From 42dab4d9b393180f2b4591018a883034c2a65a11 Mon Sep 17 00:00:00 2001
From: Anthony Wang
Date: Wed, 24 Nov 2021 22:08:25 -0600
Subject: [PATCH] Harden SSL configs
---
 cockpit.conf | 6 ++++++
 drone.conf | 6 ++++++
 exozyme.conf | 12 ++++++++++--
 game.conf | 6 ++++++
 gitea.conf | 6 ++++++
 guacamole.conf | 12 ++++++++++++
 jupyterhub.conf | 6 ++++++
 loolwsd.conf | 6 ++++++
 mastodon.conf | 14 ++++++--------
 nextcloud.conf | 8 +++++++-
 peertube.conf | 18 ++++--------------
 server.conf | 18 ++++++------------
 synapse.conf | 6 ++++++
 ta180m.conf | 6 ++++++
 14 files changed, 93 insertions(+), 37 deletions(-)
diff --git a/cockpit.conf b/cockpit.conf
index c6d7a78..0620c63 100644
--- a/cockpit.conf
+++ b/cockpit.conf
@@ -5,6 +5,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 location / {
 # Required to proxy the connection to Cockpit
diff --git a/drone.conf b/drone.conf
index 3590d46..2dd7a6f 100644
--- a/drone.conf
+++ b/drone.conf
@@ -5,6 +5,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 location / {
 proxy_pass http://localhost:22080;
diff --git a/exozyme.conf b/exozyme.conf
index a249438..6a5d291 100644
--- a/exozyme.conf
+++ b/exozyme.conf
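Review bot: The added `ssl_stapling on; ssl_stapling_verify on;` pair needs a `resolver` directive so nginx can look up the OCSP responder, and no hunk in this patch adds one; unless a `resolver` is already set at the `http` level in a file outside this patch, stapling is silently skipped and only shows up as a "no resolver defined" warning in the error log. The same six lines are pasted verbatim into all 14 files (drone, exozyme, game, gitea, guacamole, jupyterhub, loolwsd, mastodon, nextcloud, peertube, server, synapse, ta180m); the loolwsd hunk already uses `include snippets/loolwsd.conf;`, so moving them into one shared snippet such as `include snippets/ssl-hardening.conf;` (constructed name) would make the next cipher, header or stapling change a single edit. The `always` flag on the HSTS header is the right choice, since it keeps the header on error responses too. The enclosing server block continues outside the hunk.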
@@ -1,8 +1,10 @@
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
- server_name _;
- return 301 https://$host$request_uri;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
 }
 server {
@@ -12,6 +14,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 root /srv/http/exozyme;
 index index.html;
diff --git a/game.conf b/game.conf
index cda0fe0..2bbbeb9 100644
--- a/game.conf
+++ b/game.conf
@@ -5,6 +5,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 location / {
 proxy_pass http://localhost:5000;
diff --git a/gitea.conf b/gitea.conf
index b7a84c1..5da3f62 100644
--- a/gitea.conf
+++ b/gitea.conf
@@ -5,6 +5,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 location / {
 proxy_pass http://unix:/run/gitea/gitea.socket;
diff --git a/guacamole.conf b/guacamole.conf
index 949023b..234a91a 100644
--- a/guacamole.conf
+++ b/guacamole.conf
@@ -5,6 +5,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 location / {
 proxy_pass http://localhost:11080/guacamole/;
@@ -24,6 +30,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 auth_basic "This is a test";
 auth_basic_user_file /etc/nginx/.htpasswd;
diff --git a/jupyterhub.conf b/jupyterhub.conf
index c70382d..eecf4ae 100644
--- a/jupyterhub.conf
+++ b/jupyterhub.conf
@@ -6,6 +6,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 location ~ ^/user/(.*)/desk/(.*)$ {
 return 301 /hub/desk/$2;
diff --git a/loolwsd.conf b/loolwsd.conf
index 5c9452a..2901f77 100644
--- a/loolwsd.conf
+++ b/loolwsd.conf
@@ -5,6 +5,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 client_max_body_size 20M;
 include snippets/loolwsd.conf;
diff --git a/mastodon.conf b/mastodon.conf
index 9df481a..65d481b 100644
--- a/mastodon.conf
+++ b/mastodon.conf
@@ -18,14 +18,14 @@ server {
 listen [::]:443 ssl http2;
 server_name social.exozy.me;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
-
- # Uncomment these lines once you acquire a certificate:
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 keepalive_timeout 70;
 sendfile on;
@@ -42,8 +42,6 @@ server {
 gzip_http_version 1.1;
 gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
- add_header Strict-Transport-Security "max-age=31536000";
-
 location / {
 try_files $uri @proxy;
 }
diff --git a/nextcloud.conf b/nextcloud.conf
index d825182..daa7ef9 100644
--- a/nextcloud.conf
+++ b/nextcloud.conf
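Review bot: The server-level `add_header Strict-Transport-Security "max-age=31536000" always;` added here is not inherited by any `location` block that sets an `add_header` of its own, because nginx replaces rather than merges the outer header set; the comment this patch removes in peertube.conf says exactly that. If mastodon.conf has `location` blocks with their own `add_header` lines (Cache-Control on asset paths would be the usual case; the rest of the file is outside the hunk), responses from those paths will carry no HSTS header, so either repeat the directive in such blocks or check a static-asset response after deploying. The same applies to every other file in this patch that gains the header (cockpit, drone, exozyme, game, gitea, guacamole, jupyterhub, loolwsd, nextcloud, peertube, server, synapse, ta180m). The removed `ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers` and `ssl_session_cache` lines are now expected to come from `/etc/letsencrypt/options-ssl-nginx.conf`, which is a certbot-managed file that can be rewritten on certbot upgrades; a one-line comment such as `# TLS protocol/cipher/session policy comes from the certbot include above` would tell the next reader where to look. The enclosing server block continues outside the hunk.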
@@ -11,6 +11,12 @@ server {
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 # HSTS settings
 # WARNING: Only add the preload option once you read about
@@ -18,7 +24,7 @@ server {
 # will add the domain to a hardcoded list that is shipped
 # in all major browsers and getting removed from this list
 # could take several months.
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
 # set max upload size
 client_max_body_size 16G;
diff --git a/peertube.conf b/peertube.conf
index 3fa69fd..8232caa 100644
--- a/peertube.conf
+++ b/peertube.conf
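Review bot: Commenting out the existing `includeSubDomains` HSTS line and relying on the generic `max-age=31536000` header added higher up in this file weakens the policy for this host rather than hardening it, and it leaves the `# HSTS settings` / `# WARNING: Only add the preload option` comment block describing a directive that is now disabled. If the goal is to avoid emitting two Strict-Transport-Security headers, the cleaner fix is to keep the stronger one and drop the generic one from this file: `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;`, or else delete the dead commented line together with the now-stale comment above it. Either way a short comment stating which header is authoritative for this host would prevent the next edit from re-adding the duplicate. The enclosing server block continues outside the hunk.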
@@ -21,22 +21,12 @@ server {
 ##
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-
- ##
- # Security hardening (as of Nov 15, 2020)
- # based on Mozilla Guideline v5.6
- ##
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
- ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
- ssl_session_timeout 1d; # defaults to 5m
- ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
- ssl_session_tickets off;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
 ssl_stapling on;
 ssl_stapling_verify on;
- # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
- #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 ##
 # Application
diff --git a/server.conf b/server.conf
index b60bc02..20c4546 100644
--- a/server.conf
+++ b/server.conf
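Review bot: The removed block explicitly pinned `ssl_session_tickets off;`, `ssl_session_timeout 1d;` and an ECDHE-only cipher list with a dated provenance comment (Mozilla Guideline v5.6), whereas the new code depends on whatever `/etc/letsencrypt/options-ssl-nginx.conf` contains at deploy time; recent certbot releases do ship session tickets off and a TLS 1.2/1.3 cipher policy in that file, but it is certbot-managed and can be replaced on upgrade, so the deployed copy should be checked once and the expectation recorded, e.g. `# options-ssl-nginx.conf (certbot) supplies ssl_protocols, ssl_ciphers and ssl_session_* — re-check after certbot upgrades`. Since `ssl_stapling on;` and `ssl_stapling_verify on;` are context lines, peertube already had stapling enabled, and the added `ssl_trusted_certificate` is the correct companion for `ssl_stapling_verify`. The enclosing server block continues outside the hunk.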
@@ -5,20 +5,14 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 location / {
 proxy_pass http://localhost:6001;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
-
- # websocket headers
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header X-Scheme $scheme;
-
- proxy_buffering off;
 }
 }
diff --git a/synapse.conf b/synapse.conf
index bbf87f6..eadfc6e 100644
--- a/synapse.conf
+++ b/synapse.conf
@@ -6,6 +6,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 location / {
 proxy_pass http://localhost:8008;
diff --git a/ta180m.conf b/ta180m.conf
index 4b5fcb8..ddf094d 100644
--- a/ta180m.conf
+++ b/ta180m.conf
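Review bot: Besides the SSL lines, this hunk deletes every `proxy_set_header` in `location /` (Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto, Upgrade, Connection, X-Scheme) together with `proxy_http_version 1.1;` and `proxy_buffering off;`, which has nothing to do with the commit subject "Harden SSL configs" and changes what the upstream on localhost:6001 receives. Without `X-Real-IP`/`X-Forwarded-For` the upstream will see 127.0.0.1 as every client, defeating any per-client logging or rate limiting it does, and without `Upgrade`/`Connection` plus HTTP/1.1 any WebSocket traffic through this proxy will fail; `X-Forwarded-Proto https` also told the upstream it sits behind TLS, which some applications use to decide on secure cookies and redirects. If the removal is deliberate it belongs in its own commit with a note on why; otherwise the proxy header block should be restored, since `Host`, `X-Forwarded-For` and `X-Forwarded-Proto` are part of the security boundary here. The closing braces of the location and server blocks are inside the hunk.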
@@ -5,6 +5,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 root /srv/http/ta180m/public;
 index index.html;