From 1b30fed65f467f59639c76dd0eb4450e847a5374 Mon Sep 17 00:00:00 2001
From: Anthony Wang
Date: Thu, 11 Jan 2024 17:43:59 +0000
Subject: [PATCH] Improve SSL config
---
 cockpit.conf | 5 ++++-
 exozyme.conf | 6 ++++--
 forgejo.conf | 9 ++++++++-
 guacamole.conf | 5 ++++-
 iacore.conf | 2 ++
 jupyterhub.conf | 6 ++++--
 mastodon.conf | 5 ++++-
 mdwalters.conf | 9 ++++++++-
 nextcloud.conf | 7 +++++--
 nvpie.conf | 2 ++
 pages.conf | 10 ++++++++--
 peertube.conf | 5 ++++-
 pranav.conf | 2 ++
 redirect.conf | 5 ++++-
 safetwitch.conf | 5 ++++-
 ssl | 8 --------
 synapse.conf | 6 ++++--
 woodpecker.conf | 5 ++++-
 xtex.conf | 4 ++++
 19 files changed, 79 insertions(+), 27 deletions(-)
 delete mode 100644 ssl
diff --git a/cockpit.conf b/cockpit.conf
index dae2122..e519591 100644
--- a/cockpit.conf
+++ b/cockpit.conf
@@ -3,7 +3,10 @@ server {
 listen [::]:443 ssl;
 server_name portal.exozy.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 # Required to proxy the connection to Cockpit
diff --git a/exozyme.conf b/exozyme.conf
index f3f633e..b350496 100644
--- a/exozyme.conf
+++ b/exozyme.conf
@@ -10,10 +10,12 @@ server {
 server {
 listen 443 ssl default_server;
 listen [::]:443 ssl default_server;
-
 server_name exozy.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 root /srv/http/exozyme;
 index index.html;
diff --git a/forgejo.conf b/forgejo.conf
index d1ca301..b1d1dcb 100644
--- a/forgejo.conf
+++ b/forgejo.conf
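Review bot: The four directives that replace `include conf.d/ssl;` in this cockpit hunk carry over only half of the deleted `ssl` snippet, so this vhost silently loses `add_header Strict-Transport-Security "max-age=31536000" always;`, `ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;`, `ssl_stapling on;` and `ssl_stapling_verify on;`; the exozyme, forgejo, guacamole, jupyterhub, mastodon, pages, peertube, redirect, safetwitch, synapse and woodpecker hunks make the same swap, and only nextcloud.conf re-adds an HSTS header. The certbot-shipped options-ssl-nginx.conf sets protocols, ciphers and session settings but not HSTS or OCSP stapling, so nothing else in the patch restores them. If the inlining is meant to let certbot's nginx installer find `ssl_certificate` directly in each server block, the remaining shared lines could still live in one small include added next to the four directives, e.g. `include conf.d/ssl-hardening;` holding the HSTS and stapling lines from the deleted file, so the regression is fixed in one place rather than thirteen. The enclosing server blocks start outside these hunks.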
@@ -3,7 +3,14 @@ server {
 listen [::]:443 ssl;
 server_name git.exozy.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ if ($http_user_agent = "Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com)") {
+ return 444;
+ }
 location / {
 proxy_pass http://unix:/run/forgejo/forgejo.sock;
diff --git a/guacamole.conf b/guacamole.conf
index c334773..6705466 100644
--- a/guacamole.conf
+++ b/guacamole.conf
@@ -3,7 +3,10 @@ server {
 listen [::]:443 ssl;
 server_name desk.exozy.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 proxy_pass http://localhost:4080/guacamole/;
diff --git a/iacore.conf b/iacore.conf
index ebfd1ca..b42b20b 100644
--- a/iacore.conf
+++ b/iacore.conf
@@ -5,6 +5,8 @@ server {
 ssl_certificate /etc/letsencrypt/live/www2.1a-insec.net/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/www2.1a-insec.net/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 proxy_pass http://unix:/srv/http/pages/xrablnhmov;
diff --git a/jupyterhub.conf b/jupyterhub.conf
index 10035c0..e1c5169 100644
--- a/jupyterhub.conf
+++ b/jupyterhub.conf
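Review bot: The Bytespider block added to forgejo.conf compares `$http_user_agent` with an exact string, so any change in the crawler's version string, or a second Bytespider UA variant, passes straight through, and the long literal is hard to audit at a glance. A case-insensitive substring match, `if ($http_user_agent ~* "Bytespider") { return 444; }`, covers the same crawler in one readable line; if more crawlers are to be blocked later, a `map $http_user_agent $block_ua { ... }` in the http context keeps the list in one place and out of each vhost. `if` at server level is permitted by nginx, and `return 444` (drop the connection without a response) is a reasonable choice here, so the only change proposed is the match. The enclosing server block starts and ends outside the hunk.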
@@ -1,10 +1,12 @@
 server {
 listen 443 ssl;
 listen [::]:443 ssl;
-
 server_name hub.exozy.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location ~ ^/user/(.*)/desk/(.*)$ {
 return 301 /hub/desk/$2;
diff --git a/mastodon.conf b/mastodon.conf
index 772b22d..89045e0 100644
--- a/mastodon.conf
+++ b/mastodon.conf
@@ -26,7 +26,10 @@ server {
 listen [::]:443 ssl;
 server_name social.exozy.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 keepalive_timeout 70;
 sendfile on;
diff --git a/mdwalters.conf b/mdwalters.conf
index 4db884d..0e1acbf 100644
--- a/mdwalters.conf
+++ b/mdwalters.conf
@@ -5,6 +5,8 @@ server {
 ssl_certificate /etc/letsencrypt/live/mdwalters.exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/mdwalters.exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 proxy_pass http://localhost:5173;
@@ -22,6 +24,8 @@ server {
 ssl_certificate /etc/letsencrypt/live/mdwalters.exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/mdwalters.exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 proxy_pass http://localhost:1342;
@@ -39,6 +43,8 @@ server {
 ssl_certificate /etc/letsencrypt/live/mdwalters.exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/mdwalters.exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 proxy_pass http://localhost:1341;
@@ -61,6 +67,8 @@ server {
 ssl_certificate /etc/letsencrypt/live/mdwalters.exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/mdwalters.exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 proxy_pass http://localhost:1351;
@@ -68,6 +76,5 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
-
 }
 }
diff --git a/nextcloud.conf b/nextcloud.conf
index 854eba0..374fe28 100644
--- a/nextcloud.conf
+++ b/nextcloud.conf
@@ -22,7 +22,10 @@ server {
 # Use Mozilla's guidelines for SSL/TLS settings
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 # HSTS settings
 # WARNING: Only add the preload option once you read about
@@ -30,7 +33,7 @@ server {
 # will add the domain to a hardcoded list that is shipped
 # in all major browsers and getting removed from this list
 # could take several months.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
 # set max upload size and increase upload timeout:
 client_max_body_size 16G;
diff --git a/nvpie.conf b/nvpie.conf
index a9b4005..c67d4d4 100644
--- a/nvpie.conf
+++ b/nvpie.conf
@@ -5,6 +5,8 @@ server {
 ssl_certificate /etc/letsencrypt/live/neovoid.is-cool.dev/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/neovoid.is-cool.dev/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 proxy_pass http://unix:/srv/http/pages/nvpie;
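Review bot: The HSTS line uncommented in the second nextcloud.conf hunk is a policy change relative to the shared snippet it replaces, not just a move: the old `ssl` file sent `max-age=31536000` with no `includeSubDomains`, the new line sends `max-age=15768000; includeSubDomains`, and the commit title "Improve SSL config" does not record that choice. A one-line comment above it would help the next reader, e.g. `# Shorter max-age than the old shared snippet, but now covers subdomains of this host; preload left off on purpose`. Also worth remembering that nginx does not inherit a server-level `add_header` into any location block that sets its own `add_header`, so if the location blocks further down in nextcloud.conf add headers (outside this hunk, so not verifiable here), the HSTS header will be missing on those responses unless it is repeated there or emitted from a shared include.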
diff --git a/pages.conf b/pages.conf
index 37276d8..bec2640 100644
--- a/pages.conf
+++ b/pages.conf
@@ -3,7 +3,10 @@ server {
 listen [::]:443 ssl;
 server_name ~^(\d)\.exozy\.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 index index.html;
@@ -27,7 +30,10 @@ server {
 listen [::]:443 ssl;
 server_name ~^(?.+)\.exozy\.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 root /srv/http/pages/$page;
 index index.html;
diff --git a/peertube.conf b/peertube.conf
index 06721b3..c97be45 100644
--- a/peertube.conf
+++ b/peertube.conf
@@ -15,7 +15,10 @@ server {
 # Certificates
 # you need a certificate to run in production. see https://letsencrypt.org/
 ##
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 ##
 # Application
diff --git a/pranav.conf b/pranav.conf
index 3150f4d..5ed44f9 100644
--- a/pranav.conf
+++ b/pranav.conf
@@ -5,6 +5,8 @@ server {
 ssl_certificate /home/pranav/.local/share/cert/karawale.in/fullchain.pem;
 ssl_certificate_key /home/pranav/.local/share/cert/karawale.in/key.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 proxy_pass http://unix:/srv/http/pages/pranav;
diff --git a/redirect.conf b/redirect.conf
index 989b308..0dbe295 100644
--- a/redirect.conf
+++ b/redirect.conf
@@ -3,7 +3,10 @@ server {
 listen [::]:443 ssl;
 server_name ta180m.exozy.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 return 301 https://a.exozy.me$request_uri;
diff --git a/safetwitch.conf b/safetwitch.conf
index 14ca9bc..fb9da44 100644
--- a/safetwitch.conf
+++ b/safetwitch.conf
@@ -3,7 +3,10 @@ server {
 listen [::]:443 ssl;
 server_name safetwitch.exozy.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 root /srv/http/pages/safetwitch;
 index index.html;
diff --git a/ssl b/ssl
deleted file mode 100644
index eed7fdb..0000000
--- a/ssl
+++ /dev/null
@@ -1,8 +0,0 @@
-ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-include /etc/letsencrypt/options-ssl-nginx.conf;
-ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-add_header Strict-Transport-Security "max-age=31536000" always;
-ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
-ssl_stapling on;
-ssl_stapling_verify on;
diff --git a/synapse.conf b/synapse.conf
index 39df602..4a5e188 100644
--- a/synapse.conf
+++ b/synapse.conf
@@ -1,10 +1,12 @@
 server {
 listen 443 ssl;
 listen [::]:443 ssl;
-
 server_name chat.exozy.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 proxy_pass http://localhost:8008;
diff --git a/woodpecker.conf b/woodpecker.conf
index c7e459d..d0eaafc 100644
--- a/woodpecker.conf
+++ b/woodpecker.conf
@@ -3,7 +3,10 @@ server {
 listen [::]:443 ssl;
 server_name ci.exozy.me;
- include conf.d/ssl;
+ ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 location / {
 proxy_set_header X-Forwarded-For $remote_addr;
diff --git a/xtex.conf b/xtex.conf
index 163fe36..2b83434 100644
--- a/xtex.conf
+++ b/xtex.conf
@@ -5,6 +5,8 @@ server {
 ssl_certificate /etc/letsencrypt/live/xtexx.eu.org/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/xtexx.eu.org/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 add_header Server exozyme;
@@ -29,6 +31,8 @@ server {
 ssl_certificate /etc/letsencrypt/live/xtexx.eu.org/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/xtexx.eu.org/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 add_header Server exozyme;