From fddaa14b17e30fd700e4bacfd46c66d282af996b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Ricks?= Date: Fri, 27 Feb 2026 14:02:15 +0100 Subject: [PATCH 1/3] Change: Update compose file for new gvm-config container The container now renders/creates full nginx config files and not nginx templates anymore. This also has the advantage we can use sane defaults which don't need to be set as environment variables. --- src/_static/compose.yaml | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/src/_static/compose.yaml b/src/_static/compose.yaml index abf436af..7f1c358c 100644 --- a/src/_static/compose.yaml +++ b/src/_static/compose.yaml 
@@ -139,29 +139,19 @@ services: gvm-config: image: registry.community.greenbone.net/community/gvm-config:latest environment: - ENABLE_NGINX_CONFIG: 1 - ENABLE_TLS_GENERATION: 1 + ENABLE_NGINX_CONFIG: true + ENABLE_TLS_GENERATION: true volumes: - - nginx_templates_vol:/mnt/nginx/templates + - nginx_config_vol:/mnt/nginx/configs - nginx_certificates_vol:/mnt/nginx/certs nginx: image: nginx - environment: - NGINX_HOST: "localhost" - NGINX_HTTP_PORT: 9392 - NGINX_HTTPS_PORT: 443 - NGINX_SERVER_CERT: "/etc/nginx/certs/server.cert.pem" - NGINX_SERVER_KEY: "/etc/nginx/certs/server.key" - NGINX_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER: "https://localhost" - NGINX_X_FRAME_OPTIONS_HEADER: "SAMEORIGIN" - NGINX_CONTENT_SECURITY_POLICY_HEADER: "default-src 'none'; object-src 'none'; base-uri 'none'; connect-src 'self'; script-src 'self'; script-src-elem 'self' 'unsafe-inline';frame-ancestors 'none'; form-action 'self'; style-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self';img-src 'self' blob: data:;" - NGINX_STRICT_TRANSPORT_SECURITY_HEADER: "max-age=31536000; includeSubDomains;" ports: - 127.0.0.1:443:443 - 127.0.0.1:9392:9392 volumes: - - nginx_templates_vol:/etc/nginx/templates:ro + - nginx_config_vol:/etc/nginx/conf.d:ro - nginx_certificates_vol:/etc/nginx/certs:ro - gsa_data_vol:/usr/share/nginx/html:ro depends_on: @@ -305,5 +295,5 @@ volumes: openvas_data_vol: openvas_log_data_vol: gsa_data_vol: - nginx_templates_vol: + nginx_config_vol: nginx_certificates_vol: From e8bfebc0c5d79f0fa8a4914c3f0240d1a966618c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Ricks?= Date: Fri, 27 Feb 2026 14:09:03 +0100 Subject: [PATCH 2/3] Change: Update workflows for nginx and gvm-config container changes Adapt the workflows to the new setup. --- src/22.4/container/workflows.md | 38 +++++++++++---------------------- 1 file changed, 13 insertions(+), 25 deletions(-) 
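Review bot: In the first compose.yaml hunk, dropping the `NGINX_*` block from the `nginx` service means the effective CSP, HSTS, X-Frame-Options and CORS-origin values are no longer visible in this file and are whatever `gvm-config:latest` renders into `nginx_config_vol`; since that tag is mutable, the header policy can change on an image pull with no change here. I would add a comment above the `gvm-config` service such as `# nginx security headers (CSP, HSTS, X-Frame-Options, CORS origin) come from gvm-config defaults; override via NGINX_* variables on this service` (the workflows.md change in patch 2 suggests the overrides now live there) and consider pinning the image to a release tag or digest. The new `ENABLE_NGINX_CONFIG: true` and `ENABLE_TLS_GENERATION: true` are unquoted YAML booleans in an environment mapping, which the Compose reference recommends quoting, so `ENABLE_NGINX_CONFIG: "true"` is the safer form; it is also worth confirming the image treats `true` the same as the former `1`. The mount here is `nginx_config_vol:/etc/nginx/conf.d:ro`, while both workflows.md samples in patch 2 show `nginx_config_vol:/etc/nginx/templates:ro`, which looks like a leftover. The `nginx` service definition continues past the end of the hunk.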
diff --git a/src/22.4/container/workflows.md b/src/22.4/container/workflows.md index cbb1348b..193766e9 100644 --- a/src/22.4/container/workflows.md +++ b/src/22.4/container/workflows.md @@ -210,33 +210,31 @@ interfaces of the host, the compose file must be modified to configure the web server {command}`nginx` to listen on all network interfaces. The following change of the docker compose file can be applied (it also changes -to the default http port 80 as an example): +to the default http port to port 80 as an example): ```{code-block} diff --- caption: Allowing access on all host interfaces --- ... - nginx: - image: nginx + gvm-config: + image: registry.community.greenbone.net/community/gvm-config:latest environment: - NGINX_HOST: "localhost" -- NGINX_HTTP_PORT: 9392 + NGINX_HOST: "" + NGINX_HTTP_PORT: 80 - NGINX_HTTPS_PORT: 443 - NGINX_SERVER_CERT: "/etc/nginx/certs/server.cert.pem" - NGINX_SERVER_KEY: "/etc/nginx/certs/server.key" - NGINX_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER: "https://localhost" - NGINX_X_FRAME_OPTIONS_HEADER: "SAMEORIGIN" - NGINX_CONTENT_SECURITY_POLICY_HEADER: "default-src 'none'; object-src 'none'; base-uri 'none'; connect-src 'self'; script-src 'self'; script-src-elem 'self' 'unsafe-inline';frame-ancestors 'none'; form-action 'self'; style-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self';img-src 'self' blob: data:;" - NGINX_STRICT_TRANSPORT_SECURITY_HEADER: "max-age=31536000; includeSubDomains;" ++ NGINX_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER: "https://" + +... + + nginx: + image: nginx ports: - - 127.0.0.1:443:443 - - 127.0.0.1:9392:9392 + - 80:80 + - 443:443 volumes: - - nginx_templates_vol:/etc/nginx/templates:ro + - nginx_config_vol:/etc/nginx/templates:ro - nginx_certificates_vol:/etc/nginx/certs:ro - gsa_data_vol:/usr/share/nginx/html:ro depends_on: 
@@ -452,22 +450,12 @@ Sample `nginx` service settings to use own TLS certificate files: ```diff nginx: image: nginx - environment: - NGINX_HOST: "localhost" - NGINX_HTTP_PORT: 9392 - NGINX_HTTPS_PORT: 443 - NGINX_SERVER_CERT: "/etc/nginx/certs/server.cert.pem" - NGINX_SERVER_KEY: "/etc/nginx/certs/server.key" - NGINX_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER: "https://localhost" - NGINX_X_FRAME_OPTIONS_HEADER: "SAMEORIGIN" - NGINX_CONTENT_SECURITY_POLICY_HEADER: "default-src 'none'; object-src 'none'; base-uri 'none'; connect-src 'self'; script-src 'self'; script-src-elem 'self' 'unsafe-inline';frame-ancestors 'none'; form-action 'self'; style-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self';img-src 'self' blob: data:;" - NGINX_STRICT_TRANSPORT_SECURITY_HEADER: "max-age=31536000; includeSubDomains;" ports: - 127.0.0.1:443:443 - 127.0.0.1:9392:9392 volumes: - - nginx_templates_vol:/etc/nginx/templates:ro - - nginx_certificates_vol:/etc/nginx/certs:ro + - nginx_config_vol:/etc/nginx/templates:ro +- - nginx_certificates_vol:/etc/nginx/certs:ro + - /home//.ssl/:/etc/nginx/certs:ro - gsa_data_vol:/usr/share/nginx/html:ro depends_on: From 09a3f3a308bdec171f794bf7460ae6ba4d846908 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Ricks?= Date: Fri, 27 Feb 2026 14:09:29 +0100 Subject: [PATCH 3/3] Change: GSA is available at https on port 443 now by default Adapt opening a browser window to new default settings. --- src/22.4/container/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/22.4/container/index.md b/src/22.4/container/index.md index f948eba5..d2afeb53 100644 --- a/src/22.4/container/index.md +++ b/src/22.4/container/index.md 
@@ -87,7 +87,7 @@ the {term}`Greenbone Security Assistant web interface – GSA –` can be o --- caption: Opening Greenbone Security Assistant in the browser --- -xdg-open "http://127.0.0.1:9392" 2>/dev/null >/dev/null & +xdg-open "https://127.0.0.1" 2>/dev/null >/dev/null & ``` The browser will show the login page of GSA and after using the credentials