Tommy`
			`---`

			`![Signal](/images/plz-merge.jpg)`

			`Given the current censorship situation in Iran, I decided to have a look at the [Signal TLS Proxy](https://github.com/signalapp/Signal-TLS-Proxy).`

Grammar Fixes Signed-off-by: Tommy <contact@tommytran.io> 2022-10-15 19:58:43 -04:00			`One thing immediately jumped out - the NGINX image has not been updated [for years](https://github.com/signalapp/Signal-TLS-Proxy/blob/ac94d6b869f942ec05d7ef76840287a1d1f487f9/nginx-relay/Dockerfile#L9). In fact, NGINX 1.18 is so old that it has gone end of life for [a year and a half](https://endoflife.date/nginx) as of this writing.`
Update your Signal TLS Proxy (#71) Signal TLS Proxy Signed-off-by: Tommy <contact@tommytran.io> 2022-10-15 17:12:30 -04:00
Grammar Fixes Signed-off-by: Tommy <contact@tommytran.io> 2022-10-15 19:58:43 -04:00			If you are deploying or maintaining a Signal TLS Proxy, I highly recommend that you use the upstream `nginx:alpine` image instead.
Update your Signal TLS Proxy (#71) Signal TLS Proxy Signed-off-by: Tommy <contact@tommytran.io> 2022-10-15 17:12:30 -04:00
Update Repo URL Signed-off-by: Tommy <contact@tommytran.io> 2023-03-13 16:19:15 -04:00			My Docker Compose setup can be found [here](https://github.com/ArcticFoxes-net/Signal-TLS-Proxy). I have also fixed the missing `:Z` flag for mountpoints and and dropped privileges to reduce the attack surface. I made a couple of pull requests for these changes, but Signal is being very slow on reviewing and merging them, so... yeah.
Update your Signal TLS Proxy (#71) Signal TLS Proxy Signed-off-by: Tommy <contact@tommytran.io> 2022-10-15 17:12:30 -04:00
			`- [Drop capabilities](https://github.com/signalapp/Signal-TLS-Proxy/pull/24)`
			`- [Use upstream NGINX image](https://github.com/signalapp/Signal-TLS-Proxy/pull/23)`
Grammar Fixes Signed-off-by: Tommy <contact@tommytran.io> 2022-10-15 19:58:43 -04:00			`- [Add :Z for SELinux](https://github.com/signalapp/Signal-TLS-Proxy/pull/22)`