From 62f2deecdee9fb046d3afb8e98eda391ef10d379 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Ricks?= <bjoern.ricks@greenbone.net>
Date: Tue, 24 Feb 2026 14:37:38 +0100
Subject: [PATCH] Add: Nginx based setup for providing GSA

Change the docker compose setup to use nginx as the primary web
interface. nginx terminates the TLS connection and provides the static
files of GSA.
---
 src/22.4/container/index.md         |   5 +-
 src/22.4/container/workflows.md     | 165 ++++++++-------
 src/_static/docker-compose-22.4.yml | 258 -----------------------
 src/_static/docker-compose.yml      | 306 +++++++++++++++++++++++++++-
 src/changelog.md                    |   9 +
 5 files changed, 405 insertions(+), 338 deletions(-)
 delete mode 100644 src/_static/docker-compose-22.4.yml
 mode change 120000 => 100644 src/_static/docker-compose.yml

diff --git a/src/22.4/container/index.md b/src/22.4/container/index.md
index e404816f..fc6ed03d 100644
--- a/src/22.4/container/index.md
+++ b/src/22.4/container/index.md
@@ -54,7 +54,10 @@ and their services in detail.
 | pg-gvm              | [postgresql](https://www.postgresql.org/) | A PostgreSQL database cluster setup for use with {term}`gvmd`. The actual data is stored in the `psql_data_vol` volume.                                                                                                                                                          |
 | pg-gvm-migrator     |                                           | A container for migrating the database from one PostgreSQL major version to another                                                                                                                                                                                              |
 | gvmd                | gvmd                                      | A container for {term}`gvmd` that uses unix sockets in volumes to communicate with the PostgreSQL database and ospd-openvas scanner. The downloaded feed data is stored in the `gvmd_data_vol` volume. To verify the feed data, the GPG keyring from the `gpg_data_vol` is used. |
-| gsa                 | gsad                                      | A container running the {term}`gsad` web server for providing the web application {term}`GSA`. The web interface is available at localhost on port 9392. For communication with gvmd, a unix socket in a volume is used.                                                         |
+| gsad                | gsad                                      | A container running the {term}`gsad` service for providing the web API. It translates between http and {term}`GMP`. For communication with gvmd, a unix socket in a volume is used.                                                                                              |
+| gsa                 |                                           | A container that copies the static content for the web application {term}`GSA` to the `gsa_data_vol` volume on startup.                                                                                                                                                          |
+| gvm-config          |                                           | A container providing the nginx config and self-signed certificates for https                                                                                                                                                                                                    |
+| nginx               | nginx                                     | A nginx web server providing {term}`GSA`                                                                                                                                                                                                                                         |
 | ospd-openvas        | ospd-openvas                              | A container providing the vulnerability scanner. The VT data from the feed is stored in the `vt_data_vol` volume. To verify the feed data, the GPG keyring from the `gpg_data_vol` is used. The connection to the redis server is established via a unix socket in a volume.     |
 | gvm-tools           |                                           | A container providing the [gvm-tools](https://github.com/greenbone/gvm-tools/) CLI to query and control gvmd and ospd-openvas.                                                                                                                                                   |
 | gpg-data            |                                           | A container that copies a GPG keyring with Greenbone's public signing keys into the `gpg_data_vol` volume on startup. It exits afterwards.                                                                                                                                       |
diff --git a/src/22.4/container/workflows.md b/src/22.4/container/workflows.md
index a4f7bb36..e9bb3c54 100644
--- a/src/22.4/container/workflows.md
+++ b/src/22.4/container/workflows.md
@@ -207,25 +207,41 @@ Scan config Full and fast (daba56c8-73ec-11df-a475-002264764cea) has been create
 When using the docker compose file, the web server is configured to listen only
 on the local address of the host (127.0.0.1). To allow remote access on all
 interfaces of the host, the compose file must be modified to configure the web
-server {command}`gsad` to listen on all network interfaces.
+server {command}`nginx` to listen on all network interfaces.
 
-The following change of the docker compose file must be applied:
+The following change of the docker compose file can be applied (it also changes
+to the default http port 80 as an example):
 
 ```{code-block} diff
 ---
 caption: Allowing access on all host interfaces
 ---
 ...
-  gsa:
-    image: greenbone/gsa:stable
-    restart: on-failure
+  nginx:
+    image: nginx
+    environment:
+      NGINX_HOST: "localhost"
+-     NGINX_HTTP_PORT: 9392
++     NGINX_HTTP_PORT: 80
+      NGINX_HTTPS_PORT: 443
+      NGINX_SERVER_CERT: "/etc/nginx/certs/server.cert.pem"
+      NGINX_SERVER_KEY: "/etc/nginx/certs/server.key"
     ports:
--      - 127.0.0.1:9392:80
-+      - 9392:80
+-     - 127.0.0.1:443:443
+-     - 127.0.0.1:9392:9392
++     - 80:80
++     - 443:443
     volumes:
-      - gvmd_socket_vol:/run/gvmd
+      - nginx_templates_vol:/etc/nginx/templates:ro
+      - nginx_certificates_vol:/etc/nginx/certs:ro
+      - gsa_data_vol:/usr/share/nginx/html:ro
     depends_on:
-      - gvmd
+      gvm-config:
+        condition: service_completed_successfully
+      gsa:
+        condition: service_healthy
+      gsad:
+        condition: service_started
 ...
 ```
 
@@ -302,28 +318,28 @@ In the next step, the docker compose file must be changed as follows:
     image: greenbone/gvmd:stable
     restart: on-failure
     volumes:
-       - gvmd_data_vol:/var/lib/gvm
-       - vt_data_vol:/var/lib/openvas
-       - psql_data_vol:/var/lib/postgresql
--      - gvmd_socket_vol:/run/gvmd
-+      - /tmp/gvm/gvmd:/run/gvmd
-       - ospd_openvas_socket_vol:/run/ospd
-       - psql_socket_vol:/var/run/postgresql
-     depends_on:
+      - gvmd_data_vol:/var/lib/gvm
+      - vt_data_vol:/var/lib/openvas
+      - psql_data_vol:/var/lib/postgresql
+-     - gvmd_socket_vol:/run/gvmd
++     - /tmp/gvm/gvmd:/run/gvmd
+      - ospd_openvas_socket_vol:/run/ospd
+      - psql_socket_vol:/var/run/postgresql
+    depends_on:
       - pg-gvm
 
 ...
-
-  gsa:
-    image: greenbone/gsa:stable
+  gsad:
+    image: registry.community.greenbone.net/community/gsad:stable
     restart: on-failure
-     ports:
-       - 9392:80
-     volumes:
--      - gvmd_socket_vol:/run/gvmd
-+      - /tmp/gvm/gvmd:/run/gvmd
-     depends_on:
-       - gvmd
+    environment:
+      GSAD_ARGS: "--listen=0.0.0.0 --http-only --api-only -f"
+    volumes:
+-     - gvmd_socket_vol:/run/gvmd
++     - /tmp/gvm/gvmd:/run/gvmd
+    depends_on:
+      gvmd:
+        condition: service_started
 ```
 
 After restarting the containers with
@@ -346,18 +362,19 @@ gvm-cli socket --socketpath /tmp/gvm/gvmd/gvmd.sock --pretty --xml "<get_version
 within compose file or command line. Available variables (for detailed explanation refer
 to [msmtp documentation](https://marlam.de/msmtp/msmtp.html), note that not all
 `mstmp` options implemented in `gvmd` container):
-  - `MTA_HOST`: The SMTP server to send the mail to. (_Mandatory parameter_).
-  - `MTA_PORT`: The port that the SMTP server listens on. (_default = '25'_).
-  - `MTA_TLS`: Enable or disable TLS (_on|off'_).
-  - `MTA_STARTTLS`: TLS variant: start TLS from within the session (_‘on’, default_), or
-tunnel the session through TLS (_‘off’_).
-  - `MTA_TLS_CERTCHECK`: Enable or disable checks of the server certificate. (WARNING: When the checks are disabled, TLS sessions will not be secure!) (_'on'|'off'_).
-  - `MTA_AUTH`: Enable or disable authentication and optionally choose a method to use
-(_'on'|'off'|'method'_).
-  - `MTA_USER`: Username for authentication.
-  - `MTA_PASSWORD`: Password for authentication.
-  - `MTA_FROM`: Set the envelope-from address.
-  - `MTA_LOGFILE`: Enable logging to the specified file.
+
+- `MTA_HOST`: The SMTP server to send the mail to. (_Mandatory parameter_).
+- `MTA_PORT`: The port that the SMTP server listens on. (_default = '25'_).
+- `MTA_TLS`: Enable or disable TLS (_on|off'_).
+- `MTA_STARTTLS`: TLS variant: start TLS from within the session (_‘on’, default_), or
+nnel the session through TLS (_‘off’_).
+- `MTA_TLS_CERTCHECK`: Enable or disable checks of the server certificate. (WARNING: When the checks are disabled, TLS sessions will not be secure!) (_'on'|'off'_).
+- `MTA_AUTH`: Enable or disable authentication and optionally choose a method to use
+'on'|'off'|'method'_).
+- `MTA_USER`: Username for authentication.
+- `MTA_PASSWORD`: Password for authentication.
+- `MTA_FROM`: Set the envelope-from address.
+- `MTA_LOGFILE`: Enable logging to the specified file.
 
 Examples:
 
@@ -402,8 +419,9 @@ caption: Use the Google Mail services with SSL and authorization
 ## Setting up SSL/TLS for GSA
 
 Enabling SSL/TLS for the the web interface ({term}`GSA`) requires generating a
-private key and public certificate, and adjusting the `gsa` container settings
-in the `docker-compose.yml` file.
+private key and public certificate. By default a self signed certificate is
+generated automatically. To provide an own certificate the following steps are
+necessary.
 
 As of September 2020, the maximum validity period for publicly trusted SSL/TLS
 certificates is 398 days. An expiration date of more than 397 days is not valid
@@ -411,7 +429,7 @@ and may cause some browsers to block the connection. OpenSSL can be used to
 generate the private key and certificate:
 
 ```{code-block} yaml
-openssl req -x509 -newkey rsa:4096 -keyout serverkey.pem -out servercert.pem -nodes -days 397
+openssl req -x509 -newkey rsa:4096 -keyout server.key -out servercert.cert.pem -nodes -days 397
 ```
 
 The user that executes the `docker compose` command must have read access to the
@@ -419,47 +437,38 @@ private key and certificate.  So, they must be placed in an appropriate location
 such as the user's home directory or the `tmp` directory.
 
 ```{code-block} yaml
-mkdir $HOME/.ssl && mv serverkey.pem servercert.pem $HOME/.ssl
+mkdir $HOME/.ssl && mv server.key server.cert.pem $HOME/.ssl
 ```
 
-Finally, the {term}`GSA` configuration in the `docker-compose.yml` file must be
-modified to enable SSL/TLS. The changes include:
-
-1. Setting the `GSAD_ARGS` environment variable to initialize SSL/TLS. In the
-example below, three arguments are set. A complete list of {term}`GSAD`
-arguments are in the gsad manpage (execute `gsad --help` from within the GSA
-container), and in the [gsad documentation](https://github.com/greenbone/gsad/tree/main/doc)
-in its GitHub repository. The arguments used in this example are:
-    - `--no-redirect`: Don't redirect HTTP to HTTPS and only allow HTTPS connections to the web interface
-    - `--http-sts`: Enables HSTS (HTTP Strict Transport Security) for the GSAD web-server
-    - `--gnutls-priorities`: Disables insecure versions of TLS (1.0 and 1.1)
-2. Copying the private key and certificate files from the host system into the
-GSA container upon initialization.
-3. Changing the web interface port to the standard SSL/TLS port 443 and
-optionally enabling remote access
+Finally, the nginx configuration in the `docker-compose.yml` file must be
+modified to use the new certificate files.
 
-Sample `gsa` container settings to enable SSL/TLS:
+Sample `nginx` service settings to use own TLS certificate files:
 
 ```diff
-gsa:
-  image: registry.community.greenbone.net/community/gsa:stable
-  restart: on-failure
-+ environment:
-+   - GSAD_ARGS=--no-redirect --http-sts --gnutls-priorities=SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
-  ports:
--   - 127.0.0.1:9293:80
-    # Make GSA accessible locally on port 443
-+   - 127.0.0.1:443:443
-    # Make GSA accessible remotely on port 443
-+   - 443:443
-  volumes:
-    # Move the private key into the container. Replace <username> with your own.
-+   - /home/<username>/.ssl/serverkey.pem:/var/lib/gvm/private/CA/serverkey.pem
-    # Move the certificate into the container Replace <username> with your own.
-+   - /home/<username>/.ssl/servercert.pem:/var/lib/gvm/CA/servercert.pem
-    - gvmd_socket_vol:/run/gvmd
-  depends_on:
-    - gvmd
+  nginx:
+    image: nginx
+    environment:
+      NGINX_HOST: "localhost"
+      NGINX_HTTP_PORT: 9392
+      NGINX_HTTPS_PORT: 443
+      NGINX_SERVER_CERT: "/etc/nginx/certs/server.cert.pem"
+      NGINX_SERVER_KEY: "/etc/nginx/certs/server.key"
+    ports:
+      - 127.0.0.1:443:443
+      - 127.0.0.1:9392:9392
+    volumes:
+      - nginx_templates_vol:/etc/nginx/templates:ro
+      - nginx_certificates_vol:/etc/nginx/certs:ro
++     - /home/<username>/.ssl/:/etc/nginx/certs:ro
+      - gsa_data_vol:/usr/share/nginx/html:ro
+    depends_on:
+      gvm-config:
+        condition: service_completed_successfully
+      gsa:
+        condition: service_healthy
+      gsad:
+        condition: service_started
 ```
 
 After modifying the `docker-compose.yml` file, restart the containers to enable
diff --git a/src/_static/docker-compose-22.4.yml b/src/_static/docker-compose-22.4.yml
deleted file mode 100644
index a962eb51..00000000
--- a/src/_static/docker-compose-22.4.yml
+++ /dev/null
@@ -1,258 +0,0 @@
-name: greenbone-community-edition
-
-services:
-  vulnerability-tests:
-    image: registry.community.greenbone.net/community/vulnerability-tests
-    environment:
-      FEED_RELEASE: "24.10"
-      KEEP_ALIVE: 1
-    volumes:
-      - vt_data_vol:/mnt
-
-  notus-data:
-    image: registry.community.greenbone.net/community/notus-data
-    environment:
-      KEEP_ALIVE: 1
-    volumes:
-      - notus_data_vol:/mnt
-
-  scap-data:
-    image: registry.community.greenbone.net/community/scap-data
-    environment:
-      KEEP_ALIVE: 1
-    volumes:
-      - scap_data_vol:/mnt
-
-  cert-bund-data:
-    image: registry.community.greenbone.net/community/cert-bund-data
-    environment:
-      KEEP_ALIVE: 1
-    volumes:
-      - cert_data_vol:/mnt
-
-  dfn-cert-data:
-    image: registry.community.greenbone.net/community/dfn-cert-data
-    environment:
-      KEEP_ALIVE: 1
-    volumes:
-      - cert_data_vol:/mnt
-    depends_on:
-      cert-bund-data:
-        condition: service_healthy
-
-  data-objects:
-    image: registry.community.greenbone.net/community/data-objects
-    environment:
-      FEED_RELEASE: "24.10"
-      KEEP_ALIVE: 1
-    volumes:
-      - data_objects_vol:/mnt
-
-  report-formats:
-    image: registry.community.greenbone.net/community/report-formats
-    environment:
-      FEED_RELEASE: "24.10"
-      KEEP_ALIVE: 1
-    volumes:
-      - data_objects_vol:/mnt
-    depends_on:
-      data-objects:
-        condition: service_healthy
-
-  gpg-data:
-    image: registry.community.greenbone.net/community/gpg-data
-    volumes:
-      - gpg_data_vol:/mnt
-
-  redis-server:
-    image: registry.community.greenbone.net/community/redis-server
-    restart: on-failure
-    volumes:
-      - redis_socket_vol:/run/redis/
-
-  pg-gvm:
-    image: registry.community.greenbone.net/community/pg-gvm:stable
-    restart: on-failure:10
-    volumes:
-      - psql_data_vol:/var/lib/postgresql
-      - psql_socket_vol:/var/run/postgresql
-    depends_on:
-      pg-gvm-migrator:
-        condition: service_completed_successfully
-
-  pg-gvm-migrator:
-    image: registry.community.greenbone.net/community/pg-gvm-migrator:stable
-    restart: no
-    volumes:
-      - psql_data_vol:/var/lib/postgresql
-      - psql_socket_vol:/var/run/postgresql
-
-  gvmd:
-    image: registry.community.greenbone.net/community/gvmd:stable
-    restart: on-failure
-    volumes:
-      - gvmd_data_vol:/var/lib/gvm
-      - scap_data_vol:/var/lib/gvm/scap-data/
-      - cert_data_vol:/var/lib/gvm/cert-data
-      - data_objects_vol:/var/lib/gvm/data-objects/gvmd
-      - vt_data_vol:/var/lib/openvas/plugins
-      - psql_data_vol:/var/lib/postgresql
-      - gvmd_socket_vol:/run/gvmd
-      - ospd_openvas_socket_vol:/run/ospd
-      - psql_socket_vol:/var/run/postgresql
-    depends_on:
-      pg-gvm:
-        condition: service_started
-      scap-data:
-        condition: service_healthy
-      cert-bund-data:
-        condition: service_healthy
-      dfn-cert-data:
-        condition: service_healthy
-      data-objects:
-        condition: service_healthy
-      report-formats:
-        condition: service_healthy
-
-  gsa:
-    image: registry.community.greenbone.net/community/gsa:stable
-    restart: on-failure
-    ports:
-      - 127.0.0.1:9392:80
-    volumes:
-      - gvmd_socket_vol:/run/gvmd
-    depends_on:
-      gvmd:
-        condition: service_started
-  # Sets log level of openvas to the set LOG_LEVEL within the env
-  # and changes log output to /var/log/openvas instead /var/log/gvm
-  # to reduce likelyhood of unwanted log interferences
-  configure-openvas:
-    image: registry.community.greenbone.net/community/openvas-scanner:stable
-    volumes:
-      - openvas_data_vol:/mnt
-      - openvas_log_data_vol:/var/log/openvas
-    command:
-      - /bin/sh
-      - -c
-      - |
-        printf "table_driven_lsc = yes\nopenvasd_server = http://openvasd:80\n" > /mnt/openvas.conf
-        sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf
-        chmod 644 /mnt/openvas.conf
-        chmod 644 /mnt/openvas_log.conf
-        touch /var/log/openvas/openvas.log
-        chmod 666 /var/log/openvas/openvas.log
-
-  # shows logs of openvas
-  openvas:
-    image: registry.community.greenbone.net/community/openvas-scanner:stable
-    restart: on-failure
-    volumes:
-      - openvas_data_vol:/etc/openvas
-      - openvas_log_data_vol:/var/log/openvas
-    command:
-      - /bin/sh
-      - -c
-      - |
-        cat /etc/openvas/openvas.conf
-        tail -f /var/log/openvas/openvas.log
-    depends_on:
-      configure-openvas:
-        condition: service_completed_successfully
-
-  openvasd:
-    image: registry.community.greenbone.net/community/openvas-scanner:stable
-    restart: on-failure
-    environment:
-      # `service_notus` is set to disable everything but notus,
-      # if you want to utilize openvasd directly, remove `OPENVASD_MODE`
-      OPENVASD_MODE: service_notus
-      GNUPGHOME: /etc/openvas/gnupg
-      LISTENING: 0.0.0.0:80
-    volumes:
-      - openvas_data_vol:/etc/openvas
-      - openvas_log_data_vol:/var/log/openvas
-      - gpg_data_vol:/etc/openvas/gnupg
-      - notus_data_vol:/var/lib/notus
-    # enable port forwarding when you want to use the http api from your host machine
-    # ports:
-    #   - 127.0.0.1:3000:80
-    depends_on:
-      vulnerability-tests:
-        condition: service_healthy
-      notus-data:
-        condition: service_healthy
-      configure-openvas:
-        condition: service_completed_successfully
-      gpg-data:
-        condition: service_completed_successfully
-    networks:
-      default:
-        aliases:
-          - openvasd
-
-  ospd-openvas:
-    image: registry.community.greenbone.net/community/ospd-openvas:stable
-    restart: on-failure
-    hostname: ospd-openvas.local
-    cap_add:
-      - NET_ADMIN # for capturing packages in promiscuous mode
-      - NET_RAW # for raw sockets e.g. used for the boreas alive detection
-    security_opt:
-      - seccomp=unconfined
-      - apparmor=unconfined
-    command:
-      [
-        "ospd-openvas",
-        "-f",
-        "--config",
-        "/etc/gvm/ospd-openvas.conf",
-        "--notus-feed-dir",
-        "/var/lib/notus/advisories",
-        "-m",
-        "666",
-      ]
-    volumes:
-      - gpg_data_vol:/etc/openvas/gnupg
-      - vt_data_vol:/var/lib/openvas/plugins
-      - notus_data_vol:/var/lib/notus
-      - ospd_openvas_socket_vol:/run/ospd
-      - redis_socket_vol:/run/redis/
-      - openvas_data_vol:/etc/openvas/
-      - openvas_log_data_vol:/var/log/openvas
-    depends_on:
-      redis-server:
-        condition: service_started
-      gpg-data:
-        condition: service_completed_successfully
-      configure-openvas:
-        condition: service_completed_successfully
-      vulnerability-tests:
-        condition: service_healthy
-      notus-data:
-        condition: service_healthy
-
-  gvm-tools:
-    image: registry.community.greenbone.net/community/gvm-tools
-    volumes:
-      - gvmd_socket_vol:/run/gvmd
-      - ospd_openvas_socket_vol:/run/ospd
-    depends_on:
-      - gvmd
-      - ospd-openvas
-
-volumes:
-  gpg_data_vol:
-  scap_data_vol:
-  cert_data_vol:
-  data_objects_vol:
-  gvmd_data_vol:
-  psql_data_vol:
-  vt_data_vol:
-  notus_data_vol:
-  psql_socket_vol:
-  gvmd_socket_vol:
-  ospd_openvas_socket_vol:
-  redis_socket_vol:
-  openvas_data_vol:
-  openvas_log_data_vol:
diff --git a/src/_static/docker-compose.yml b/src/_static/docker-compose.yml
deleted file mode 120000
index b5365d3a..00000000
--- a/src/_static/docker-compose.yml
+++ /dev/null
@@ -1 +0,0 @@
-docker-compose-22.4.yml
\ No newline at end of file
diff --git a/src/_static/docker-compose.yml b/src/_static/docker-compose.yml
new file mode 100644
index 00000000..45785442
--- /dev/null
+++ b/src/_static/docker-compose.yml
@@ -0,0 +1,305 @@
+name: greenbone-community-edition
+
+services:
+  vulnerability-tests:
+    image: registry.community.greenbone.net/community/vulnerability-tests
+    environment:
+      FEED_RELEASE: "24.10"
+      KEEP_ALIVE: 1
+    volumes:
+      - vt_data_vol:/mnt
+
+  notus-data:
+    image: registry.community.greenbone.net/community/notus-data
+    environment:
+      KEEP_ALIVE: 1
+    volumes:
+      - notus_data_vol:/mnt
+
+  scap-data:
+    image: registry.community.greenbone.net/community/scap-data
+    environment:
+      KEEP_ALIVE: 1
+    volumes:
+      - scap_data_vol:/mnt
+
+  cert-bund-data:
+    image: registry.community.greenbone.net/community/cert-bund-data
+    environment:
+      KEEP_ALIVE: 1
+    volumes:
+      - cert_data_vol:/mnt
+
+  dfn-cert-data:
+    image: registry.community.greenbone.net/community/dfn-cert-data
+    environment:
+      KEEP_ALIVE: 1
+    volumes:
+      - cert_data_vol:/mnt
+    depends_on:
+      cert-bund-data:
+        condition: service_healthy
+
+  data-objects:
+    image: registry.community.greenbone.net/community/data-objects
+    environment:
+      FEED_RELEASE: "24.10"
+      KEEP_ALIVE: 1
+    volumes:
+      - data_objects_vol:/mnt
+
+  report-formats:
+    image: registry.community.greenbone.net/community/report-formats
+    environment:
+      FEED_RELEASE: "24.10"
+      KEEP_ALIVE: 1
+    volumes:
+      - data_objects_vol:/mnt
+    depends_on:
+      data-objects:
+        condition: service_healthy
+
+  gpg-data:
+    image: registry.community.greenbone.net/community/gpg-data
+    volumes:
+      - gpg_data_vol:/mnt
+
+  redis-server:
+    image: registry.community.greenbone.net/community/redis-server
+    restart: on-failure
+    volumes:
+      - redis_socket_vol:/run/redis/
+
+  pg-gvm:
+    image: registry.community.greenbone.net/community/pg-gvm:stable
+    restart: on-failure:10
+    volumes:
+      - psql_data_vol:/var/lib/postgresql
+      - psql_socket_vol:/var/run/postgresql
+    depends_on:
+      pg-gvm-migrator:
+        condition: service_completed_successfully
+
+  pg-gvm-migrator:
+    image: registry.community.greenbone.net/community/pg-gvm-migrator:stable
+    restart: no
+    volumes:
+      - psql_data_vol:/var/lib/postgresql
+      - psql_socket_vol:/var/run/postgresql
+
+  gvmd:
+    image: registry.community.greenbone.net/community/gvmd:stable
+    restart: on-failure
+    volumes:
+      - gvmd_data_vol:/var/lib/gvm
+      - scap_data_vol:/var/lib/gvm/scap-data/
+      - cert_data_vol:/var/lib/gvm/cert-data
+      - data_objects_vol:/var/lib/gvm/data-objects/gvmd
+      - vt_data_vol:/var/lib/openvas/plugins
+      - psql_data_vol:/var/lib/postgresql
+      - gvmd_socket_vol:/run/gvmd
+      - ospd_openvas_socket_vol:/run/ospd
+      - psql_socket_vol:/var/run/postgresql
+    depends_on:
+      pg-gvm:
+        condition: service_started
+      scap-data:
+        condition: service_healthy
+      cert-bund-data:
+        condition: service_healthy
+      dfn-cert-data:
+        condition: service_healthy
+      data-objects:
+        condition: service_healthy
+      report-formats:
+        condition: service_healthy
+
+  gsa:
+    image: registry.community.greenbone.net/community/gsa:stable-slim
+    environment:
+      MOUNT_PATH: "/mnt/web"
+      KEEP_ALIVE: 1
+    healthcheck:
+      test: ["CMD-SHELL", "test -e /run/gsa/copying.done"]
+      start_period: 5s
+    volumes:
+      - gsa_data_vol:/mnt/web
+
+  gsad:
+    image: registry.community.greenbone.net/community/gsad:stable
+    restart: on-failure
+    environment:
+      GSAD_ARGS: "--listen=0.0.0.0 --http-only --api-only -f"
+    volumes:
+      - gvmd_socket_vol:/run/gvmd
+    depends_on:
+      gvmd:
+        condition: service_started
+
+  gvm-config:
+    image: registry.community.greenbone.net/community/gvm-config:latest
+    environment:
+      ENABLE_NGINX_CONFIG: 1
+      ENABLE_TLS_GENERATION: 1
+    volumes:
+      - nginx_templates_vol:/mnt/nginx/templates
+      - nginx_certificates_vol:/mnt/nginx/certs
+
+  nginx:
+    image: nginx
+    environment:
+      NGINX_HOST: "localhost"
+      NGINX_HTTP_PORT: 9392
+      NGINX_HTTPS_PORT: 443
+      NGINX_SERVER_CERT: "/etc/nginx/certs/server.cert.pem"
+      NGINX_SERVER_KEY: "/etc/nginx/certs/server.key"
+    ports:
+      - 127.0.0.1:443:443
+      - 127.0.0.1:9392:9392
+    volumes:
+      - nginx_templates_vol:/etc/nginx/templates:ro
+      - nginx_certificates_vol:/etc/nginx/certs:ro
+      - gsa_data_vol:/usr/share/nginx/html:ro
+    depends_on:
+      gvm-config:
+        condition: service_completed_successfully
+      gsa:
+        condition: service_healthy
+      gsad:
+        condition: service_started
+
+  # Sets log level of openvas to the set LOG_LEVEL within the env
+  # and changes log output to /var/log/openvas instead /var/log/gvm
+  # to reduce likelyhood of unwanted log interferences
+  configure-openvas:
+    image: registry.community.greenbone.net/community/openvas-scanner:stable
+    volumes:
+      - openvas_data_vol:/mnt
+      - openvas_log_data_vol:/var/log/openvas
+    command:
+      - /bin/sh
+      - -c
+      - |
+        printf "table_driven_lsc = yes\nopenvasd_server = http://openvasd:80\n" > /mnt/openvas.conf
+        sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf
+        chmod 644 /mnt/openvas.conf
+        chmod 644 /mnt/openvas_log.conf
+        touch /var/log/openvas/openvas.log
+        chmod 666 /var/log/openvas/openvas.log
+
+  # shows logs of openvas
+  openvas:
+    image: registry.community.greenbone.net/community/openvas-scanner:stable
+    restart: on-failure
+    volumes:
+      - openvas_data_vol:/etc/openvas
+      - openvas_log_data_vol:/var/log/openvas
+    command:
+      - /bin/sh
+      - -c
+      - |
+        cat /etc/openvas/openvas.conf
+        tail -f /var/log/openvas/openvas.log
+    depends_on:
+      configure-openvas:
+        condition: service_completed_successfully
+
+  openvasd:
+    image: registry.community.greenbone.net/community/openvas-scanner:stable
+    restart: on-failure
+    environment:
+      # `service_notus` is set to disable everything but notus,
+      # if you want to utilize openvasd directly, remove `OPENVASD_MODE`
+      OPENVASD_MODE: service_notus
+      GNUPGHOME: /etc/openvas/gnupg
+      LISTENING: 0.0.0.0:80
+    volumes:
+      - openvas_data_vol:/etc/openvas
+      - openvas_log_data_vol:/var/log/openvas
+      - gpg_data_vol:/etc/openvas/gnupg
+      - notus_data_vol:/var/lib/notus
+    # enable port forwarding when you want to use the http api from your host machine
+    # ports:
+    #   - 127.0.0.1:3000:80
+    depends_on:
+      vulnerability-tests:
+        condition: service_healthy
+      notus-data:
+        condition: service_healthy
+      configure-openvas:
+        condition: service_completed_successfully
+      gpg-data:
+        condition: service_completed_successfully
+    networks:
+      default:
+        aliases:
+          - openvasd
+
+  ospd-openvas:
+    image: registry.community.greenbone.net/community/ospd-openvas:stable
+    restart: on-failure
+    hostname: ospd-openvas.local
+    cap_add:
+      - NET_ADMIN # for capturing packages in promiscuous mode
+      - NET_RAW # for raw sockets e.g. used for the boreas alive detection
+    security_opt:
+      - seccomp=unconfined
+      - apparmor=unconfined
+    command:
+      [
+        "ospd-openvas",
+        "-f",
+        "--config",
+        "/etc/gvm/ospd-openvas.conf",
+        "--notus-feed-dir",
+        "/var/lib/notus/advisories",
+        "-m",
+        "666",
+      ]
+    volumes:
+      - gpg_data_vol:/etc/openvas/gnupg
+      - vt_data_vol:/var/lib/openvas/plugins
+      - notus_data_vol:/var/lib/notus
+      - ospd_openvas_socket_vol:/run/ospd
+      - redis_socket_vol:/run/redis/
+      - openvas_data_vol:/etc/openvas/
+      - openvas_log_data_vol:/var/log/openvas
+    depends_on:
+      redis-server:
+        condition: service_started
+      gpg-data:
+        condition: service_completed_successfully
+      configure-openvas:
+        condition: service_completed_successfully
+      vulnerability-tests:
+        condition: service_healthy
+      notus-data:
+        condition: service_healthy
+
+  gvm-tools:
+    image: registry.community.greenbone.net/community/gvm-tools
+    volumes:
+      - gvmd_socket_vol:/run/gvmd
+      - ospd_openvas_socket_vol:/run/ospd
+    depends_on:
+      - gvmd
+      - ospd-openvas
+
+volumes:
+  gpg_data_vol:
+  scap_data_vol:
+  cert_data_vol:
+  data_objects_vol:
+  gvmd_data_vol:
+  psql_data_vol:
+  vt_data_vol:
+  notus_data_vol:
+  psql_socket_vol:
+  gvmd_socket_vol:
+  ospd_openvas_socket_vol:
+  redis_socket_vol:
+  openvas_data_vol:
+  openvas_log_data_vol:
+  gsa_data_vol:
+  nginx_templates_vol:
+  nginx_certificates_vol:
diff --git a/src/changelog.md b/src/changelog.md
index 9c367369..2f30d54f 100644
--- a/src/changelog.md
+++ b/src/changelog.md
@@ -5,6 +5,15 @@ All notable changes to this documentation will be listed in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Calendar Versioning](https://calver.org).
 
+## Latest
+
+* Only provide a docker-compose.yml file and remove the versioned file. The
+  compose file is a rolling release.
+* Change compose setup to use nginx for serving GSA and run gsad in api only
+  mode. This change introduces a gvm-config container that sets up nginx with a
+  self signed TLS certificate listening on port 443. Port 9392 just redirects to
+  443 now.
+
 ## 26.2.0 - 2026-02-24
 
 * Improve hints about following rustup.sh instructions on Debian and CentOS to