privsec.dev/content/apps/Update your Signal TLS Proxy.md

title	date	tags	author
Update your Signal TLS Proxy	2022-10-15	Applications Linux Container Censorship Evasion	Tommy

Given the current censorship situation in Iran, I decided to have a look at the Signal TLS Proxy.

One thing immediately jumped out - the NGINX image has not been updated for years. In fact, NGINX 1.18 is so old that it has gone end of life a year and a half as of this writing.

If you are thinking of deploying or maintaining a Signal TLS Proxy, I highly recommend that you use the upstream nginx:alpine image.

My Docker Compose setup can be found here. I have also fixed the missing :Z flag for mountpoints and and dropped privileges to reduce the attack surface there. I made a couple of pull requests for these changes, but Signal is taking their time to review and merge them, so... yeah.

• Drop capabilities
• Use upstream NGINX image
• Add :Z for SELinux