forked from exozyme/nginx
Harden SSL configs
This commit is contained in:
parent
995a082c88
commit
42dab4d9b3
14 changed files with 93 additions and 37 deletions
|
@ -5,6 +5,12 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
# Required to proxy the connection to Cockpit
|
||||
|
|
|
@ -5,6 +5,12 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:22080;
|
||||
|
|
12
exozyme.conf
12
exozyme.conf
|
@ -1,8 +1,10 @@
|
|||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
server_name _;
|
||||
return 301 https://$host$request_uri;
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
|
@ -12,6 +14,12 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
root /srv/http/exozyme;
|
||||
index index.html;
|
||||
|
|
|
@ -5,6 +5,12 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:5000;
|
||||
|
|
|
@ -5,6 +5,12 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/run/gitea/gitea.socket;
|
||||
|
|
|
@ -5,6 +5,12 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:11080/guacamole/;
|
||||
|
@ -24,6 +30,12 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
auth_basic "This is a test";
|
||||
auth_basic_user_file /etc/nginx/.htpasswd;
|
||||
|
|
|
@ -6,6 +6,12 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location ~ ^/user/(.*)/desk/(.*)$ {
|
||||
return 301 /hub/desk/$2;
|
||||
|
|
|
@ -5,6 +5,12 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
client_max_body_size 20M;
|
||||
include snippets/loolwsd.conf;
|
||||
|
|
|
@ -18,14 +18,14 @@ server {
|
|||
listen [::]:443 ssl http2;
|
||||
server_name social.exozy.me;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
|
||||
# Uncomment these lines once you acquire a certificate:
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
keepalive_timeout 70;
|
||||
sendfile on;
|
||||
|
@ -42,8 +42,6 @@ server {
|
|||
gzip_http_version 1.1;
|
||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
|
||||
location / {
|
||||
try_files $uri @proxy;
|
||||
}
|
||||
|
|
|
@ -11,6 +11,12 @@ server {
|
|||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
# HSTS settings
|
||||
# WARNING: Only add the preload option once you read about
|
||||
|
@ -18,7 +24,7 @@ server {
|
|||
# will add the domain to a hardcoded list that is shipped
|
||||
# in all major browsers and getting removed from this list
|
||||
# could take several months.
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
|
||||
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
|
||||
|
||||
# set max upload size
|
||||
client_max_body_size 16G;
|
||||
|
|
|
@ -21,22 +21,12 @@ server {
|
|||
##
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
|
||||
##
|
||||
# Security hardening (as of Nov 15, 2020)
|
||||
# based on Mozilla Guideline v5.6
|
||||
##
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
|
||||
ssl_session_timeout 1d; # defaults to 5m
|
||||
ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
|
||||
ssl_session_tickets off;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
|
||||
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
|
||||
|
||||
##
|
||||
# Application
|
||||
|
|
18
server.conf
18
server.conf
|
@ -5,20 +5,14 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:6001;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
|
||||
# websocket headers
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
|
||||
proxy_buffering off;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,6 +6,12 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:8008;
|
||||
|
|
|
@ -5,6 +5,12 @@ server {
|
|||
|
||||
ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
root /srv/http/ta180m/public;
|
||||
index index.html;
|
||||
|
|
Loading…
Reference in a new issue