nginx: remove some magic config

author: Mike Crute <mike@crute.us> 2022-12-31 14:42:51 -0800
committer: Mike Crute <mike@crute.us> 2022-12-31 14:42:51 -0800
commit: 77afc05d67281668f1d205e8786e33164695834f (patch)
tree: d736249029b426421a0d5a1948610f50825bf6ce
parent: c0f6c3d4c41d6cf16779605a150dce3e8a266c4d (diff)
download: dockerfiles-77afc05d67281668f1d205e8786e33164695834f.tar.bz2
dockerfiles-77afc05d67281668f1d205e8786e33164695834f.tar.xz
dockerfiles-77afc05d67281668f1d205e8786e33164695834f.zip
6 files changed, 109 insertions, 166 deletions
diff --git a/nginx-common/conf/includes/hardened_ssl.conf b/nginx-common/conf/includes/hardened_ssl.conf
new file mode 100644
index 0000000..0f729c7
--- /dev/null
+++ b/nginx-common/conf/includes/hardened_ssl.conf
@@ -0,0 +1,20 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+#ssl_ecdh_curve secp521r1:secp384r1:X25519;
+# These are possibly vulnerable to the ROBOT attack (https://robotattack.org)
+# but are also important for backwards compatability for a few older, but still
+# frequently used, Android variants. The use of ECDHE in these algorithms may
+# mitigate the vulnerability but the conservative approach would be to disable
+# them.
+#
+#     !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
+#
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.4.4 8.8.8.8 valid=300s;
+resolver_timeout 5s;
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
diff --git a/nginx-common/conf/includes/internal_ip_allow_only.conf b/nginx-common/conf/includes/internal_ip_allow_only.conf
new file mode 100644
index 0000000..0a4e152
--- /dev/null
+++ b/nginx-common/conf/includes/internal_ip_allow_only.conf
@@ -0,0 +1,33 @@
+# Global V4 Internal Network
+allow 172.16.0.0/16;
+# FKL1 V4 Internal Network
+allow 172.18.0.0/16;
+# SEA4 V4 Internal Network
+allow 172.19.0.0/16;
+# ORD1 V4 Internal Network
+allow 172.20.0.0/16;
+# Mobile V4 Internal Network
+allow 172.21.0.0/16;
+# PDX1 V6 Network
+allow 2600:1f14:f39:e000::/56;
+# CMH1 V6 Network
+allow 2600:1f16:33:500::/56;
+# LHR1 V6 Network
+allow 2a05:d01c:7ba:b800::/56;
+# SEA1 Internal V6 Network
+allow 2602:0803:4070::/48;
+# SEA4 Internal V6 Network
+allow 2602:0803:4072::/48;
+# SEA4 Remote Access VPN V6 Network
+allow 2602:0803:4075::/48;
+# ORD1 Internal V6 Network
+allow 2602:0803:4073::/48;
+# FKL1 Internal V6 Network
+allow 2602:0803:4074::/48;
+# Wireguard RAS V6 Network
+allow 2602:0803:4075::/48;
+# Mobile V6 Internal Network
+allow 2602:0803:4076::/48;
+allow 127.0.0.1;
+deny  all;
diff --git a/nginx-common/conf/includes/internal_ip_cgit_acl.conf b/nginx-common/conf/includes/internal_ip_cgit_acl.conf
new file mode 100644
index 0000000..833d4db
--- /dev/null
+++ b/nginx-common/conf/includes/internal_ip_cgit_acl.conf
@@ -0,0 +1,30 @@
+geo $cgit_config {
+  default "/srv/code/etc/cgit-public.cfg";
+  # Global V4 Internal Network
+  172.16.0.0/16 "/srv/code/etc/cgit-private.cfg";
+  # FKL1 V4 Internal network
+  172.18.0.0/16 "/srv/code/etc/cgit-private.cfg";
+  # SEA4 V4 Internal network
+  172.19.0.0/16 "/srv/code/etc/cgit-private.cfg";
+  # ORD1 V4 Internal network
+  172.20.0.0/16 "/srv/code/etc/cgit-private.cfg";
+  # Mobile V4 Internal network
+  172.21.0.0/16 "/srv/code/etc/cgit-private.cfg";
+  # PDX1 V6 Network
+  2600:1f14:f39:e000::/56 "/srv/code/etc/cgit-private.cfg";
+  # CMH1 V6 Network
+  2600:1f16:33:500::/56 "/srv/code/etc/cgit-private.cfg";
+  # SEA1 Internal V6 Network
+  2602:0803:4070::/48 "/srv/code/etc/cgit-private.cfg";
+  # SEA4 Internal V6 Network
+  2602:0803:4072::/48 "/srv/code/etc/cgit-private.cfg";
+  # ORD1 Internal V6 Network
+  2602:0803:4073::/48 "/srv/code/etc/cgit-private.cfg";
+  # FKL1 Internal V6 Network
+  2602:0803:4074::/48 "/srv/code/etc/cgit-private.cfg";
+  # Wireguard RAS V6 Network
+  2602:0803:4075::/48 "/srv/code/etc/cgit-private.cfg";
+  # Mobile V6 Internal Network
+  2602:0803:4076::/48 "/srv/code/etc/cgit-private.cfg";
+}
diff --git a/nginx-common/conf/nginx.conf b/nginx-common/conf/nginx.conf
index 6b7a47b..33e2ad9 100644
--- a/nginx-common/conf/nginx.conf
+++ b/nginx-common/conf/nginx.conf
@@ -63,46 +63,36 @@ http {
    #
    #     !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
    #
-    ssl_ciphers
+    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
-        'ECDHE-ECDSA-CHACHA20-POLY1305:'
-        'ECDHE-RSA-CHACHA20-POLY1305:'
-        'AES256+EECDH:'
-        'AES256+EDH:'
-        '!DHE-RSA-AES256-SHA256:'
-        '!DHE-RSA-AES256-SHA:'
-        '!aNULL';
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 5s;
-    
    map $http_host $can_redirect {
        hostnames;
-        default 0;
+        default                            0;
+        crute.me                           1;
-        crute.me 1;
+        *.crute.me                         1;
-        *.crute.me 1;
+        crute.us                           1;
-        crute.us 1;
+        *.crute.us                         1;
-        *.crute.us 1;
+        *.pomonaconsulting.com             1;
-        *.pomonaconsulting.com 1;
+        pomonaconsulting.com               1;
-        pomonaconsulting.com 1;
+        *.pomonaconsulting.net             1;
-        *.pomonaconsulting.net 1;
+        pomonaconsulting.net               1;
-        pomonaconsulting.net 1;
+        leavenworthsnowmobilerentals.com   1;
-        leavenworthsnowmobilerentals.com 1;
        *.leavenworthsnowmobilerentals.com 1;
-        lakewenatcheecabins.net 1;
+        lakewenatcheecabins.net            1;
-        *.lakewenatcheecabins.net 1;
+        *.lakewenatcheecabins.net          1;
-        59erdiner.com 1;
+        59erdiner.com                      1;
-        *.59erdiner.com 1;
+        *.59erdiner.com                    1;
-        as398223.net 1;
+        as398223.net                       1;
-        *.as398223.net 1;
+        *.as398223.net                     1;
-        frompythonimportpodcast.com 1;
+        frompythonimportpodcast.com        1;
-        *.frompythonimportpodcast.com 1;
+        *.frompythonimportpodcast.com      1;
-        }
+    }
-    
    server {
        listen *:80 default_server;
@@ -120,27 +110,24 @@ http {
        }
    }
-    
    server {
        listen *:443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        access_log /logs/default_https_vhost.log combined_host;
+        include includes/hardened_ssl.conf;
        include includes/hardened_headers.conf;
        include includes/default_csp.conf;
-        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem;
-        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+        ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem;
-        ssl_certificate {{ getSSLCert }};
-        ssl_certificate_key {{ getSSLKey }};
        location / {
            default_type text/plain;
            return 404 "not found";
        }
    }
-    
    include sites-enabled/*;
 }
diff --git a/nginx-common/conf/nginx.conf.tpl b/nginx-common/conf/nginx.conf.tpl
deleted file mode 100644
index 9f4d3ef..0000000
--- a/nginx-common/conf/nginx.conf.tpl
+++ /dev/null
@@ -1,130 +0,0 @@
-# vim:ft=nginx
-user nginx;
-worker_processes 1;
-error_log /dev/stdout warn;
-pid /var/run/nginx.pid;
-events {
-    worker_connections 1024;
-}
-http {
-    include mime.types;
-    default_type application/octet-stream;
-    log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
-        '"$request" $status $body_bytes_sent '
-        '"$http_referer" "$http_user_agent"';
-    access_log /logs/default_server.log combined_host;
-    sendfile on;
-    tcp_nopush on;
-    server_tokens off;
-    keepalive_timeout 128;
-    # Try to avoid buffering requests to disk This is about 4MB
-    client_body_buffer_size 4000k;
-    # Try to avoid buffering backend responses to disk This is about 4MB
-    proxy_buffers 1000 4k;
-    gzip on;
-    gzip_proxied any;
-    gzip_disable "msie6";
-    gzip_types 
-        application/javascript
-        application/rss+xml
-        application/x-javascript
-        application/xhtml+xml
-        application/xml
-        image/svg+xml
-        image/x-icon
-        text/css
-        text/javascript
-        text/plain
-        text/xml;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-    ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
-    ssl_prefer_server_ciphers on;
-    #ssl_ecdh_curve secp521r1:secp384r1:X25519;
-    # These are possibly vulnerable to the ROBOT attack
-    # (https://robotattack.org) but are also important for backwards
-    # compatability for a few older, but still frequently used, Android
-    # variants. The use of ECDHE in these algorithms may mitigate the
-    # vulnerability but the conservative approach would be to disable them.
-    #
-    #     !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
-    #
-    ssl_ciphers
-        'ECDHE-ECDSA-CHACHA20-POLY1305:'
-        'ECDHE-RSA-CHACHA20-POLY1305:'
-        'AES256+EECDH:'
-        'AES256+EDH:'
-        '!DHE-RSA-AES256-SHA256:'
-        '!DHE-RSA-AES256-SHA:'
-        '!aNULL';
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    resolver 8.8.4.4 8.8.8.8 valid=300s;
-    resolver_timeout 5s;
-    {{ if .HTTPRedirects }}
-    map $http_host $can_redirect {
-        hostnames;
-        default 0;
-        {{ range $_, $h := .HTTPRedirects -}}
-        {{ . }} 1;
-        {{ end -}}
-    }
-    {{ end }}
-    server {
-        listen *:80 default_server;
-        listen [::]:80 default_server;
-        access_log /logs/default_http_vhost.log combined_host;
-        location / {
-            {{ if .HTTPRedirects -}}
-            if ($can_redirect) {
-                rewrite (.*) https://$http_host$1 permanent;
-            }
-            {{- end }}
-            default_type text/plain;
-            return 404 "not found";
-        }
-    }
-    {{ if .DefaultSSLVhost }}
-    server {
-        listen *:443 ssl http2 default_server;
-        listen [::]:443 ssl http2 default_server;
-        access_log /logs/default_https_vhost.log combined_host;
-        include includes/hardened_headers.conf;
-        include includes/default_csp.conf;
-        {{ renderHardenedSSLSlice .DefaultSSLVhost }}
-        location / {
-            default_type text/plain;
-            return 404 "not found";
-        }
-    }
-    {{ end }}
-    include sites-enabled/*;
-}
diff --git a/nginx-common/main.go b/nginx-common/main.go
index 4b86a38..0b82128 100644
--- a/nginx-common/main.go
+++ b/nginx-common/main.go
@@ -83,6 +83,9 @@ func processTemplate(filepath string) {
 }
 func shouldIncludeFile(filepath string, info os.FileInfo) bool {
+        if info == nil {
+                return false
+        }
        return !info.IsDir() && !strings.Contains(filepath, "/.git/") && info.Mode()&os.ModeType == 0
 }
author	Mike Crute <mike@crute.us>	2022-12-31 14:42:51 -0800
committer	Mike Crute <mike@crute.us>	2022-12-31 14:42:51 -0800
commit	77afc05d67281668f1d205e8786e33164695834f (patch)
tree	d736249029b426421a0d5a1948610f50825bf6ce
parent	c0f6c3d4c41d6cf16779605a150dce3e8a266c4d (diff)
download	dockerfiles-77afc05d67281668f1d205e8786e33164695834f.tar.bz2 dockerfiles-77afc05d67281668f1d205e8786e33164695834f.tar.xz dockerfiles-77afc05d67281668f1d205e8786e33164695834f.zip

diff --git a/nginx-common/conf/includes/hardened_ssl.conf b/nginx-common/conf/includes/hardened_ssl.conf new file mode 100644 index 0000000..0f729c7 --- /dev/null +++ b/nginx-common/conf/includes/hardened_ssl.conf
@@ -0,0 +1,20 @@
		1	ssl_protocols TLSv1.2 TLSv1.3;
		2	ssl_prefer_server_ciphers on;
		3	#ssl_ecdh_curve secp521r1:secp384r1:X25519;
		4
		5	# These are possibly vulnerable to the ROBOT attack (https://robotattack.org)
		6	# but are also important for backwards compatability for a few older, but still
		7	# frequently used, Android variants. The use of ECDHE in these algorithms may
		8	# mitigate the vulnerability but the conservative approach would be to disable
		9	# them.
		10	#
		11	# !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
		12	#
		13	ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
		14
		15	ssl_stapling on;
		16	ssl_stapling_verify on;
		17	resolver 8.8.4.4 8.8.8.8 valid=300s;
		18	resolver_timeout 5s;
		19
		20	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;


diff --git a/nginx-common/conf/includes/internal_ip_allow_only.conf b/nginx-common/conf/includes/internal_ip_allow_only.conf new file mode 100644 index 0000000..0a4e152 --- /dev/null +++ b/nginx-common/conf/includes/internal_ip_allow_only.conf
@@ -0,0 +1,33 @@
		1	# Global V4 Internal Network
		2	allow 172.16.0.0/16;
		3	# FKL1 V4 Internal Network
		4	allow 172.18.0.0/16;
		5	# SEA4 V4 Internal Network
		6	allow 172.19.0.0/16;
		7	# ORD1 V4 Internal Network
		8	allow 172.20.0.0/16;
		9	# Mobile V4 Internal Network
		10	allow 172.21.0.0/16;
		11	# PDX1 V6 Network
		12	allow 2600:1f14:f39:e000::/56;
		13	# CMH1 V6 Network
		14	allow 2600:1f16:33:500::/56;
		15	# LHR1 V6 Network
		16	allow 2a05:d01c:7ba:b800::/56;
		17	# SEA1 Internal V6 Network
		18	allow 2602:0803:4070::/48;
		19	# SEA4 Internal V6 Network
		20	allow 2602:0803:4072::/48;
		21	# SEA4 Remote Access VPN V6 Network
		22	allow 2602:0803:4075::/48;
		23	# ORD1 Internal V6 Network
		24	allow 2602:0803:4073::/48;
		25	# FKL1 Internal V6 Network
		26	allow 2602:0803:4074::/48;
		27	# Wireguard RAS V6 Network
		28	allow 2602:0803:4075::/48;
		29	# Mobile V6 Internal Network
		30	allow 2602:0803:4076::/48;
		31
		32	allow 127.0.0.1;
		33	deny all;


diff --git a/nginx-common/conf/includes/internal_ip_cgit_acl.conf b/nginx-common/conf/includes/internal_ip_cgit_acl.conf new file mode 100644 index 0000000..833d4db --- /dev/null +++ b/nginx-common/conf/includes/internal_ip_cgit_acl.conf
@@ -0,0 +1,30 @@
		1	geo $cgit_config {
		2	default "/srv/code/etc/cgit-public.cfg";
		3
		4	# Global V4 Internal Network
		5	172.16.0.0/16 "/srv/code/etc/cgit-private.cfg";
		6	# FKL1 V4 Internal network
		7	172.18.0.0/16 "/srv/code/etc/cgit-private.cfg";
		8	# SEA4 V4 Internal network
		9	172.19.0.0/16 "/srv/code/etc/cgit-private.cfg";
		10	# ORD1 V4 Internal network
		11	172.20.0.0/16 "/srv/code/etc/cgit-private.cfg";
		12	# Mobile V4 Internal network
		13	172.21.0.0/16 "/srv/code/etc/cgit-private.cfg";
		14	# PDX1 V6 Network
		15	2600:1f14:f39:e000::/56 "/srv/code/etc/cgit-private.cfg";
		16	# CMH1 V6 Network
		17	2600:1f16:33:500::/56 "/srv/code/etc/cgit-private.cfg";
		18	# SEA1 Internal V6 Network
		19	2602:0803:4070::/48 "/srv/code/etc/cgit-private.cfg";
		20	# SEA4 Internal V6 Network
		21	2602:0803:4072::/48 "/srv/code/etc/cgit-private.cfg";
		22	# ORD1 Internal V6 Network
		23	2602:0803:4073::/48 "/srv/code/etc/cgit-private.cfg";
		24	# FKL1 Internal V6 Network
		25	2602:0803:4074::/48 "/srv/code/etc/cgit-private.cfg";
		26	# Wireguard RAS V6 Network
		27	2602:0803:4075::/48 "/srv/code/etc/cgit-private.cfg";
		28	# Mobile V6 Internal Network
		29	2602:0803:4076::/48 "/srv/code/etc/cgit-private.cfg";
		30	}


diff --git a/nginx-common/conf/nginx.conf b/nginx-common/conf/nginx.conf index 6b7a47b..33e2ad9 100644 --- a/nginx-common/conf/nginx.conf +++ b/nginx-common/conf/nginx.conf
@@ -63,46 +63,36 @@ http {
63	#	63	#
64	# !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:	64	# !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
65	#	65	#
66	ssl_ciphers	66	ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
67	'ECDHE-ECDSA-CHACHA20-POLY1305:'
68	'ECDHE-RSA-CHACHA20-POLY1305:'
69	'AES256+EECDH:'
70	'AES256+EDH:'
71	'!DHE-RSA-AES256-SHA256:'
72	'!DHE-RSA-AES256-SHA:'
73	'!aNULL';
74		67
75	ssl_stapling on;	68	ssl_stapling on;
76	ssl_stapling_verify on;	69	ssl_stapling_verify on;
77	resolver 8.8.4.4 8.8.8.8 valid=300s;	70	resolver 8.8.4.4 8.8.8.8 valid=300s;
78	resolver_timeout 5s;	71	resolver_timeout 5s;
79		72
80
81	map $http_host $can_redirect {	73	map $http_host $can_redirect {
82	hostnames;	74	hostnames;
83		75
84	default 0;	76	default 0;
85		77	crute.me 1;
86	crute.me 1;	78	*.crute.me 1;
87	*.crute.me 1;	79	crute.us 1;
88	crute.us 1;	80	*.crute.us 1;
89	*.crute.us 1;	81	*.pomonaconsulting.com 1;
90	*.pomonaconsulting.com 1;	82	pomonaconsulting.com 1;
91	pomonaconsulting.com 1;	83	*.pomonaconsulting.net 1;
92	*.pomonaconsulting.net 1;	84	pomonaconsulting.net 1;
93	pomonaconsulting.net 1;	85	leavenworthsnowmobilerentals.com 1;
94	leavenworthsnowmobilerentals.com 1;
95	*.leavenworthsnowmobilerentals.com 1;	86	*.leavenworthsnowmobilerentals.com 1;
96	lakewenatcheecabins.net 1;	87	lakewenatcheecabins.net 1;
97	*.lakewenatcheecabins.net 1;	88	*.lakewenatcheecabins.net 1;
98	59erdiner.com 1;	89	59erdiner.com 1;
99	*.59erdiner.com 1;	90	*.59erdiner.com 1;
100	as398223.net 1;	91	as398223.net 1;
101	*.as398223.net 1;	92	*.as398223.net 1;
102	frompythonimportpodcast.com 1;	93	frompythonimportpodcast.com 1;
103	*.frompythonimportpodcast.com 1;	94	*.frompythonimportpodcast.com 1;
104	}	95	}
105
106		96
107	server {	97	server {
108	listen *:80 default_server;	98	listen *:80 default_server;
@@ -120,27 +110,24 @@ http {
120	}	110	}
121	}	111	}
122		112
123
124	server {	113	server {
125	listen *:443 ssl http2 default_server;	114	listen *:443 ssl http2 default_server;
126	listen [::]:443 ssl http2 default_server;	115	listen [::]:443 ssl http2 default_server;
127		116
128	access_log /logs/default_https_vhost.log combined_host;	117	access_log /logs/default_https_vhost.log combined_host;
129		118
		119	include includes/hardened_ssl.conf;
130	include includes/hardened_headers.conf;	120	include includes/hardened_headers.conf;
131	include includes/default_csp.conf;	121	include includes/default_csp.conf;
132		122
133	ssl_protocols TLSv1.2 TLSv1.3;	123	ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem;
134	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;	124	ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem;
135	ssl_certificate {{ getSSLCert }};
136	ssl_certificate_key {{ getSSLKey }};
137		125
138	location / {	126	location / {
139	default_type text/plain;	127	default_type text/plain;
140	return 404 "not found";	128	return 404 "not found";
141	}	129	}
142	}	130	}
143
144		131
145	include sites-enabled/*;	132	include sites-enabled/*;
146	}	133	}


diff --git a/nginx-common/conf/nginx.conf.tpl b/nginx-common/conf/nginx.conf.tpl deleted file mode 100644 index 9f4d3ef..0000000 --- a/nginx-common/conf/nginx.conf.tpl +++ /dev/null
@@ -1,130 +0,0 @@
1	# vim:ft=nginx
2
3	user nginx;
4	worker_processes 1;
5
6	error_log /dev/stdout warn;
7	pid /var/run/nginx.pid;
8
9	events {
10	worker_connections 1024;
11	}
12
13	http {
14	include mime.types;
15
16	default_type application/octet-stream;
17
18	log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
19	'"$request" $status $body_bytes_sent '
20	'"$http_referer" "$http_user_agent"';
21
22	access_log /logs/default_server.log combined_host;
23
24	sendfile on;
25	tcp_nopush on;
26	server_tokens off;
27
28	keepalive_timeout 128;
29
30	# Try to avoid buffering requests to disk This is about 4MB
31	client_body_buffer_size 4000k;
32
33	# Try to avoid buffering backend responses to disk This is about 4MB
34	proxy_buffers 1000 4k;
35
36	gzip on;
37	gzip_proxied any;
38	gzip_disable "msie6";
39	gzip_types
40	application/javascript
41	application/rss+xml
42	application/x-javascript
43	application/xhtml+xml
44	application/xml
45	image/svg+xml
46	image/x-icon
47	text/css
48	text/javascript
49	text/plain
50	text/xml;
51
52	ssl_session_cache shared:SSL:10m;
53	ssl_session_timeout 10m;
54	ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
55	ssl_prefer_server_ciphers on;
56	#ssl_ecdh_curve secp521r1:secp384r1:X25519;
57
58	# These are possibly vulnerable to the ROBOT attack
59	# (https://robotattack.org) but are also important for backwards
60	# compatability for a few older, but still frequently used, Android
61	# variants. The use of ECDHE in these algorithms may mitigate the
62	# vulnerability but the conservative approach would be to disable them.
63	#
64	# !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
65	#
66	ssl_ciphers
67	'ECDHE-ECDSA-CHACHA20-POLY1305:'
68	'ECDHE-RSA-CHACHA20-POLY1305:'
69	'AES256+EECDH:'
70	'AES256+EDH:'
71	'!DHE-RSA-AES256-SHA256:'
72	'!DHE-RSA-AES256-SHA:'
73	'!aNULL';
74
75	ssl_stapling on;
76	ssl_stapling_verify on;
77	resolver 8.8.4.4 8.8.8.8 valid=300s;
78	resolver_timeout 5s;
79
80	{{ if .HTTPRedirects }}
81	map $http_host $can_redirect {
82	hostnames;
83
84	default 0;
85
86	{{ range $_, $h := .HTTPRedirects -}}
87	{{ . }} 1;
88	{{ end -}}
89	}
90	{{ end }}
91
92	server {
93	listen *:80 default_server;
94	listen [::]:80 default_server;
95
96	access_log /logs/default_http_vhost.log combined_host;
97
98	location / {
99	{{ if .HTTPRedirects -}}
100	if ($can_redirect) {
101	rewrite (.*) https://$http_host$1 permanent;
102	}
103	{{- end }}
104
105	default_type text/plain;
106	return 404 "not found";
107	}
108	}
109
110	{{ if .DefaultSSLVhost }}
111	server {
112	listen *:443 ssl http2 default_server;
113	listen [::]:443 ssl http2 default_server;
114
115	access_log /logs/default_https_vhost.log combined_host;
116
117	include includes/hardened_headers.conf;
118	include includes/default_csp.conf;
119
120	{{ renderHardenedSSLSlice .DefaultSSLVhost }}
121
122	location / {
123	default_type text/plain;
124	return 404 "not found";
125	}
126	}
127	{{ end }}
128
129	include sites-enabled/*;
130	}


diff --git a/nginx-common/main.go b/nginx-common/main.go index 4b86a38..0b82128 100644 --- a/nginx-common/main.go +++ b/nginx-common/main.go
@@ -83,6 +83,9 @@ func processTemplate(filepath string) {
83	}	83	}
84		84
85	func shouldIncludeFile(filepath string, info os.FileInfo) bool {	85	func shouldIncludeFile(filepath string, info os.FileInfo) bool {
		86	if info == nil {
		87	return false
		88	}
86	return !info.IsDir() && !strings.Contains(filepath, "/.git/") && info.Mode()&os.ModeType == 0	89	return !info.IsDir() && !strings.Contains(filepath, "/.git/") && info.Mode()&os.ModeType == 0
87	}	90	}
88		91