From 245cf4f44375a7ae2a51d7412a94f46acad2c648 Mon Sep 17 00:00:00 2001
From: Mike Crute
Date: Sat, 3 Dec 2022 15:55:51 -0800
Subject: nginx-common: update config
---
 nginx-common/conf/conf.d/default_hosts.conf.tpl | 63 ---------
 nginx-common/conf/includes/hardened_ssl.conf | 20 ---
 .../conf/includes/internal_ip_allow_only.conf | 33 -----
 .../conf/includes/internal_ip_cgit_acl.conf | 30 ----
 nginx-common/conf/includes/public_key_pin.conf | 4 -
 nginx-common/conf/includes/star_crute_me_ssl.conf | 2 -
 .../includes/star_pomonaconsulting_com_ssl.conf | 2 -
 .../conf/includes/star_sea1_crute_me_ssl.conf | 2 -
 nginx-common/conf/nginx.conf | 152 +++++++++++++++++----
 nginx-common/conf/nginx.conf.tpl | 130 ++++++++++++++++++
 10 files changed, 256 insertions(+), 182 deletions(-)
 delete mode 100644 nginx-common/conf/conf.d/default_hosts.conf.tpl
 delete mode 100644 nginx-common/conf/includes/hardened_ssl.conf
 delete mode 100644 nginx-common/conf/includes/internal_ip_allow_only.conf
 delete mode 100644 nginx-common/conf/includes/internal_ip_cgit_acl.conf
 delete mode 100644 nginx-common/conf/includes/public_key_pin.conf
 delete mode 100644 nginx-common/conf/includes/star_crute_me_ssl.conf
 delete mode 100644 nginx-common/conf/includes/star_pomonaconsulting_com_ssl.conf
 delete mode 100644 nginx-common/conf/includes/star_sea1_crute_me_ssl.conf
 create mode 100644 nginx-common/conf/nginx.conf.tpl
diff --git a/nginx-common/conf/conf.d/default_hosts.conf.tpl b/nginx-common/conf/conf.d/default_hosts.conf.tpl
deleted file mode 100644
index 7eea7bf..0000000
--- a/nginx-common/conf/conf.d/default_hosts.conf.tpl
+++ /dev/null
@@ -1,63 +0,0 @@
-map $http_host $can_redirect {
- hostnames;
-
- default 0;
- crute.me 1;
- *.crute.me 1;
- crute.us 1;
- *.crute.us 1;
- *.pomonaconsulting.com 1;
- pomonaconsulting.com 1;
- *.pomonaconsulting.net 1;
- pomonaconsulting.net 1;
- leavenworthsnowmobilerentals.com 1;
- *.leavenworthsnowmobilerentals.com 1;
- lakewenatcheecabins.net 1;
- *.lakewenatcheecabins.net 1;
- 59erdiner.com 1;
- *.59erdiner.com 1;
- as398223.net 1;
- *.as398223.net 1;
- frompythonimportpodcast.com 1;
- *.frompythonimportpodcast.com 1;
-}
-
-server {
- listen *:80 default_server;
- listen [::]:80 default_server;
-
- access_log /logs/default_http_vhost.log combined_host;
-
- location / {
- if ($can_redirect) {
- rewrite (.*) https://$http_host$1 permanent;
- }
-
- default_type text/plain;
- return 404 "not found";
- }
-}
-
-{{ if ne (.Get "NGINX_PP_DISABLE_SSL_DEFAULT") "true" }}
-server {
- listen *:443 ssl http2 default_server;
- listen [::]:443 ssl http2 default_server;
-
- access_log /logs/default_https_vhost.log combined_host;
-
- include includes/hardened_ssl.conf;
- include includes/hardened_headers.conf;
- include includes/default_csp.conf;
-
- {{ if ne (.Get "NGINX_PP_DEFAULT_SSL_FILE") "" }}
- include includes/{{ .Get "NGINX_PP_DEFAULT_SSL_FILE" }}.conf;
- {{ else }}
- include includes/star_crute_me_ssl.conf;
- {{ end }}
-
- location / {
- default_type text/plain;
- return 404 "not found";
- }
-}
-{{ end }}
diff --git a/nginx-common/conf/includes/hardened_ssl.conf b/nginx-common/conf/includes/hardened_ssl.conf
deleted file mode 100644
index 0f729c7..0000000
--- a/nginx-common/conf/includes/hardened_ssl.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_prefer_server_ciphers on;
-#ssl_ecdh_curve secp521r1:secp384r1:X25519;
-
-# These are possibly vulnerable to the ROBOT attack (https://robotattack.org)
-# but are also important for backwards compatability for a few older, but still
-# frequently used, Android variants. The use of ECDHE in these algorithms may
-# mitigate the vulnerability but the conservative approach would be to disable
-# them.
-#
-# !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
-#
-ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
-
-ssl_stapling on;
-ssl_stapling_verify on;
-resolver 8.8.4.4 8.8.8.8 valid=300s;
-resolver_timeout 5s;
-
-add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
diff --git a/nginx-common/conf/includes/internal_ip_allow_only.conf b/nginx-common/conf/includes/internal_ip_allow_only.conf
deleted file mode 100644
index 0a4e152..0000000
--- a/nginx-common/conf/includes/internal_ip_allow_only.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Global V4 Internal Network
-allow 172.16.0.0/16;
-# FKL1 V4 Internal Network
-allow 172.18.0.0/16;
-# SEA4 V4 Internal Network
-allow 172.19.0.0/16;
-# ORD1 V4 Internal Network
-allow 172.20.0.0/16;
-# Mobile V4 Internal Network
-allow 172.21.0.0/16;
-# PDX1 V6 Network
-allow 2600:1f14:f39:e000::/56;
-# CMH1 V6 Network
-allow 2600:1f16:33:500::/56;
-# LHR1 V6 Network
-allow 2a05:d01c:7ba:b800::/56;
-# SEA1 Internal V6 Network
-allow 2602:0803:4070::/48;
-# SEA4 Internal V6 Network
-allow 2602:0803:4072::/48;
-# SEA4 Remote Access VPN V6 Network
-allow 2602:0803:4075::/48;
-# ORD1 Internal V6 Network
-allow 2602:0803:4073::/48;
-# FKL1 Internal V6 Network
-allow 2602:0803:4074::/48;
-# Wireguard RAS V6 Network
-allow 2602:0803:4075::/48;
-# Mobile V6 Internal Network
-allow 2602:0803:4076::/48;
-
-allow 127.0.0.1;
-deny all;
diff --git a/nginx-common/conf/includes/internal_ip_cgit_acl.conf b/nginx-common/conf/includes/internal_ip_cgit_acl.conf
deleted file mode 100644
index 833d4db..0000000
--- a/nginx-common/conf/includes/internal_ip_cgit_acl.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-geo $cgit_config {
- default "/srv/code/etc/cgit-public.cfg";
-
- # Global V4 Internal Network
- 172.16.0.0/16 "/srv/code/etc/cgit-private.cfg";
- # FKL1 V4 Internal network
- 172.18.0.0/16 "/srv/code/etc/cgit-private.cfg";
- # SEA4 V4 Internal network
- 172.19.0.0/16 "/srv/code/etc/cgit-private.cfg";
- # ORD1 V4 Internal network
- 172.20.0.0/16 "/srv/code/etc/cgit-private.cfg";
- # Mobile V4 Internal network
- 172.21.0.0/16 "/srv/code/etc/cgit-private.cfg";
- # PDX1 V6 Network
- 2600:1f14:f39:e000::/56 "/srv/code/etc/cgit-private.cfg";
- # CMH1 V6 Network
- 2600:1f16:33:500::/56 "/srv/code/etc/cgit-private.cfg";
- # SEA1 Internal V6 Network
- 2602:0803:4070::/48 "/srv/code/etc/cgit-private.cfg";
- # SEA4 Internal V6 Network
- 2602:0803:4072::/48 "/srv/code/etc/cgit-private.cfg";
- # ORD1 Internal V6 Network
- 2602:0803:4073::/48 "/srv/code/etc/cgit-private.cfg";
- # FKL1 Internal V6 Network
- 2602:0803:4074::/48 "/srv/code/etc/cgit-private.cfg";
- # Wireguard RAS V6 Network
- 2602:0803:4075::/48 "/srv/code/etc/cgit-private.cfg";
- # Mobile V6 Internal Network
- 2602:0803:4076::/48 "/srv/code/etc/cgit-private.cfg";
-}
diff --git a/nginx-common/conf/includes/public_key_pin.conf b/nginx-common/conf/includes/public_key_pin.conf
deleted file mode 100644
index 80e0e83..0000000
--- a/nginx-common/conf/includes/public_key_pin.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# This is not used because it's too risky in the case of CA changes
-#
-# openssl x509 -in le2 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
-add_header Public-Key-Pins 'pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=0; includeSubDomains' always;
diff --git a/nginx-common/conf/includes/star_crute_me_ssl.conf b/nginx-common/conf/includes/star_crute_me_ssl.conf
deleted file mode 100644
index 536e8d0..0000000
--- a/nginx-common/conf/includes/star_crute_me_ssl.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem;
-ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem;
diff --git a/nginx-common/conf/includes/star_pomonaconsulting_com_ssl.conf b/nginx-common/conf/includes/star_pomonaconsulting_com_ssl.conf
deleted file mode 100644
index d14c833..0000000
--- a/nginx-common/conf/includes/star_pomonaconsulting_com_ssl.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-ssl_certificate /srv/nginx-conf/ssl/letsencrypt_pomonaconsulting_com.pem;
-ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_pomonaconsulting_com_key.pem;
diff --git a/nginx-common/conf/includes/star_sea1_crute_me_ssl.conf b/nginx-common/conf/includes/star_sea1_crute_me_ssl.conf
deleted file mode 100644
index af0a3a4..0000000
--- a/nginx-common/conf/includes/star_sea1_crute_me_ssl.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-ssl_certificate /srv/nginx-conf/ssl/letsencrypt_sea1_crute_me.pem;
-ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_sea1_crute_me_key.pem;
diff --git a/nginx-common/conf/nginx.conf b/nginx-common/conf/nginx.conf
index c04990a..6b7a47b 100644
--- a/nginx-common/conf/nginx.conf
+++ b/nginx-common/conf/nginx.conf
@@ -1,3 +1,5 @@
+# vim:ft=nginx
+
 user nginx;
 worker_processes 1;
@@ -5,42 +7,140 @@ error_log /dev/stdout warn;
 pid /var/run/nginx.pid;
 events {
- worker_connections 1024;
+ worker_connections 1024;
 }
 http {
- include mime.types;
- default_type application/octet-stream;
+ include mime.types;
+
+ default_type application/octet-stream;
+
+ log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
+ access_log /logs/default_server.log combined_host;
+
+ sendfile on;
+ tcp_nopush on;
+ server_tokens off;
+
+ keepalive_timeout 128;
+
+ # Try to avoid buffering requests to disk This is about 4MB
+ client_body_buffer_size 4000k;
+
+ # Try to avoid buffering backend responses to disk This is about 4MB
+ proxy_buffers 1000 4k;
+
+ gzip on;
+ gzip_proxied any;
+ gzip_disable "msie6";
+ gzip_types
+ application/javascript
+ application/rss+xml
+ application/x-javascript
+ application/xhtml+xml
+ application/xml
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/javascript
+ text/plain
+ text/xml;
+
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
+ ssl_prefer_server_ciphers on;
+ #ssl_ecdh_curve secp521r1:secp384r1:X25519;
+
+ # These are possibly vulnerable to the ROBOT attack
+ # (https://robotattack.org) but are also important for backwards
+ # compatability for a few older, but still frequently used, Android
+ # variants. The use of ECDHE in these algorithms may mitigate the
+ # vulnerability but the conservative approach would be to disable them.
+ #
+ # !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
+ #
+ ssl_ciphers
+ 'ECDHE-ECDSA-CHACHA20-POLY1305:'
+ 'ECDHE-RSA-CHACHA20-POLY1305:'
+ 'AES256+EECDH:'
+ 'AES256+EDH:'
+ '!DHE-RSA-AES256-SHA256:'
+ '!DHE-RSA-AES256-SHA:'
+ '!aNULL';
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 8.8.4.4 8.8.8.8 valid=300s;
+ resolver_timeout 5s;
+
+
+ map $http_host $can_redirect {
+ hostnames;
+
+ default 0;
+
+ crute.me 1;
+ *.crute.me 1;
+ crute.us 1;
+ *.crute.us 1;
+ *.pomonaconsulting.com 1;
+ pomonaconsulting.com 1;
+ *.pomonaconsulting.net 1;
+ pomonaconsulting.net 1;
+ leavenworthsnowmobilerentals.com 1;
+ *.leavenworthsnowmobilerentals.com 1;
+ lakewenatcheecabins.net 1;
+ *.lakewenatcheecabins.net 1;
+ 59erdiner.com 1;
+ *.59erdiner.com 1;
+ as398223.net 1;
+ *.as398223.net 1;
+ frompythonimportpodcast.com 1;
+ *.frompythonimportpodcast.com 1;
+ }
+
+
+ server {
+ listen *:80 default_server;
+ listen [::]:80 default_server;
- log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
- '"$request" $status $body_bytes_sent '
- '"$http_referer" "$http_user_agent"';
+ access_log /logs/default_http_vhost.log combined_host;
- access_log /logs/default_server.log combined_host;
+ location / {
+ if ($can_redirect) {
+ rewrite (.*) https://$http_host$1 permanent;
+ }
- sendfile on;
- tcp_nopush on;
- server_tokens off;
+ default_type text/plain;
+ return 404 "not found";
+ }
+ }
- keepalive_timeout 128;
+
+ server {
+ listen *:443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
- # Try to avoid buffering requests to disk
- # This is about 4MB
- client_body_buffer_size 4000k;
+ access_log /logs/default_https_vhost.log combined_host;
- # Try to avoid buffering backend responses to disk
- # This is about 4MB
- proxy_buffers 1000 4k;
+ include includes/hardened_headers.conf;
+ include includes/default_csp.conf;
- gzip on;
- gzip_proxied any;
- gzip_disable "msie6";
- gzip_types application/javascript application/rss+xml
application/x-javascript application/xhtml+xml application/xml image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+ ssl_certificate {{ getSSLCert }};
+ ssl_certificate_key {{ getSSLKey }};
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
+ location / {
+ default_type text/plain;
+ return 404 "not found";
+ }
+ }
+
- include conf.d/*.conf;
- include sites-enabled/*;
+ include sites-enabled/*;
 }
diff --git a/nginx-common/conf/nginx.conf.tpl b/nginx-common/conf/nginx.conf.tpl
new file mode 100644
index 0000000..9f4d3ef
--- /dev/null
+++ b/nginx-common/conf/nginx.conf.tpl
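Review bot: `ssl_protocols TLSv1.2 TLSv1.3;` is set only inside the default `listen 443` server block of this hunk, while the other settings carried over from the deleted includes/hardened_ssl.conf (`ssl_prefer_server_ciphers`, `ssl_ciphers`, stapling, resolver) landed in the `http` context, so any `sites-enabled/*` vhost that used to `include includes/hardened_ssl.conf` now gets no protocol list at all and falls back to the nginx build default, which on older releases still enables TLSv1 and TLSv1.1. Placing `ssl_protocols TLSv1.2 TLSv1.3;` next to `ssl_prefer_server_ciphers on;` at `http` level gives every vhost the same floor and leaves the per-server line harmless; the same applies to nginx.conf.tpl in the next hunk, where `renderHardenedSSLSlice` presumably emits it per server. Separately, `ssl_certificate {{ getSSLCert }};` and `ssl_certificate_key {{ getSSLKey }};` are template expressions sitting in nginx.conf rather than in nginx.conf.tpl; if this file is what nginx loads directly instead of the input to a second render pass, `nginx -t` will reject those two lines, and a one-line header comment stating which of the two files is the rendered artifact would settle that for the next reader. The merged comment `# Try to avoid buffering requests to disk This is about 4MB` (and the proxy_buffers one) lost its sentence break and reads better as `# Try to avoid buffering requests to disk; this is about 4MB`.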
@@ -0,0 +1,130 @@
+# vim:ft=nginx
+
+user nginx;
+worker_processes 1;
+
+error_log /dev/stdout warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+
+ default_type application/octet-stream;
+
+ log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
+ access_log /logs/default_server.log combined_host;
+
+ sendfile on;
+ tcp_nopush on;
+ server_tokens off;
+
+ keepalive_timeout 128;
+
+ # Try to avoid buffering requests to disk This is about 4MB
+ client_body_buffer_size 4000k;
+
+ # Try to avoid buffering backend responses to disk This is about 4MB
+ proxy_buffers 1000 4k;
+
+ gzip on;
+ gzip_proxied any;
+ gzip_disable "msie6";
+ gzip_types
+ application/javascript
+ application/rss+xml
+ application/x-javascript
+ application/xhtml+xml
+ application/xml
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/javascript
+ text/plain
+ text/xml;
+
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
+ ssl_prefer_server_ciphers on;
+ #ssl_ecdh_curve secp521r1:secp384r1:X25519;
+
+ # These are possibly vulnerable to the ROBOT attack
+ # (https://robotattack.org) but are also important for backwards
+ # compatability for a few older, but still frequently used, Android
+ # variants. The use of ECDHE in these algorithms may mitigate the
+ # vulnerability but the conservative approach would be to disable them.
+ #
+ # !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
+ #
+ ssl_ciphers
+ 'ECDHE-ECDSA-CHACHA20-POLY1305:'
+ 'ECDHE-RSA-CHACHA20-POLY1305:'
+ 'AES256+EECDH:'
+ 'AES256+EDH:'
+ '!DHE-RSA-AES256-SHA256:'
+ '!DHE-RSA-AES256-SHA:'
+ '!aNULL';
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 8.8.4.4 8.8.8.8 valid=300s;
+ resolver_timeout 5s;
+
+ {{ if .HTTPRedirects }}
+ map $http_host $can_redirect {
+ hostnames;
+
+ default 0;
+
+ {{ range $_, $h := .HTTPRedirects -}}
+ {{ . }} 1;
+ {{ end -}}
+ }
+ {{ end }}
+
+ server {
+ listen *:80 default_server;
+ listen [::]:80 default_server;
+
+ access_log /logs/default_http_vhost.log combined_host;
+
+ location / {
+ {{ if .HTTPRedirects -}}
+ if ($can_redirect) {
+ rewrite (.*) https://$http_host$1 permanent;
+ }
+ {{- end }}
+
+ default_type text/plain;
+ return 404 "not found";
+ }
+ }
+
+ {{ if .DefaultSSLVhost }}
+ server {
+ listen *:443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+
+ access_log /logs/default_https_vhost.log combined_host;
+
+ include includes/hardened_headers.conf;
+ include includes/default_csp.conf;
+
+ {{ renderHardenedSSLSlice .DefaultSSLVhost }}
+
+ location / {
+ default_type text/plain;
+ return 404 "not found";
+ }
+ }
+ {{ end }}
+
+ include sites-enabled/*;
+}
-- 
cgit v1.2.3
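Review bot: The `range` that builds the `$can_redirect` map, `{{ range $_, $h := .HTTPRedirects -}}`, declares `$h` but the body prints `{{ . }}`; inside a range both name the same element, so the output is right, but the unused variable reads as though the wrong one were printed. Either `{{ range .HTTPRedirects -}}` with `{{ . }} 1;` or keeping `$h` and writing `{{ $h }} 1;` says what is meant. Each element is emitted into the map unquoted, so a value carrying whitespace or `;` would alter the structure of the rendered config rather than just one map entry; a short comment on the `.HTTPRedirects` field where it is populated, noting that entries must be bare hostnames or `*.` wildcards as the `hostnames;` directive expects, would make that contract explicit, though the type definition is not visible from this hunk. `renderHardenedSSLSlice` is also opaque here; a one-line comment above `{{ renderHardenedSSLSlice .DefaultSSLVhost }}` listing the directives it emits (protocols, HSTS header, certificate paths, judging by the rendered nginx.conf in the previous hunk) would save the next reader a trip to the renderer.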