Merge remote-tracking branch 'origin/main' into development
All checks were successful
ShellCheck / Shell syntax checker (push) Successful in 9s
All checks were successful
ShellCheck / Shell syntax checker (push) Successful in 9s
This commit is contained in:
commit
d6a956eba3
GPG Key ID:
EABC72179C71D4F5
@ -6,7 +6,6 @@ server {
|
||||
|
||||
server_name hostname.of.your.server;
|
||||
|
||||
include snippets/hsts.conf;
|
||||
include snippets/quic.conf;
|
||||
include snippets/robots.conf;
|
||||
include snippets/universal_paths.conf;
|
||||
|
||||
@ -1,3 +1,55 @@
|
||||
# Use http2
|
||||
http2 on;
|
||||
|
||||
# Shared TLS configuration
|
||||
|
||||
## Use strong ciphers
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_conf_command Options PrioritizeChaCha;
|
||||
|
||||
# Use strong ciphers for proxies
|
||||
proxy_ssl_verify on;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_session_reuse on;
|
||||
proxy_ssl_protocols TLSv1.2 TLSv1.3;
|
||||
proxy_ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
|
||||
proxy_ssl_conf_command Options PrioritizeChaCha;
|
||||
|
||||
## Configure ssl session cache
|
||||
## Improves performance but we don't wanna keep this forever
|
||||
## Session ticket creation and rotation is handled by GrapheneOS's scripts:
|
||||
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
|
||||
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
|
||||
|
||||
ssl_session_cache shared:SSL:10m; # About 40000 sessions
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_ticket_key session-ticket-keys/4.key;
|
||||
ssl_session_ticket_key session-ticket-keys/3.key;
|
||||
ssl_session_ticket_key session-ticket-keys/2.key;
|
||||
ssl_session_ticket_key session-ticket-keys/1.key;
|
||||
|
||||
## The following settings need to be declared manually per vhost:
|
||||
## ssl_certificate
|
||||
## ssl_certificate_key
|
||||
## ssl_trusted_certificate
|
||||
## ssl_stapling_file
|
||||
|
||||
# Make sure ssl early data is off - replay attack mitigation
|
||||
ssl_early_data off;
|
||||
|
||||
# Set-Cookie
|
||||
proxy_cookie_domain ~ "";
|
||||
proxy_cookie_flags ~ secure;
|
||||
|
||||
# Disable compression
|
||||
## Mitigates oracle attacks
|
||||
gzip off;
|
||||
|
||||
# Disable server tokens
|
||||
server_tokens off;
|
||||
|
||||
server {
|
||||
listen 127.0.0.1:80 default_server;
|
||||
# listen [ipv6_1]:80 default_server;
|
||||
|
||||
@ -1,3 +0,0 @@
|
||||
# This is all it takes to enable http2 globally
|
||||
|
||||
http2 on;
|
||||
@ -1 +0,0 @@
|
||||
server_tokens off;
|
||||
@ -10,7 +10,6 @@ server {
|
||||
ssl_certificate_key /etc/letsencrypt/live/miniflux.yourdomain.tld/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/chain.pem;
|
||||
|
||||
include snippets/hsts.conf;
|
||||
include snippets/security.conf;
|
||||
include snippets/cross-origin-security.conf;
|
||||
include snippets/quic.conf;
|
||||
|
||||
@ -10,7 +10,6 @@ server {
|
||||
ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.tld/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/cloud.yourdomain.tld/chain.pem;
|
||||
|
||||
include snippets/hsts.conf;
|
||||
include snippets/security.conf;
|
||||
include snippets/quic.conf;
|
||||
include snippets/proxy.conf;
|
||||
|
||||
@ -10,14 +10,13 @@ server {
|
||||
ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem;
|
||||
|
||||
include snippets/hsts.conf;
|
||||
include snippets/security.conf;
|
||||
include snippets/cross-origin-security.conf;
|
||||
include snippets/quic.conf;
|
||||
include snippets/proxy.conf;
|
||||
proxy_hide_header Content-Security-Policy;
|
||||
include snippets/universal_paths.conf;
|
||||
|
||||
proxy_hide_header Content-Security-Policy;
|
||||
add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; img-src 'self' data:; frame-src 'self'; manifest-src 'self'; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'none'; frame-ancestors 'self'; upgrade-insecure-requests";
|
||||
|
||||
location / {
|
||||
|
||||
@ -10,7 +10,6 @@ server {
|
||||
ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.tld/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/vault.yourdomain.tld/chain.pem;
|
||||
|
||||
include snippets/hsts.conf;
|
||||
include snippets/security.conf;
|
||||
include snippets/cross-origin-security.conf;
|
||||
include snippets/quic.conf;
|
||||
|
||||
@ -1,26 +0,0 @@
|
||||
# Shared TLS configuration
|
||||
|
||||
## Use strong ciphers
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_conf_command Options PrioritizeChaCha;
|
||||
|
||||
## Configure ssl session cache
|
||||
## Improves performance but we don't wanna keep this forever
|
||||
## Session ticket creation and rotation is handled by GrapheneOS's scripts:
|
||||
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
|
||||
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
|
||||
|
||||
ssl_session_cache shared:SSL:10m; # About 40000 sessions
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_ticket_key session-ticket-keys/4.key;
|
||||
ssl_session_ticket_key session-ticket-keys/3.key;
|
||||
ssl_session_ticket_key session-ticket-keys/2.key;
|
||||
ssl_session_ticket_key session-ticket-keys/1.key;
|
||||
|
||||
## The following settings need to be declared manually per vhost:
|
||||
# ssl_certificate
|
||||
# ssl_certificate_key
|
||||
# ssl_trusted_certificate
|
||||
# ssl_stapling_file
|
||||
@ -7,5 +7,7 @@ add_header Cross-Origin-Resource-Policy "same-origin" always;
|
||||
proxy_hide_header Cross-Origin-Opener-Policy;
|
||||
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
||||
|
||||
# Change COEP to "credentialless" when supported by Safari
|
||||
# https://developer.mozilla.org/en-US/docs/Web/API/Window/credentialless
|
||||
proxy_hide_header Cross-Origin-Embedder-Policy;
|
||||
add_header Cross-Origin-Embedder-Policy "require-corp" always;
|
||||
@ -1,5 +0,0 @@
|
||||
# Enable HSTS header
|
||||
# Only add this to server blocks with TLS
|
||||
|
||||
proxy_hide_header Strict-Transport-Security;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
@ -4,17 +4,12 @@
|
||||
# Force http 1.1, anything not supporting it shouldn't be used
|
||||
proxy_http_version 1.1;
|
||||
|
||||
# Replay attack mitigation for early data
|
||||
# Signal to upstream whether ssl_early_data is used
|
||||
proxy_set_header Early-Data $ssl_early_data;
|
||||
|
||||
# Restore visitor IP
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
# Restore original method & URL
|
||||
proxy_set_header X-Original-Method $request_method;
|
||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
|
||||
# Forward host header
|
||||
proxy_set_header Host $host;
|
||||
|
||||
@ -23,7 +18,13 @@ proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
||||
# Enable X-Forwarded headers
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
## Using $proxy_add_x_forwarded_for will append the $remote_addr to the end of the the IP lists
|
||||
## If some clients sends a fake X-Forwarded-For, and the upstream server does not parses this
|
||||
## correctly, it could result in security issues.
|
||||
## We are not behind a reverse proxy, so just set it to $remote_addr should be good enough.
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
@ -31,3 +32,14 @@ proxy_set_header X-Forwarded-Port $server_port;
|
||||
|
||||
# Hide X-Powered-By
|
||||
proxy_hide_header X-Powered-By;
|
||||
|
||||
# CVE-2018-14773
|
||||
proxy_set_header X-Original-URL "";
|
||||
proxy_set_header X-Rewrite-URL "";
|
||||
|
||||
# Not the CVE, but is extremely similar
|
||||
proxy_set_header X-Original-URI "";
|
||||
|
||||
# Potentially dangerous: https://github.com/oauth2-proxy/oauth2-proxy/issues/735
|
||||
proxy_set_header X-Original-Method "";
|
||||
proxy_set_header X-Forwarded-Method "";
|
||||
|
||||
@ -1,22 +1,31 @@
|
||||
# Global security headers - apply everywhere
|
||||
|
||||
proxy_hide_header Strict-Transport-Security;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
|
||||
# We do not set clipboard-write() here, because it is very commonly used
|
||||
proxy_hide_header Strict-Transport-Security;
|
||||
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-create=self, publickey-credentials-get=self, screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
|
||||
|
||||
# Access-Control-Max-Age
|
||||
proxy_hide_header Access-Control-Max-Age;
|
||||
add_header Access-Control-Max-Age "600";
|
||||
|
||||
proxy_hide_header Permissions-Policy;
|
||||
add_header Referrer-Policy "same-origin" always;
|
||||
|
||||
proxy_hide_header X-Content-Type-Options;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
|
||||
proxy_hide_header X-Frame-Options;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
|
||||
proxy_hide_header X-Permitted-Cross-Domain-Policies;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
|
||||
# Obsolete and replaced by Content-Security-Policy frame-ancestors
|
||||
# Setting the less restrictive SAMEORIGIN here, as frame-ancestors 'none' will overwrite it anyways
|
||||
proxy_hide_header X-Frame-Options;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
|
||||
# Obsolete and replaced by Content-Security-Policy
|
||||
# Only here to pass Hardenize checks
|
||||
proxy_hide_header X-XSS-Protection;
|
||||
add_header X-XSS-Protection "0" always;
|
||||
add_header X-XSS-Protection "0" always;
|
||||
10
setup.sh
10
setup.sh
@ -68,9 +68,9 @@ fi
|
||||
sudo semanage fcontext -a -t httpd_sys_content_t "$(realpath /srv/nginx)(/.*)?"
|
||||
sudo mkdir -p /srv/nginx/.well-known/acme-challenge
|
||||
sudo chmod -R 755 /srv/nginx
|
||||
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/ads.txt | sudo tee /srv/nginx/ads.txt > /dev/null
|
||||
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/app-ads.txt | sudo tee /srv/nginx/app-ads.txt > /dev/null
|
||||
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/robots.txt | sudo tee /srv/nginx/robots.txt > /dev/null
|
||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/srv/nginx/ads.txt | sudo tee /srv/nginx/ads.txt > /dev/null
|
||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/srv/nginx/app-ads.txt | sudo tee /srv/nginx/app-ads.txt > /dev/null
|
||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/srv/nginx/robots.txt | sudo tee /srv/nginx/robots.txt > /dev/null
|
||||
sudo chmod 644 /srv/nginx/ads.txt /srv/nginx/app-ads.txt /srv/nginx/robots.txt
|
||||
sudo restorecon -Rv "$(realpath /srv/nginx)"
|
||||
|
||||
@ -122,13 +122,9 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
|
||||
|
||||
# Download NGINX configs
|
||||
|
||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf > /dev/null
|
||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/server_tokens.conf | sudo tee /etc/nginx/conf.d/server_tokens.conf > /dev/null
|
||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/default.conf | sudo tee /etc/nginx/conf.d/default.conf > /dev/null
|
||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf > /dev/null
|
||||
|
||||
sudo mkdir -p /etc/nginx/snippets
|
||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null
|
||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null
|
||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf > /dev/null
|
||||
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null
|
||||
|
||||
@ -8,10 +8,9 @@ Disallow: /
|
||||
Allow: /ads.txt
|
||||
Allow: /app-ads.txt
|
||||
|
||||
User-agent: peer39_crawler
|
||||
User-agent: peer39_crawler/1.0
|
||||
User-agent: TurnitinBot
|
||||
User-agent: NPBot
|
||||
User-agent: AcademicBotRTU
|
||||
User-agent: SlySearch
|
||||
User-agent: BLEXBot
|
||||
User-agent: CheckMarkNetwork/1.0 (+https://www.checkmarknetwork.com/spider.html)
|
||||
@ -24,6 +23,7 @@ User-agent: MJ12bot
|
||||
User-agent: AI2Bot
|
||||
User-agent: Ai2Bot-Dolma
|
||||
User-agent: Amazonbot
|
||||
User-agent: anthropic-ai
|
||||
User-agent: Applebot
|
||||
User-agent: Applebot-Extended
|
||||
User-agent: Bytespider
|
||||
@ -31,34 +31,38 @@ User-agent: CCBot
|
||||
User-agent: ChatGPT-User
|
||||
User-agent: Claude-Web
|
||||
User-agent: ClaudeBot
|
||||
User-agent: cohere-ai
|
||||
User-agent: cohere-training-data-crawler
|
||||
User-agent: Crawlspace
|
||||
User-agent: Diffbot
|
||||
User-agent: DuckAssistBot
|
||||
User-agent: FacebookBot
|
||||
User-agent: FriendlyCrawler
|
||||
User-agent: GPTBot
|
||||
User-agent: Google-Extended
|
||||
User-agent: GoogleOther
|
||||
User-agent: GoogleOther-Image
|
||||
User-agent: GoogleOther-Video
|
||||
User-agent: GPTBot
|
||||
User-agent: iaskspider/2.0
|
||||
User-agent: ICC-Crawler
|
||||
User-agent: ISSCyberRiskCrawler
|
||||
User-agent: ImagesiftBot
|
||||
User-agent: img2dataset
|
||||
User-agent: ISSCyberRiskCrawler
|
||||
User-agent: Kangaroo Bot
|
||||
User-agent: Meta-ExternalAgent
|
||||
User-agent: Meta-ExternalFetcher
|
||||
User-agent: OAI-SearchBot
|
||||
User-agent: omgili
|
||||
User-agent: omgilibot
|
||||
User-agent: PanguBot
|
||||
User-agent: PerplexityBot
|
||||
User-agent: PetalBot
|
||||
User-agent: Scrapy
|
||||
User-agent: SemrushBot-OCOB
|
||||
User-agent: SemrushBot-SWA
|
||||
User-agent: Sidetrade indexer bot
|
||||
User-agent: Timpibot
|
||||
User-agent: VelenPublicWebCrawler
|
||||
User-agent: Webzio-Extended
|
||||
User-agent: YouBot
|
||||
User-agent: anthropic-ai
|
||||
User-agent: cohere-ai
|
||||
User-agent: facebookexternalhit
|
||||
User-agent: iaskspider/2.0
|
||||
User-agent: img2dataset
|
||||
User-agent: omgili
|
||||
User-agent: omgilibot
|
||||
Disallow: /
|
||||
Loading…
x
Reference in New Issue
Block a user