author | Mike Crute <mike@crute.us> | 2022-12-31 14:42:51 -0800 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2022-12-31 14:42:51 -0800 |
commit | 77afc05d67281668f1d205e8786e33164695834f (patch) | |
tree | d736249029b426421a0d5a1948610f50825bf6ce | |
parent | c0f6c3d4c41d6cf16779605a150dce3e8a266c4d (diff) | |
download | dockerfiles-77afc05d67281668f1d205e8786e33164695834f.tar.bz2 dockerfiles-77afc05d67281668f1d205e8786e33164695834f.tar.xz dockerfiles-77afc05d67281668f1d205e8786e33164695834f.zip |
nginx: remove some magic config
-rw-r--r-- | nginx-common/conf/includes/hardened_ssl.conf | 20 | ||||
-rw-r--r-- | nginx-common/conf/includes/internal_ip_allow_only.conf | 33 | ||||
-rw-r--r-- | nginx-common/conf/includes/internal_ip_cgit_acl.conf | 30 | ||||
-rw-r--r-- | nginx-common/conf/nginx.conf | 59 | ||||
-rw-r--r-- | nginx-common/conf/nginx.conf.tpl | 130 | ||||
-rw-r--r-- | nginx-common/main.go | 3 |
6 files changed, 109 insertions, 166 deletions
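--- /dev/null
+++ b/nginx-common/conf/includes/hardened_ssl.conf
@@ -0,0 +1,20 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+#ssl_ecdh_curve secp521r1:secp384r1:X25519;
+
+# These are possibly vulnerable to the ROBOT attack (https://robotattack.org)
+# but are also important for backwards compatability for a few older, but still
+# frequently used, Android variants. The use of ECDHE in these algorithms may
+# mitigate the vulnerability but the conservative approach would be to disable
+# them.
+#
+# !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
+#
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
+
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.4.4 8.8.8.8 valid=300s;
+resolver_timeout 5s;
+
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;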
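Review bot: `ssl_stapling_verify on;` on line 16 only validates the stapled OCSP response when nginx can build the issuer chain, which needs either a full-chain file in `ssl_certificate` or an explicit `ssl_trusted_certificate`; this include sets neither, and the server block that includes it (nginx.conf, new line 123) points `ssl_certificate` at a single `.pem` whose contents are not visible here, so confirm the chain is complete or stapling may quietly stop with only an error-log entry. The stapling lookups also go through the hard-coded public resolvers `8.8.4.4 8.8.8.8` over plain DNS, which deserves a comment such as `# resolver is used only for OCSP stapling lookups; a local resolver would avoid leaking them` so a future reader knows what depends on it. Lastly, `ssl_prefer_server_ciphers` and `ssl_ciphers` do not affect TLSv1.3 suites, which the comment block on lines 5-12 could say to avoid a false sense of control over that protocol.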
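--- /dev/null
+++ b/nginx-common/conf/includes/internal_ip_allow_only.conf
@@ -0,0 +1,33 @@
+# Global V4 Internal Network
+allow 172.16.0.0/16;
+# FKL1 V4 Internal Network
+allow 172.18.0.0/16;
+# SEA4 V4 Internal Network
+allow 172.19.0.0/16;
+# ORD1 V4 Internal Network
+allow 172.20.0.0/16;
+# Mobile V4 Internal Network
+allow 172.21.0.0/16;
+# PDX1 V6 Network
+allow 2600:1f14:f39:e000::/56;
+# CMH1 V6 Network
+allow 2600:1f16:33:500::/56;
+# LHR1 V6 Network
+allow 2a05:d01c:7ba:b800::/56;
+# SEA1 Internal V6 Network
+allow 2602:0803:4070::/48;
+# SEA4 Internal V6 Network
+allow 2602:0803:4072::/48;
+# SEA4 Remote Access VPN V6 Network
+allow 2602:0803:4075::/48;
+# ORD1 Internal V6 Network
+allow 2602:0803:4073::/48;
+# FKL1 Internal V6 Network
+allow 2602:0803:4074::/48;
+# Wireguard RAS V6 Network
+allow 2602:0803:4075::/48;
+# Mobile V6 Internal Network
+allow 2602:0803:4076::/48;
+
+allow 127.0.0.1;
+deny all;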
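Review bot: `2602:0803:4075::/48` is allowed twice, labelled "SEA4 Remote Access VPN V6 Network" on line 22 and "Wireguard RAS V6 Network" on line 28, so one label is probably attached to the wrong prefix and a network that was meant to be allowed may be missing; the companion geo in internal_ip_cgit_acl.conf carries only the line-28 variant, and its LHR1 block (`2a05:d01c:7ba:b800::/56`, line 16 here) is absent there too. The file also allows `127.0.0.1` but not `::1`, while the default server in nginx.conf listens on `[::]:443`, so a loopback check over IPv6 is denied; if that is unintended add `allow ::1;` after line 32. Because the same prefix list is hand-copied into internal_ip_cgit_acl.conf the two will keep drifting, so a header comment such as `# Keep in sync with internal_ip_cgit_acl.conf` would at least flag the coupling.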
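--- /dev/null
+++ b/nginx-common/conf/includes/internal_ip_cgit_acl.conf
@@ -0,0 +1,30 @@
+geo $cgit_config {
+default "/srv/code/etc/cgit-public.cfg";
+
+# Global V4 Internal Network
+172.16.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# FKL1 V4 Internal network
+172.18.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# SEA4 V4 Internal network
+172.19.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# ORD1 V4 Internal network
+172.20.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# Mobile V4 Internal network
+172.21.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# PDX1 V6 Network
+2600:1f14:f39:e000::/56 "/srv/code/etc/cgit-private.cfg";
+# CMH1 V6 Network
+2600:1f16:33:500::/56 "/srv/code/etc/cgit-private.cfg";
+# SEA1 Internal V6 Network
+2602:0803:4070::/48 "/srv/code/etc/cgit-private.cfg";
+# SEA4 Internal V6 Network
+2602:0803:4072::/48 "/srv/code/etc/cgit-private.cfg";
+# ORD1 Internal V6 Network
+2602:0803:4073::/48 "/srv/code/etc/cgit-private.cfg";
+# FKL1 Internal V6 Network
+2602:0803:4074::/48 "/srv/code/etc/cgit-private.cfg";
+# Wireguard RAS V6 Network
+2602:0803:4075::/48 "/srv/code/etc/cgit-private.cfg";
+# Mobile V6 Internal Network
+2602:0803:4076::/48 "/srv/code/etc/cgit-private.cfg";
+}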
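Review bot: The `geo` block keys on `$remote_addr`, so if this nginx instance is ever placed behind a reverse proxy or fed PROXY-protocol connections the public/private decision would be made on the proxy's address rather than the client's; that is fine as long as the container terminates client connections directly, which this commit does not show either way. The intent is worth stating in a header comment, e.g. `# Selects the cgit config by client source address; any address not listed gets the public config (fail closed).`, since the `default` on line 2 is the only thing that keeps unknown sources on the public side. The private-config path is repeated on every entry because `geo` values cannot reference variables, which a short comment could also explain so nobody "simplifies" it into a `map` that loses CIDR matching.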
diff --git a/nginx-common/conf/nginx.conf b/nginx-common/conf/nginx.conf index 6b7a47b..33e2ad9 100644 --- a/nginx-common/conf/nginx.conf +++ b/nginx-common/conf/nginx.conf | |||
@@ -63,46 +63,36 @@ http { | |||
63 | # | 63 | # |
64 | # !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384: | 64 | # !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384: |
65 | # | 65 | # |
66 | ssl_ciphers | 66 | ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL"; |
67 | 'ECDHE-ECDSA-CHACHA20-POLY1305:' | ||
68 | 'ECDHE-RSA-CHACHA20-POLY1305:' | ||
69 | 'AES256+EECDH:' | ||
70 | 'AES256+EDH:' | ||
71 | '!DHE-RSA-AES256-SHA256:' | ||
72 | '!DHE-RSA-AES256-SHA:' | ||
73 | '!aNULL'; | ||
74 | 67 | ||
75 | ssl_stapling on; | 68 | ssl_stapling on; |
76 | ssl_stapling_verify on; | 69 | ssl_stapling_verify on; |
77 | resolver 8.8.4.4 8.8.8.8 valid=300s; | 70 | resolver 8.8.4.4 8.8.8.8 valid=300s; |
78 | resolver_timeout 5s; | 71 | resolver_timeout 5s; |
79 | 72 | ||
80 | |||
81 | map $http_host $can_redirect { | 73 | map $http_host $can_redirect { |
82 | hostnames; | 74 | hostnames; |
83 | 75 | ||
84 | default 0; | 76 | default 0; |
85 | 77 | crute.me 1; | |
86 | crute.me 1; | 78 | *.crute.me 1; |
87 | *.crute.me 1; | 79 | crute.us 1; |
88 | crute.us 1; | 80 | *.crute.us 1; |
89 | *.crute.us 1; | 81 | *.pomonaconsulting.com 1; |
90 | *.pomonaconsulting.com 1; | 82 | pomonaconsulting.com 1; |
91 | pomonaconsulting.com 1; | 83 | *.pomonaconsulting.net 1; |
92 | *.pomonaconsulting.net 1; | 84 | pomonaconsulting.net 1; |
93 | pomonaconsulting.net 1; | 85 | leavenworthsnowmobilerentals.com 1; |
94 | leavenworthsnowmobilerentals.com 1; | ||
95 | *.leavenworthsnowmobilerentals.com 1; | 86 | *.leavenworthsnowmobilerentals.com 1; |
96 | lakewenatcheecabins.net 1; | 87 | lakewenatcheecabins.net 1; |
97 | *.lakewenatcheecabins.net 1; | 88 | *.lakewenatcheecabins.net 1; |
98 | 59erdiner.com 1; | 89 | 59erdiner.com 1; |
99 | *.59erdiner.com 1; | 90 | *.59erdiner.com 1; |
100 | as398223.net 1; | 91 | as398223.net 1; |
101 | *.as398223.net 1; | 92 | *.as398223.net 1; |
102 | frompythonimportpodcast.com 1; | 93 | frompythonimportpodcast.com 1; |
103 | *.frompythonimportpodcast.com 1; | 94 | *.frompythonimportpodcast.com 1; |
104 | } | 95 | } |
105 | |||
106 | 96 | ||
107 | server { | 97 | server { |
108 | listen *:80 default_server; | 98 | listen *:80 default_server; |
@@ -120,27 +110,24 @@ http { | |||
120 | } | 110 | } |
121 | } | 111 | } |
122 | 112 | ||
123 | |||
124 | server { | 113 | server { |
125 | listen *:443 ssl http2 default_server; | 114 | listen *:443 ssl http2 default_server; |
126 | listen [::]:443 ssl http2 default_server; | 115 | listen [::]:443 ssl http2 default_server; |
127 | 116 | ||
128 | access_log /logs/default_https_vhost.log combined_host; | 117 | access_log /logs/default_https_vhost.log combined_host; |
129 | 118 | ||
119 | include includes/hardened_ssl.conf; | ||
130 | include includes/hardened_headers.conf; | 120 | include includes/hardened_headers.conf; |
131 | include includes/default_csp.conf; | 121 | include includes/default_csp.conf; |
132 | 122 | ||
133 | ssl_protocols TLSv1.2 TLSv1.3; | 123 | ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem; |
134 | add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always; | 124 | ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem; |
135 | ssl_certificate {{ getSSLCert }}; | ||
136 | ssl_certificate_key {{ getSSLKey }}; | ||
137 | 125 | ||
138 | location / { | 126 | location / { |
139 | default_type text/plain; | 127 | default_type text/plain; |
140 | return 404 "not found"; | 128 | return 404 "not found"; |
141 | } | 129 | } |
142 | } | 130 | } |
143 | |||
144 | 131 | ||
145 | include sites-enabled/*; | 132 | include sites-enabled/*; |
146 | } | 133 | } |
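Review bot: The TLS directives now live in two places: the http block still carries `ssl_ciphers` (new line 66), `ssl_stapling`, `ssl_stapling_verify`, `resolver` and `resolver_timeout` (new lines 68-71), while the default HTTPS server block now also includes `includes/hardened_ssl.conf` (new line 119), which sets the same directives again plus `ssl_protocols` and the HSTS header. The server-level copy wins for this vhost, so the two lists can drift without anyone noticing; either drop the http-level duplicates or add a comment above new line 66 such as `# Fallback TLS settings for vhosts that do not include includes/hardened_ssl.conf`. Separately, new lines 123-124 replace the templated `{{ getSSLCert }}`/`{{ getSSLKey }}` with fixed paths under `/srv/nginx-conf/ssl/`, so the default server now hard-depends on that certificate and key being mounted at start; a comment naming where they are expected to come from would save the next person a failed container start. The `http {` block this hunk sits in opens and closes outside the hunk.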
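--- a/nginx-common/conf/nginx.conf.tpl
+++ /dev/null
@@ -1,130 +0,0 @@
-# vim:ft=nginx
-
-user nginx;
-worker_processes 1;
-
-error_log /dev/stdout warn;
-pid /var/run/nginx.pid;
-
-events {
-worker_connections 1024;
-}
-
-http {
-include mime.types;
-
-default_type application/octet-stream;
-
-log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
-'"$request" $status $body_bytes_sent '
-'"$http_referer" "$http_user_agent"';
-
-access_log /logs/default_server.log combined_host;
-
-sendfile on;
-tcp_nopush on;
-server_tokens off;
-
-keepalive_timeout 128;
-
-# Try to avoid buffering requests to disk This is about 4MB
-client_body_buffer_size 4000k;
-
-# Try to avoid buffering backend responses to disk This is about 4MB
-proxy_buffers 1000 4k;
-
-gzip on;
-gzip_proxied any;
-gzip_disable "msie6";
-gzip_types
-application/javascript
-application/rss+xml
-application/x-javascript
-application/xhtml+xml
-application/xml
-image/svg+xml
-image/x-icon
-text/css
-text/javascript
-text/plain
-text/xml;
-
-ssl_session_cache shared:SSL:10m;
-ssl_session_timeout 10m;
-ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
-ssl_prefer_server_ciphers on;
-#ssl_ecdh_curve secp521r1:secp384r1:X25519;
-
-# These are possibly vulnerable to the ROBOT attack
-# (https://robotattack.org) but are also important for backwards
-# compatability for a few older, but still frequently used, Android
-# variants. The use of ECDHE in these algorithms may mitigate the
-# vulnerability but the conservative approach would be to disable them.
-#
-# !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
-#
-ssl_ciphers
-'ECDHE-ECDSA-CHACHA20-POLY1305:'
-'ECDHE-RSA-CHACHA20-POLY1305:'
-'AES256+EECDH:'
-'AES256+EDH:'
-'!DHE-RSA-AES256-SHA256:'
-'!DHE-RSA-AES256-SHA:'
-'!aNULL';
-
-ssl_stapling on;
-ssl_stapling_verify on;
-resolver 8.8.4.4 8.8.8.8 valid=300s;
-resolver_timeout 5s;
-
-{{ if .HTTPRedirects }}
-map $http_host $can_redirect {
-hostnames;
-
-default 0;
-
-{{ range $_, $h := .HTTPRedirects -}}
-{{ . }} 1;
-{{ end -}}
-}
-{{ end }}
-
-server {
-listen *:80 default_server;
-listen [::]:80 default_server;
-
-access_log /logs/default_http_vhost.log combined_host;
-
-location / {
-{{ if .HTTPRedirects -}}
-if ($can_redirect) {
-rewrite (.*) https://$http_host$1 permanent;
-}
-{{- end }}
-
-default_type text/plain;
-return 404 "not found";
-}
-}
-
-{{ if .DefaultSSLVhost }}
-server {
-listen *:443 ssl http2 default_server;
-listen [::]:443 ssl http2 default_server;
-
-access_log /logs/default_https_vhost.log combined_host;
-
-include includes/hardened_headers.conf;
-include includes/default_csp.conf;
-
-{{ renderHardenedSSLSlice .DefaultSSLVhost }}
-
-location / {
-default_type text/plain;
-return 404 "not found";
-}
-}
-{{ end }}
-
-include sites-enabled/*;
-}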
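--- a/nginx-common/main.go
+++ b/nginx-common/main.go
@@ -83,6 +83,9 @@ func processTemplate(filepath string) {
 }
 
 func shouldIncludeFile(filepath string, info os.FileInfo) bool {
+if info == nil {
+return false
+}
 return !info.IsDir() && !strings.Contains(filepath, "/.git/") && info.Mode()&os.ModeType == 0
 }
 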
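Review bot: The added nil guard on new lines 86-88 matches how filepath.Walk reports a failure to stat the walk root (it invokes the callback with a nil FileInfo and a non-nil error), but the callback that passes `info` into this helper is outside the hunk, so confirm it also inspects the error rather than relying on the `false` returned here to silently skip the entry. As a point of style, the parameter `filepath` shadows the path/filepath package both here and in `processTemplate` (visible in the hunk header), which makes `filepath.Ext` or `filepath.Separator` unusable inside these functions; `func shouldIncludeFile(name string, info os.FileInfo) bool {` with the matching `strings.Contains(name, "/.git/")` avoids that, and the forward-slash-only `"/.git/"` check is then easier to see as a deliberate assumption. A doc comment such as `// shouldIncludeFile reports whether a walked entry is a regular file outside any .git directory; a nil info (Walk root error) is excluded.` would record the intent of the new guard.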