nginx-common: update config

10 files changed, 256 insertions, 182 deletions

diff --git a/nginx-common/conf/conf.d/default_hosts.conf.tpl b/nginx-common/conf/conf.d/default_hosts.conf.tpl
deleted file mode 100644
index 7eea7bf..0000000
--- a/nginx-common/conf/conf.d/default_hosts.conf.tpl
+++ /dev/null
@@ -1,63 +0,0 @@
-map $http_host $can_redirect {
-  hostnames;
-
-  default                            0;
-  crute.me                           1;
-  *.crute.me                         1;
-  crute.us                           1;
-  *.crute.us                         1;
-  *.pomonaconsulting.com             1;
-  pomonaconsulting.com               1;
-  *.pomonaconsulting.net             1;
-  pomonaconsulting.net               1;
-  leavenworthsnowmobilerentals.com   1;
-  *.leavenworthsnowmobilerentals.com 1;
-  lakewenatcheecabins.net            1;
-  *.lakewenatcheecabins.net          1;
-  59erdiner.com                      1;
-  *.59erdiner.com                    1;
-  as398223.net                       1;
-  *.as398223.net                     1;
-  frompythonimportpodcast.com        1;
-  *.frompythonimportpodcast.com      1;
-}
-
-server {
-  listen *:80 default_server;
-  listen [::]:80 default_server;
-
-  access_log /logs/default_http_vhost.log combined_host;
-
-  location / {
-    if ($can_redirect) {
-      rewrite (.*) https://$http_host$1 permanent;
-    }
-
-    default_type text/plain;
-    return 404 "not found";
-  }
-}
-
-{{ if ne (.Get "NGINX_PP_DISABLE_SSL_DEFAULT") "true" }}
-server {
-  listen *:443 ssl http2 default_server;
-  listen [::]:443 ssl http2 default_server;
-
-  access_log /logs/default_https_vhost.log combined_host;
-
-  include includes/hardened_ssl.conf;
-  include includes/hardened_headers.conf;
-  include includes/default_csp.conf;
-
-  {{ if ne (.Get "NGINX_PP_DEFAULT_SSL_FILE") "" }}
-  include includes/{{ .Get "NGINX_PP_DEFAULT_SSL_FILE" }}.conf;
-  {{ else }}
-  include includes/star_crute_me_ssl.conf;
-  {{ end }}
-
-  location / {
-    default_type text/plain;
-    return 404 "not found";
-  }
-}
-{{ end }}
diff --git a/nginx-common/conf/includes/hardened_ssl.conf b/nginx-common/conf/includes/hardened_ssl.conf
deleted file mode 100644
index 0f729c7..0000000
--- a/nginx-common/conf/includes/hardened_ssl.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_prefer_server_ciphers on;
-#ssl_ecdh_curve secp521r1:secp384r1:X25519;
-
-# These are possibly vulnerable to the ROBOT attack (https://robotattack.org)
-# but are also important for backwards compatability for a few older, but still
-# frequently used, Android variants. The use of ECDHE in these algorithms may
-# mitigate the vulnerability but the conservative approach would be to disable
-# them.
-#
-#     !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
-#
-ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
-
-ssl_stapling on;
-ssl_stapling_verify on;
-resolver 8.8.4.4 8.8.8.8 valid=300s;
-resolver_timeout 5s;
-
-add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
diff --git a/nginx-common/conf/includes/internal_ip_allow_only.conf b/nginx-common/conf/includes/internal_ip_allow_only.conf
deleted file mode 100644
index 0a4e152..0000000
--- a/nginx-common/conf/includes/internal_ip_allow_only.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Global V4 Internal Network
-allow 172.16.0.0/16;
-# FKL1 V4 Internal Network
-allow 172.18.0.0/16;
-# SEA4 V4 Internal Network
-allow 172.19.0.0/16;
-# ORD1 V4 Internal Network
-allow 172.20.0.0/16;
-# Mobile V4 Internal Network
-allow 172.21.0.0/16;
-# PDX1 V6 Network
-allow 2600:1f14:f39:e000::/56;
-# CMH1 V6 Network
-allow 2600:1f16:33:500::/56;
-# LHR1 V6 Network
-allow 2a05:d01c:7ba:b800::/56;
-# SEA1 Internal V6 Network
-allow 2602:0803:4070::/48;
-# SEA4 Internal V6 Network
-allow 2602:0803:4072::/48;
-# SEA4 Remote Access VPN V6 Network
-allow 2602:0803:4075::/48;
-# ORD1 Internal V6 Network
-allow 2602:0803:4073::/48;
-# FKL1 Internal V6 Network
-allow 2602:0803:4074::/48;
-# Wireguard RAS V6 Network
-allow 2602:0803:4075::/48;
-# Mobile V6 Internal Network
-allow 2602:0803:4076::/48;
-
-allow 127.0.0.1;
-deny  all;
diff --git a/nginx-common/conf/includes/internal_ip_cgit_acl.conf b/nginx-common/conf/includes/internal_ip_cgit_acl.conf
deleted file mode 100644
index 833d4db..0000000
--- a/nginx-common/conf/includes/internal_ip_cgit_acl.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-geo $cgit_config {
-  default "/srv/code/etc/cgit-public.cfg";
-
-  # Global V4 Internal Network
-  172.16.0.0/16 "/srv/code/etc/cgit-private.cfg";
-  # FKL1 V4 Internal network
-  172.18.0.0/16 "/srv/code/etc/cgit-private.cfg";
-  # SEA4 V4 Internal network
-  172.19.0.0/16 "/srv/code/etc/cgit-private.cfg";
-  # ORD1 V4 Internal network
-  172.20.0.0/16 "/srv/code/etc/cgit-private.cfg";
-  # Mobile V4 Internal network
-  172.21.0.0/16 "/srv/code/etc/cgit-private.cfg";
-  # PDX1 V6 Network
-  2600:1f14:f39:e000::/56 "/srv/code/etc/cgit-private.cfg";
-  # CMH1 V6 Network
-  2600:1f16:33:500::/56 "/srv/code/etc/cgit-private.cfg";
-  # SEA1 Internal V6 Network
-  2602:0803:4070::/48 "/srv/code/etc/cgit-private.cfg";
-  # SEA4 Internal V6 Network
-  2602:0803:4072::/48 "/srv/code/etc/cgit-private.cfg";
-  # ORD1 Internal V6 Network
-  2602:0803:4073::/48 "/srv/code/etc/cgit-private.cfg";
-  # FKL1 Internal V6 Network
-  2602:0803:4074::/48 "/srv/code/etc/cgit-private.cfg";
-  # Wireguard RAS V6 Network
-  2602:0803:4075::/48 "/srv/code/etc/cgit-private.cfg";
-  # Mobile V6 Internal Network
-  2602:0803:4076::/48 "/srv/code/etc/cgit-private.cfg";
-}
diff --git a/nginx-common/conf/includes/public_key_pin.conf b/nginx-common/conf/includes/public_key_pin.conf
deleted file mode 100644
index 80e0e83..0000000
--- a/nginx-common/conf/includes/public_key_pin.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# This is not used because it's too risky in the case of CA changes
-#
-# openssl x509 -in le2 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
-add_header Public-Key-Pins 'pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=0; includeSubDomains' always;
diff --git a/nginx-common/conf/includes/star_crute_me_ssl.conf b/nginx-common/conf/includes/star_crute_me_ssl.conf
deleted file mode 100644
index 536e8d0..0000000
--- a/nginx-common/conf/includes/star_crute_me_ssl.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem;
-ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem;
diff --git a/nginx-common/conf/includes/star_pomonaconsulting_com_ssl.conf b/nginx-common/conf/includes/star_pomonaconsulting_com_ssl.conf
deleted file mode 100644
index d14c833..0000000
--- a/nginx-common/conf/includes/star_pomonaconsulting_com_ssl.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-ssl_certificate /srv/nginx-conf/ssl/letsencrypt_pomonaconsulting_com.pem;
-ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_pomonaconsulting_com_key.pem;
diff --git a/nginx-common/conf/includes/star_sea1_crute_me_ssl.conf b/nginx-common/conf/includes/star_sea1_crute_me_ssl.conf
deleted file mode 100644
index af0a3a4..0000000
--- a/nginx-common/conf/includes/star_sea1_crute_me_ssl.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-ssl_certificate /srv/nginx-conf/ssl/letsencrypt_sea1_crute_me.pem;
-ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_sea1_crute_me_key.pem;
diff --git a/nginx-common/conf/nginx.conf b/nginx-common/conf/nginx.conf
index c04990a..6b7a47b 100644
--- a/nginx-common/conf/nginx.conf
+++ b/nginx-common/conf/nginx.conf
@@ -1,3 +1,5 @@
+# vim:ft=nginx
+
 user nginx;
 worker_processes 1;
 
@@ -5,42 +7,140 @@ error_log /dev/stdout warn;
 pid /var/run/nginx.pid;
 
 events {
-  worker_connections 1024;
+    worker_connections 1024;
 }
 
 http {
-  include mime.types;
-  default_type application/octet-stream;
+    include mime.types;
+
+    default_type application/octet-stream;
+
+    log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
+        '"$request" $status $body_bytes_sent '
+        '"$http_referer" "$http_user_agent"';
+
+    access_log /logs/default_server.log combined_host;
+
+    sendfile on;
+    tcp_nopush on;
+    server_tokens off;
+
+    keepalive_timeout 128;
+
+    # Try to avoid buffering requests to disk This is about 4MB
+    client_body_buffer_size 4000k;
+
+    # Try to avoid buffering backend responses to disk This is about 4MB
+    proxy_buffers 1000 4k;
+
+    gzip on;
+    gzip_proxied any;
+    gzip_disable "msie6";
+    gzip_types 
+        application/javascript
+        application/rss+xml
+        application/x-javascript
+        application/xhtml+xml
+        application/xml
+        image/svg+xml
+        image/x-icon
+        text/css
+        text/javascript
+        text/plain
+        text/xml;
+
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    #ssl_ecdh_curve secp521r1:secp384r1:X25519;
+
+    # These are possibly vulnerable to the ROBOT attack
+    # (https://robotattack.org) but are also important for backwards
+    # compatability for a few older, but still frequently used, Android
+    # variants. The use of ECDHE in these algorithms may mitigate the
+    # vulnerability but the conservative approach would be to disable them.
+    #
+    #     !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
+    #
+    ssl_ciphers
+        'ECDHE-ECDSA-CHACHA20-POLY1305:'
+        'ECDHE-RSA-CHACHA20-POLY1305:'
+        'AES256+EECDH:'
+        'AES256+EDH:'
+        '!DHE-RSA-AES256-SHA256:'
+        '!DHE-RSA-AES256-SHA:'
+        '!aNULL';
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.4.4 8.8.8.8 valid=300s;
+    resolver_timeout 5s;
+
+    
+    map $http_host $can_redirect {
+        hostnames;
+
+        default 0;
+
+        crute.me 1;
+        *.crute.me 1;
+        crute.us 1;
+        *.crute.us 1;
+        *.pomonaconsulting.com 1;
+        pomonaconsulting.com 1;
+        *.pomonaconsulting.net 1;
+        pomonaconsulting.net 1;
+        leavenworthsnowmobilerentals.com 1;
+        *.leavenworthsnowmobilerentals.com 1;
+        lakewenatcheecabins.net 1;
+        *.lakewenatcheecabins.net 1;
+        59erdiner.com 1;
+        *.59erdiner.com 1;
+        as398223.net 1;
+        *.as398223.net 1;
+        frompythonimportpodcast.com 1;
+        *.frompythonimportpodcast.com 1;
+        }
+    
+
+    server {
+        listen *:80 default_server;
+        listen [::]:80 default_server;
 
-  log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
-                           '"$request" $status $body_bytes_sent '
-                           '"$http_referer" "$http_user_agent"';
+        access_log /logs/default_http_vhost.log combined_host;
 
-  access_log /logs/default_server.log combined_host;
+        location / {
+            if ($can_redirect) {
+                rewrite (.*) https://$http_host$1 permanent;
+            }
 
-  sendfile on;
-  tcp_nopush on;
-  server_tokens off;
+            default_type text/plain;
+            return 404 "not found";
+        }
+    }
 
-  keepalive_timeout 128;
+    
+    server {
+        listen *:443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
 
-  # Try to avoid buffering requests to disk
-  # This is about 4MB
-  client_body_buffer_size 4000k;
+        access_log /logs/default_https_vhost.log combined_host;
 
-  # Try to avoid buffering backend responses to disk
-  # This is about 4MB
-  proxy_buffers 1000 4k;
+        include includes/hardened_headers.conf;
+        include includes/default_csp.conf;
 
-  gzip on;
-  gzip_proxied any;
-  gzip_disable "msie6";
-  gzip_types application/javascript application/rss+xml application/x-javascript application/xhtml+xml application/xml image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+        ssl_certificate {{ getSSLCert }};
+        ssl_certificate_key {{ getSSLKey }};
 
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-  ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
+        location / {
+            default_type text/plain;
+            return 404 "not found";
+        }
+    }
+    
 
-  include conf.d/*.conf;
-  include sites-enabled/*;
+    include sites-enabled/*;
 }
diff --git a/nginx-common/conf/nginx.conf.tpl b/nginx-common/conf/nginx.conf.tpl
new file mode 100644
index 0000000..9f4d3ef
--- /dev/null
+++ b/nginx-common/conf/nginx.conf.tpl
@@ -0,0 +1,130 @@
+# vim:ft=nginx
+
+user nginx;
+worker_processes 1;
+
+error_log /dev/stdout warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include mime.types;
+
+    default_type application/octet-stream;
+
+    log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
+        '"$request" $status $body_bytes_sent '
+        '"$http_referer" "$http_user_agent"';
+
+    access_log /logs/default_server.log combined_host;
+
+    sendfile on;
+    tcp_nopush on;
+    server_tokens off;
+
+    keepalive_timeout 128;
+
+    # Try to avoid buffering requests to disk This is about 4MB
+    client_body_buffer_size 4000k;
+
+    # Try to avoid buffering backend responses to disk This is about 4MB
+    proxy_buffers 1000 4k;
+
+    gzip on;
+    gzip_proxied any;
+    gzip_disable "msie6";
+    gzip_types 
+        application/javascript
+        application/rss+xml
+        application/x-javascript
+        application/xhtml+xml
+        application/xml
+        image/svg+xml
+        image/x-icon
+        text/css
+        text/javascript
+        text/plain
+        text/xml;
+
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    #ssl_ecdh_curve secp521r1:secp384r1:X25519;
+
+    # These are possibly vulnerable to the ROBOT attack
+    # (https://robotattack.org) but are also important for backwards
+    # compatability for a few older, but still frequently used, Android
+    # variants. The use of ECDHE in these algorithms may mitigate the
+    # vulnerability but the conservative approach would be to disable them.
+    #
+    #     !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
+    #
+    ssl_ciphers
+        'ECDHE-ECDSA-CHACHA20-POLY1305:'
+        'ECDHE-RSA-CHACHA20-POLY1305:'
+        'AES256+EECDH:'
+        'AES256+EDH:'
+        '!DHE-RSA-AES256-SHA256:'
+        '!DHE-RSA-AES256-SHA:'
+        '!aNULL';
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.4.4 8.8.8.8 valid=300s;
+    resolver_timeout 5s;
+
+    {{ if .HTTPRedirects }}
+    map $http_host $can_redirect {
+        hostnames;
+
+        default 0;
+
+        {{ range $_, $h := .HTTPRedirects -}}
+        {{ . }} 1;
+        {{ end -}}
+    }
+    {{ end }}
+
+    server {
+        listen *:80 default_server;
+        listen [::]:80 default_server;
+
+        access_log /logs/default_http_vhost.log combined_host;
+
+        location / {
+            {{ if .HTTPRedirects -}}
+            if ($can_redirect) {
+                rewrite (.*) https://$http_host$1 permanent;
+            }
+            {{- end }}
+
+            default_type text/plain;
+            return 404 "not found";
+        }
+    }
+
+    {{ if .DefaultSSLVhost }}
+    server {
+        listen *:443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        access_log /logs/default_https_vhost.log combined_host;
+
+        include includes/hardened_headers.conf;
+        include includes/default_csp.conf;
+
+        {{ renderHardenedSSLSlice .DefaultSSLVhost }}
+
+        location / {
+            default_type text/plain;
+            return 404 "not found";
+        }
+    }
+    {{ end }}
+
+    include sites-enabled/*;
+}