From 26325e1218ef30f552c2fb85d77e6b07d77c59ca Mon Sep 17 00:00:00 2001
From: Anthony Wang
Date: Tue, 4 Jan 2022 09:11:56 -0600
Subject: [PATCH] Move SSL configurtion to a separate file

---
 cockpit.conf | 9 +--------
 collabora-online.conf | 9 +--------
 drone.conf | 9 +--------
 exozyme.conf | 9 +--------
 game.conf | 9 +--------
 gitea.conf | 9 +--------
 guacamole.conf | 18 ++----------------
 jellyfin.conf | 9 +--------
 jupyterhub.conf | 9 +--------
 mastodon.conf | 9 +--------
 nextcloud.conf | 9 +--------
 peertube.conf | 9 +--------
 server.conf | 9 +--------
 ssl | 8 ++++++++
 synapse.conf | 9 +--------
 ta180m.conf | 9 +--------
 16 files changed, 24 insertions(+), 128 deletions(-)
 create mode 100644 ssl

diff --git a/cockpit.conf b/cockpit.conf
index 0620c63..dfe13c8 100644
--- a/cockpit.conf
+++ b/cockpit.conf
@@ -3,14 +3,7 @@ server {
 listen [::]:443 ssl http2;
 server_name portal.exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 location / {
 # Required to proxy the connection to Cockpit
diff --git a/collabora-online.conf b/collabora-online.conf
index 364275a..8cd5638 100644
--- a/collabora-online.conf
+++ b/collabora-online.conf
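Review bot: The new `include conf.d/ssl;` is a prefix-relative path — nginx resolves a relative `include` against its configured prefix directory (typically `/etc/nginx` on distro builds), so the line only works when this repository is deployed at `<nginx-prefix>/conf.d/`, an assumption nothing in the patch records. Since the added `ssl` file is the natural place to say so, I would open it with a comment along the lines of `# Shared TLS settings for the exozy.me vhosts; included as conf.d/ssl, i.e. relative to the nginx prefix directory`, and mention in the same comment that the file is deliberately named `ssl` rather than `ssl.conf` so that a top-level `include conf.d/*.conf;` glob does not pull it in at http level (that looks intentional, but it is not stated anywhere). The identical include line is added in the collabora-online, drone, exozyme, game, gitea, guacamole, jellyfin, jupyterhub, mastodon, nextcloud, peertube, server, synapse and ta180m hunks, so one comment in the snippet covers all of them. The server block continues outside this hunk.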
@@ -3,14 +3,7 @@ server {
 listen [::]:443 ssl http2;
 server_name office.exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 client_max_body_size 20M;
 include snippets/coolwsd.conf;
diff --git a/drone.conf b/drone.conf
index babebbd..503d912 100644
--- a/drone.conf
+++ b/drone.conf
@@ -3,14 +3,7 @@ server {
 listen [::]:443 ssl http2;
 server_name ci.exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 location / {
 proxy_pass http://localhost:2080;
diff --git a/exozyme.conf b/exozyme.conf
index 70ea739..c3e0c55 100644
--- a/exozyme.conf
+++ b/exozyme.conf
@@ -12,14 +12,7 @@ server {
 listen [::]:443 ssl http2 default_server;
 server_name exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 root /srv/http/exozyme;
 index index.html;
diff --git a/game.conf b/game.conf
index 2bbbeb9..9af15bc 100644
--- a/game.conf
+++ b/game.conf
@@ -3,14 +3,7 @@ server {
 listen [::]:443 ssl http2;
 server_name game.exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 location / {
 proxy_pass http://localhost:5000;
diff --git a/gitea.conf b/gitea.conf
index 5da3f62..ef64435 100644
--- a/gitea.conf
+++ b/gitea.conf
@@ -3,14 +3,7 @@ server {
 listen [::]:443 ssl http2;
 server_name git.exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 location / {
 proxy_pass http://unix:/run/gitea/gitea.socket;
diff --git a/guacamole.conf b/guacamole.conf
index b5b7bfc..fa301f4 100644
--- a/guacamole.conf
+++ b/guacamole.conf
@@ -3,14 +3,7 @@ server {
 listen [::]:443 ssl http2;
 server_name desk.exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 location / {
 proxy_pass http://localhost:4080/guacamole/;
@@ -28,14 +21,7 @@ server {
 listen [::]:443 ssl http2;
 server_name 97.88.196.36;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 auth_basic "This is a test";
 auth_basic_user_file /etc/nginx/.htpasswd;
diff --git a/jellyfin.conf b/jellyfin.conf
index f9334c9..a1b339a 100644
--- a/jellyfin.conf
+++ b/jellyfin.conf
@@ -8,14 +8,7 @@ server {
 # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin localhost`)
 set $jellyfin 127.0.0.1;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 # Security / XSS Mitigation Headers
 add_header X-Frame-Options "SAMEORIGIN";
diff --git a/jupyterhub.conf b/jupyterhub.conf
index a6e89ba..e6e2c64 100644
--- a/jupyterhub.conf
+++ b/jupyterhub.conf
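Review bot: The second guacamole server block now takes its certificate from the shared snippet while its `server_name` is the bare IP literal `97.88.196.36`; a Let's Encrypt lineage named `exozy.me` presumably carries only DNS names, so a client reaching this block by address gets a name mismatch, and RFC 6797 only lets user agents note HSTS for domain-name hosts, so the `Strict-Transport-Security` header the snippet carries is inert here. That was equally true of the inline block being removed, but a shared include makes it easier to forget, so a comment above it such as `# cert covers exozy.me names only; clients connecting by IP will see a mismatch and HSTS does not apply` would record it. The `auth_basic "This is a test";` realm on the following context line also reads like a leftover placeholder — the realm string is shown to users in the credential prompt, so a descriptive name is preferable. The server block continues outside this hunk.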
@@ -4,14 +4,7 @@ server {
 server_name hub.exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 location ~ ^/user/(.*)/desk/(.*)$ {
 return 301 /hub/desk/$2;
diff --git a/mastodon.conf b/mastodon.conf
index 65d481b..f478d0f 100644
--- a/mastodon.conf
+++ b/mastodon.conf
@@ -18,14 +18,7 @@ server {
 listen [::]:443 ssl http2;
 server_name social.exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 keepalive_timeout 70;
 sendfile on;
diff --git a/nextcloud.conf b/nextcloud.conf
index daa7ef9..7cfb99d 100644
--- a/nextcloud.conf
+++ b/nextcloud.conf
@@ -9,14 +9,7 @@ server {
 # Use Mozilla's guidelines for SSL/TLS settings
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 # HSTS settings
 # WARNING: Only add the preload option once you read about
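Review bot: In the nextcloud.conf hunk the shared snippet is now included directly above the `# HSTS settings` / `# WARNING: Only add the preload option…` comments, which in the stock Nextcloud vhost precede the file's own `add_header Strict-Transport-Security` line; that line is outside the hunk so I cannot see whether it is active (the upstream example ships it commented out), but if it is, the server block sends two STS headers and RFC 6797 §8.1 has the user agent honour only the first, so whichever `max-age`/`preload` value comes second is silently ignored. Worth confirming which header is meant to win and recording the decision next to the include, e.g. `# HSTS is already sent by conf.d/ssl; keep only one Strict-Transport-Security header in this block`. The same check applies to any other vhost that carries its own HSTS directive now that the snippet always adds one. The server block continues outside this hunk.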
diff --git a/peertube.conf b/peertube.conf
index 8232caa..e22997a 100644
--- a/peertube.conf
+++ b/peertube.conf
@@ -19,14 +19,7 @@ server {
 # Certificates
 # you need a certificate to run in production. see https://letsencrypt.org/
 ##
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 ##
 # Application
diff --git a/server.conf b/server.conf
index 8915be4..117b471 100644
--- a/server.conf
+++ b/server.conf
@@ -3,14 +3,7 @@ server {
 listen [::]:443 ssl http2;
 server_name server.exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 location / {
 proxy_pass http://localhost:6000;
diff --git a/ssl b/ssl
new file mode 100644
index 0000000..ed37c2b
--- /dev/null
+++ b/ssl
@@ -0,0 +1,8 @@
+ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
+include /etc/letsencrypt/options-ssl-nginx.conf;
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+add_header Strict-Transport-Security "max-age=31536000" always;
+ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
+ssl_stapling on;
+ssl_stapling_verify on;
\ No newline at end of file
diff --git a/synapse.conf b/synapse.conf
index 66a7ddb..05e1bd0 100644
--- a/synapse.conf
+++ b/synapse.conf
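Review bot: The new `ssl` snippet enables `ssl_stapling on;` and `ssl_stapling_verify on;` without a `resolver` in sight; nginx needs a `resolver` directive in scope to look up the OCSP responder hostname, and when none is defined it logs a "no resolver defined" warning and simply serves no stapled response, so stapling fails silently in every vhost that does not set one itself (jellyfin's context mentions a resolver line; the other hunks show none, and whether nginx.conf sets one at http level is outside this patch). If it is not set globally, either add a `resolver` to the snippet or document the dependency at its top with `# OCSP stapling below needs a resolver directive in scope (set in nginx.conf or per vhost)`. The file is also created without a trailing newline (`\ No newline at end of file`), which nginx tolerates but which makes the next edit's diff noisier than it needs to be, so I would add one.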
@@ -4,14 +4,7 @@ server {
 server_name chat.exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 location / {
 proxy_pass http://localhost:8008;
diff --git a/ta180m.conf b/ta180m.conf
index ddf094d..248f745 100644
--- a/ta180m.conf
+++ b/ta180m.conf
@@ -3,14 +3,7 @@ server {
 listen [::]:443 ssl http2;
 server_name ta180m.exozy.me;
- ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- ssl_trusted_certificate /etc/letsencrypt/live/exozy.me/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
+ include conf.d/ssl;
 root /srv/http/ta180m/public;
 index index.html;