diff --git a/etc/nginx/conf.d/default-quic.conf b/etc/nginx/conf.d/default-quic.conf
index 132ddd3..8204c03 100644
--- a/etc/nginx/conf.d/default-quic.conf
+++ b/etc/nginx/conf.d/default-quic.conf
@@ -6,6 +6,7 @@ server {
 
 server_name hostname.of.your.server;
 
+ include snippets/hsts.conf;
 include snippets/quic.conf;
 include snippets/robots.conf;
 include snippets/universal_paths.conf;
diff --git a/etc/nginx/conf.d/sites_miniflux.conf b/etc/nginx/conf.d/sites_miniflux.conf
index d3e4b28..285580d 100644
--- a/etc/nginx/conf.d/sites_miniflux.conf
+++ b/etc/nginx/conf.d/sites_miniflux.conf
@@ -10,6 +10,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/miniflux.yourdomain.tld/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/chain.pem;
 
+ include snippets/hsts.conf;
 include snippets/security.conf;
 include snippets/cross-origin-security.conf;
 include snippets/quic.conf;
diff --git a/etc/nginx/conf.d/sites_nextcloud.conf b/etc/nginx/conf.d/sites_nextcloud.conf
index e447aad..7256189 100644
--- a/etc/nginx/conf.d/sites_nextcloud.conf
+++ b/etc/nginx/conf.d/sites_nextcloud.conf
@@ -10,6 +10,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.tld/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/cloud.yourdomain.tld/chain.pem;
 
+ include snippets/hsts.conf;
 include snippets/security.conf;
 include snippets/quic.conf;
 include snippets/proxy.conf;
diff --git a/etc/nginx/conf.d/sites_uptime-kuma.conf b/etc/nginx/conf.d/sites_uptime-kuma.conf
index 7b68172..741cb11 100644
--- a/etc/nginx/conf.d/sites_uptime-kuma.conf
+++ b/etc/nginx/conf.d/sites_uptime-kuma.conf
@@ -10,6 +10,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem;
 
+ include snippets/hsts.conf;
 include snippets/security.conf;
 include snippets/cross-origin-security.conf;
 include snippets/quic.conf;
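Review bot: `include snippets/hsts.conf;` is added at server level, and nginx's `add_header` is inherited into a `location` only when that location declares no `add_header` of its own, so any location in this server block that sets its own headers would silently drop Strict-Transport-Security on that path. The other includes here (`quic.conf`, `robots.conf`, `universal_paths.conf`, and `proxy.conf` in the sites_nextcloud hunk) are outside this diff, so I cannot tell whether they define such locations; it is worth checking each served path with `curl -sI https://<host>/<path>` after deploy, or adding a comment beside the include such as `# add_header is not inherited by locations that set their own headers; re-include hsts.conf in those`. The same point applies to the sites_miniflux, sites_nextcloud and sites_uptime-kuma hunks on this line. The enclosing server block starts before and ends after each hunk.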
diff --git a/etc/nginx/conf.d/sites_vaultwarden.conf b/etc/nginx/conf.d/sites_vaultwarden.conf
index c734b8b..cd7b078 100644
--- a/etc/nginx/conf.d/sites_vaultwarden.conf
+++ b/etc/nginx/conf.d/sites_vaultwarden.conf
@@ -10,6 +10,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.tld/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/vault.yourdomain.tld/chain.pem;
 
+ include snippets/hsts.conf;
 include snippets/security.conf;
 include snippets/cross-origin-security.conf;
 include snippets/quic.conf;
diff --git a/etc/nginx/snippets/hsts.conf b/etc/nginx/snippets/hsts.conf
new file mode 100644
index 0000000..42edd6f
--- /dev/null
+++ b/etc/nginx/snippets/hsts.conf
@@ -0,0 +1,4 @@
+# Enable HSTS header
+# Only add this to server blocks with TLS
+proxy_hide_header Strict-Transport-Security;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
\ No newline at end of file
diff --git a/setup.sh b/setup.sh
index 06d0b55..9f3b46c 100644
--- a/setup.sh
+++ b/setup.sh
@@ -125,6 +125,7 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/default.conf | sudo tee /etc/nginx/conf.d/default.conf > /dev/null
 
 sudo mkdir -p /etc/nginx/snippets
+unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null
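Review bot: The `preload` token together with `includeSubDomains` on the `add_header Strict-Transport-Security` line commits every subdomain of the served name to HTTPS-only for a year and, once the zone is submitted to the browser preload lists, cannot be backed out for months; since this snippet is now included unconditionally in every server block, including default-quic.conf's `hostname.of.your.server`, any host or subdomain of those zones that still answers plain HTTP will break in clients that have seen the header. The two-line comment "Only add this to server blocks with TLS" does not warn about that, so I would either drop `preload` from the default or extend the header comment along the lines of `# "preload" is only safe once every subdomain of this zone serves HTTPS and the zone has been submitted at hstspreload.org; remove it otherwise`. Minor: the file ends without a trailing newline (`\ No newline at end of file`), which some tooling flags.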
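Review bot: The added `unpriv curl -s … | sudo tee /etc/nginx/snippets/hsts.conf` line, like its neighbours, passes `-s` without `-f`/`--fail`, so if GitHub answers with a 404 or error page the HTML body is written into the snippet as root and the failure only surfaces when nginx refuses to load its config; `-s` also hides curl's own error message, and unless the script sets `pipefail` somewhere outside this hunk the pipeline's exit status is that of `tee`, not the download. I would write it as `unpriv curl -fsS --proto '=https' --tlsv1.2 https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null`. Fetching from the moving `main` branch also means the installed snippet is whatever that branch holds at run time rather than what was reviewed; pinning the URL to a commit SHA would make the install reproducible. The surrounding script continues outside this hunk.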