From c809ef29b2ddb9fcaea342457dd513ec42b80e43 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 06:15:48 -0700 Subject: [PATCH 01/24] Block dangerous X headers --- etc/nginx/snippets/proxy.conf | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/etc/nginx/snippets/proxy.conf b/etc/nginx/snippets/proxy.conf index 1dc108b..2ea7ce3 100644 --- a/etc/nginx/snippets/proxy.conf +++ b/etc/nginx/snippets/proxy.conf @@ -10,11 +10,6 @@ proxy_set_header Early-Data $ssl_early_data; # Restore visitor IP proxy_set_header X-Real-IP $remote_addr; -# Restore original method & URL -proxy_set_header X-Original-Method $request_method; -proxy_set_header X-Original-URL $scheme://$http_host$request_uri; -proxy_set_header X-Original-URI $request_uri; - # Forward host header proxy_set_header Host $host; @@ -31,3 +26,14 @@ proxy_set_header X-Forwarded-Port $server_port; # Hide X-Powered-By proxy_hide_header X-Powered-By; + +# CVE-2018-14773 +proxy_set_header X-Original-URL ""; +proxy_set_header X-Rewrite-URL ""; + +# Not the CVE, but is extremely similar +proxy_set_header X-Original-URI ""; + +# Potentially dangerous: https://github.com/oauth2-proxy/oauth2-proxy/issues/735 +proxy_set_header X-Original-Method ""; +proxy_set_header X-Forwarded-Method ""; \ No newline at end of file From 2e584825ffdeaf7fbc2bf6864ffb0c5ce80c16ce Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 06:24:19 -0700 Subject: [PATCH 02/24] Disable sending headers on http Signed-off-by: Tommy --- etc/nginx/conf.d/default.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf index 88e03b1..259bd93 100644 --- a/etc/nginx/conf.d/default.conf +++ b/etc/nginx/conf.d/default.conf @@ -4,7 +4,10 @@ server { include snippets/universal_paths.conf; + # Don't send headers + add_header "" ""; + location / { return 308 https://$host$request_uri; } -} \ No newline at end of file +} 
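Review bot: The five blanking `proxy_set_header` lines appended to proxy.conf are lost in any `location` or `server` that declares a `proxy_set_header` of its own, because nginx inherits `proxy_set_header` from the enclosing level only when the current level defines none; a websocket location that adds `Upgrade`/`Connection` would silently let a client-supplied `X-Original-URL` reach the upstream again. The mechanism itself is sound — an empty value means the field is not passed upstream — but the snippet should say how to keep it in force, e.g. `# NOTE: a location that sets any proxy_set_header of its own must re-include this snippet, or these blanks are dropped`. While here, the hunk also removes the file's trailing newline (`\ No newline at end of file`), which is worth restoring.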
From 1ade01cd11a0554bd364d82207f47a926dd608f0 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 06:27:58 -0700 Subject: [PATCH 03/24] Merge HSTS headers with TLS config --- etc/nginx/conf.d/sites_miniflux.conf | 1 - etc/nginx/conf.d/sites_nextcloud.conf | 1 - etc/nginx/conf.d/sites_uptime-kuma.conf | 1 - etc/nginx/conf.d/sites_vaultwarden.conf | 1 - etc/nginx/conf.d/tls.conf | 5 +++++ etc/nginx/snippets/hsts.conf | 5 ----- setup.sh | 1 - 7 files changed, 5 insertions(+), 10 deletions(-) delete mode 100644 etc/nginx/snippets/hsts.conf diff --git a/etc/nginx/conf.d/sites_miniflux.conf b/etc/nginx/conf.d/sites_miniflux.conf index 285580d..d3e4b28 100644 --- a/etc/nginx/conf.d/sites_miniflux.conf +++ b/etc/nginx/conf.d/sites_miniflux.conf @@ -10,7 +10,6 @@ server { ssl_certificate_key /etc/letsencrypt/live/miniflux.yourdomain.tld/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/chain.pem; - include snippets/hsts.conf; include snippets/security.conf; include snippets/cross-origin-security.conf; include snippets/quic.conf; diff --git a/etc/nginx/conf.d/sites_nextcloud.conf b/etc/nginx/conf.d/sites_nextcloud.conf index 7256189..e447aad 100644 --- a/etc/nginx/conf.d/sites_nextcloud.conf +++ b/etc/nginx/conf.d/sites_nextcloud.conf @@ -10,7 +10,6 @@ server { ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.tld/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/cloud.yourdomain.tld/chain.pem; - include snippets/hsts.conf; include snippets/security.conf; include snippets/quic.conf; include snippets/proxy.conf; diff --git a/etc/nginx/conf.d/sites_uptime-kuma.conf b/etc/nginx/conf.d/sites_uptime-kuma.conf index 741cb11..7b68172 100644 --- a/etc/nginx/conf.d/sites_uptime-kuma.conf +++ b/etc/nginx/conf.d/sites_uptime-kuma.conf 
@@ -10,7 +10,6 @@ server { ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem; - include snippets/hsts.conf; include snippets/security.conf; include snippets/cross-origin-security.conf; include snippets/quic.conf; diff --git a/etc/nginx/conf.d/sites_vaultwarden.conf b/etc/nginx/conf.d/sites_vaultwarden.conf index cd7b078..c734b8b 100644 --- a/etc/nginx/conf.d/sites_vaultwarden.conf +++ b/etc/nginx/conf.d/sites_vaultwarden.conf @@ -10,7 +10,6 @@ server { ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.tld/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/vault.yourdomain.tld/chain.pem; - include snippets/hsts.conf; include snippets/security.conf; include snippets/cross-origin-security.conf; include snippets/quic.conf; diff --git a/etc/nginx/conf.d/tls.conf b/etc/nginx/conf.d/tls.conf index 271ad0f..35eaf5b 100644 --- a/etc/nginx/conf.d/tls.conf +++ b/etc/nginx/conf.d/tls.conf @@ -19,6 +19,11 @@ ssl_session_ticket_key session-ticket-keys/3.key; ssl_session_ticket_key session-ticket-keys/2.key; ssl_session_ticket_key session-ticket-keys/1.key; +# Enable HSTS header + +proxy_hide_header Strict-Transport-Security; +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ## The following settings need to be declared manually per vhost: # ssl_certificate # ssl_certificate_key diff --git a/etc/nginx/snippets/hsts.conf b/etc/nginx/snippets/hsts.conf deleted file mode 100644 index 14cca7f..0000000 --- a/etc/nginx/snippets/hsts.conf +++ /dev/null @@ -1,5 +0,0 @@ -# Enable HSTS header -# Only add this to server blocks with TLS - -proxy_hide_header Strict-Transport-Security; -add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; \ No newline at end of file diff --git a/setup.sh b/setup.sh index 19351a6..b94f6e6 100644 --- a/setup.sh +++ b/setup.sh 
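Review bot: Moving the HSTS `add_header` into tls.conf puts it at `http` level (conf.d is presumably pulled in from the http block), and nginx inherits `add_header` from the enclosing level only when the current level has no `add_header` of its own; every vhost this commit strips `hsts.conf` from still includes `snippets/security.conf`, whose `add_header` lines live in the `server` block, so those servers stop sending Strict-Transport-Security altogether. The plain-HTTP redirect server in default.conf, which has no `add_header`, would be the one to inherit it — where browsers ignore the header. Keeping HSTS in a snippet included per TLS server block, next to the other `add_header` lines, avoids the inheritance trap; at minimum the `# Enable HSTS header` comment should warn `# add_header is not inherited into any block that declares its own add_header`.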
@@ -128,7 +128,6 @@ unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf > /dev/null sudo mkdir -p /etc/nginx/snippets -unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null From 275d68ce12a3041d465db4e10daf393d1ec51fd4 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 06:34:57 -0700 Subject: [PATCH 04/24] Merge default server configs --- etc/nginx/conf.d/default.conf | 38 +++++++++++++++++++++++++++++ etc/nginx/conf.d/http2.conf | 3 --- etc/nginx/conf.d/server_tokens.conf | 1 - etc/nginx/conf.d/tls.conf | 31 ----------------------- setup.sh | 3 --- 5 files changed, 38 insertions(+), 38 deletions(-) delete mode 100644 etc/nginx/conf.d/http2.conf delete mode 100644 etc/nginx/conf.d/server_tokens.conf delete mode 100644 etc/nginx/conf.d/tls.conf diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf index 259bd93..5b4050b 100644 --- a/etc/nginx/conf.d/default.conf +++ b/etc/nginx/conf.d/default.conf 
@@ -1,3 +1,41 @@ +# Use http2 +http2 on; + +# Shared TLS configuration + +## Use strong ciphers +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256; +ssl_prefer_server_ciphers on; +ssl_conf_command Options PrioritizeChaCha; + +## Configure ssl session cache +## Improves performance but we don't wanna keep this forever +## Session ticket creation and rotation is handled by GrapheneOS's scripts: +## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys +## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys + +ssl_session_cache shared:SSL:10m; # About 40000 sessions +ssl_session_timeout 1d; +ssl_session_ticket_key session-ticket-keys/4.key; +ssl_session_ticket_key session-ticket-keys/3.key; +ssl_session_ticket_key session-ticket-keys/2.key; +ssl_session_ticket_key session-ticket-keys/1.key; + +## Enable HSTS header + +proxy_hide_header Strict-Transport-Security; +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + +## The following settings need to be declared manually per vhost: +# ssl_certificate +# ssl_certificate_key +# ssl_trusted_certificate +# ssl_stapling_file + +# Disable server tokens +server_tokens off; + server { listen ipv4_1:80 default_server; listen [ipv6_1]:80 default_server; diff --git a/etc/nginx/conf.d/http2.conf b/etc/nginx/conf.d/http2.conf deleted file mode 100644 index 96587ce..0000000 --- a/etc/nginx/conf.d/http2.conf +++ /dev/null @@ -1,3 +0,0 @@ -# This is all it takes to enable http2 globally - -http2 on; \ No newline at end of file diff --git a/etc/nginx/conf.d/server_tokens.conf b/etc/nginx/conf.d/server_tokens.conf deleted file mode 100644 index b7a0bcb..0000000 --- a/etc/nginx/conf.d/server_tokens.conf +++ /dev/null @@ -1 +0,0 @@ -server_tokens off; \ No newline at end of file 
diff --git a/etc/nginx/conf.d/tls.conf b/etc/nginx/conf.d/tls.conf deleted file mode 100644 index 35eaf5b..0000000 --- a/etc/nginx/conf.d/tls.conf +++ /dev/null @@ -1,31 +0,0 @@ -# Shared TLS configuration - -## Use strong ciphers -ssl_protocols TLSv1.2 TLSv1.3; -ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256; -ssl_prefer_server_ciphers on; -ssl_conf_command Options PrioritizeChaCha; - -## Configure ssl session cache -## Improves performance but we don't wanna keep this forever -## Session ticket creation and rotation is handled by GrapheneOS's scripts: -## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys -## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys - -ssl_session_cache shared:SSL:10m; # About 40000 sessions -ssl_session_timeout 1d; -ssl_session_ticket_key session-ticket-keys/4.key; -ssl_session_ticket_key session-ticket-keys/3.key; -ssl_session_ticket_key session-ticket-keys/2.key; -ssl_session_ticket_key session-ticket-keys/1.key; - -# Enable HSTS header - -proxy_hide_header Strict-Transport-Security; -add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - -## The following settings need to be declared manually per vhost: -# ssl_certificate -# ssl_certificate_key -# ssl_trusted_certificate -# ssl_stapling_file diff --git a/setup.sh b/setup.sh index b94f6e6..06d0b55 100644 --- a/setup.sh +++ b/setup.sh 
@@ -122,10 +122,7 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer # Download NGINX configs -unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf > /dev/null -unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/server_tokens.conf | sudo tee /etc/nginx/conf.d/server_tokens.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/default.conf | sudo tee /etc/nginx/conf.d/default.conf > /dev/null -unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf > /dev/null sudo mkdir -p /etc/nginx/snippets unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null From 30d16930fc7b2a9f0fe1ab18ff1d4999500ca1c0 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 06:38:21 -0700 Subject: [PATCH 05/24] Remove invalid config --- etc/nginx/conf.d/default-quic.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/nginx/conf.d/default-quic.conf b/etc/nginx/conf.d/default-quic.conf index 8204c03..132ddd3 100644 --- a/etc/nginx/conf.d/default-quic.conf +++ b/etc/nginx/conf.d/default-quic.conf @@ -6,7 +6,6 @@ server { server_name hostname.of.your.server; - include snippets/hsts.conf; include snippets/quic.conf; include snippets/robots.conf; include snippets/universal_paths.conf; From a4dd4b62375bcfd9f48e99967ad1ea3643bba070 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 06:45:40 -0700 Subject: [PATCH 06/24] Disable gzip --- etc/nginx/conf.d/default.conf | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf index 5b4050b..5bdfa19 100644 --- a/etc/nginx/conf.d/default.conf 
+++ b/etc/nginx/conf.d/default.conf @@ -28,14 +28,18 @@ proxy_hide_header Strict-Transport-Security; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; ## The following settings need to be declared manually per vhost: -# ssl_certificate -# ssl_certificate_key -# ssl_trusted_certificate -# ssl_stapling_file +## ssl_certificate +## ssl_certificate_key +## ssl_trusted_certificate +## ssl_stapling_file # Disable server tokens server_tokens off; +# Disable compression +## Mitigates oracle attacks +gzip off; + server { listen ipv4_1:80 default_server; listen [ipv6_1]:80 default_server; From 662d06a701846887d6c972971a65e208387f1f6d Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 07:08:15 -0700 Subject: [PATCH 07/24] Undo 1ade01c - Split HSTS headers again nginx-module-headers-more requires third party repo --- etc/nginx/conf.d/default-quic.conf | 1 + etc/nginx/conf.d/sites_miniflux.conf | 1 + etc/nginx/conf.d/sites_nextcloud.conf | 1 + etc/nginx/conf.d/sites_uptime-kuma.conf | 1 + etc/nginx/conf.d/sites_vaultwarden.conf | 1 + etc/nginx/snippets/hsts.conf | 4 ++++ setup.sh | 1 + 7 files changed, 10 insertions(+) create mode 100644 etc/nginx/snippets/hsts.conf diff --git a/etc/nginx/conf.d/default-quic.conf b/etc/nginx/conf.d/default-quic.conf index 132ddd3..8204c03 100644 --- a/etc/nginx/conf.d/default-quic.conf +++ b/etc/nginx/conf.d/default-quic.conf @@ -6,6 +6,7 @@ server { server_name hostname.of.your.server; + include snippets/hsts.conf; include snippets/quic.conf; include snippets/robots.conf; include snippets/universal_paths.conf; diff --git a/etc/nginx/conf.d/sites_miniflux.conf b/etc/nginx/conf.d/sites_miniflux.conf index d3e4b28..285580d 100644 --- a/etc/nginx/conf.d/sites_miniflux.conf +++ b/etc/nginx/conf.d/sites_miniflux.conf 
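Review bot: `gzip off;` is already nginx's default and only governs compression nginx performs itself, so the new `## Mitigates oracle attacks` comment overstates it: a response the upstream compresses (PHP/Nextcloud output compression, for instance) is relayed as-is, and the compression-oracle surface the comment refers to (BREACH-style attacks, presumably) remains. To actually keep secrets and attacker-controlled input out of one compressed body, proxy.conf needs `proxy_set_header Accept-Encoding "";` so the upstream never compresses — at a bandwidth cost — and any `brotli`/`gzip_static` module, if loaded, needs the same treatment. Suggested comment: `## nginx default; also strip Accept-Encoding in proxy.conf, or upstream-compressed bodies bypass this`.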
@@ -10,6 +10,7 @@ server { ssl_certificate_key /etc/letsencrypt/live/miniflux.yourdomain.tld/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/chain.pem; + include snippets/hsts.conf; include snippets/security.conf; include snippets/cross-origin-security.conf; include snippets/quic.conf; diff --git a/etc/nginx/conf.d/sites_nextcloud.conf b/etc/nginx/conf.d/sites_nextcloud.conf index e447aad..7256189 100644 --- a/etc/nginx/conf.d/sites_nextcloud.conf +++ b/etc/nginx/conf.d/sites_nextcloud.conf @@ -10,6 +10,7 @@ server { ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.tld/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/cloud.yourdomain.tld/chain.pem; + include snippets/hsts.conf; include snippets/security.conf; include snippets/quic.conf; include snippets/proxy.conf; diff --git a/etc/nginx/conf.d/sites_uptime-kuma.conf b/etc/nginx/conf.d/sites_uptime-kuma.conf index 7b68172..741cb11 100644 --- a/etc/nginx/conf.d/sites_uptime-kuma.conf +++ b/etc/nginx/conf.d/sites_uptime-kuma.conf @@ -10,6 +10,7 @@ server { ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem; + include snippets/hsts.conf; include snippets/security.conf; include snippets/cross-origin-security.conf; include snippets/quic.conf; diff --git a/etc/nginx/conf.d/sites_vaultwarden.conf b/etc/nginx/conf.d/sites_vaultwarden.conf index c734b8b..cd7b078 100644 --- a/etc/nginx/conf.d/sites_vaultwarden.conf +++ b/etc/nginx/conf.d/sites_vaultwarden.conf @@ -10,6 +10,7 @@ server { ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.tld/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/vault.yourdomain.tld/chain.pem; + include snippets/hsts.conf; include snippets/security.conf; include snippets/cross-origin-security.conf; include snippets/quic.conf; 
diff --git a/etc/nginx/snippets/hsts.conf b/etc/nginx/snippets/hsts.conf new file mode 100644 index 0000000..42edd6f --- /dev/null +++ b/etc/nginx/snippets/hsts.conf @@ -0,0 +1,4 @@ +# Enable HSTS header +# Only add this to server blocks with TLS +proxy_hide_header Strict-Transport-Security; +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; \ No newline at end of file diff --git a/setup.sh b/setup.sh index 06d0b55..9f3b46c 100644 --- a/setup.sh +++ b/setup.sh @@ -125,6 +125,7 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/default.conf | sudo tee /etc/nginx/conf.d/default.conf > /dev/null sudo mkdir -p /etc/nginx/snippets +unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null From 71a7618b1c61a1e3789ab4d516e9c7c44cc86f7a Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 07:22:40 -0700 Subject: [PATCH 08/24] Use strong ciphers for proxies --- etc/nginx/conf.d/default.conf | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf index 5bdfa19..045f051 100644 --- a/etc/nginx/conf.d/default.conf +++ b/etc/nginx/conf.d/default.conf 
@@ -9,6 +9,14 @@ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-EC ssl_prefer_server_ciphers on; ssl_conf_command Options PrioritizeChaCha; +# Use strong ciphers for proxies +proxy_ssl_verify on; +proxy_ssl_server_name on; +proxy_ssl_session_reuse on; +proxy_ssl_protocols TLSv1.2 TLSv1.3; +proxy_ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256; +proxy_ssl_conf_command Options PrioritizeChaCha; + ## Configure ssl session cache ## Improves performance but we don't wanna keep this forever ## Session ticket creation and rotation is handled by GrapheneOS's scripts: @@ -22,11 +30,6 @@ ssl_session_ticket_key session-ticket-keys/3.key; ssl_session_ticket_key session-ticket-keys/2.key; ssl_session_ticket_key session-ticket-keys/1.key; -## Enable HSTS header - -proxy_hide_header Strict-Transport-Security; -add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - ## The following settings need to be declared manually per vhost: ## ssl_certificate ## ssl_certificate_key From b52186dcaacad80b09fea8b0ce6ca98cfed0162e Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 07:34:17 -0700 Subject: [PATCH 09/24] Update robots.txt --- srv/nginx/robots.txt | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/srv/nginx/robots.txt b/srv/nginx/robots.txt index 54f42cc..9ad0312 100644 --- a/srv/nginx/robots.txt +++ b/srv/nginx/robots.txt @@ -8,10 +8,9 @@ Disallow: / Allow: /ads.txt Allow: /app-ads.txt -User-agent: peer39_crawler User-agent: peer39_crawler/1.0 User-agent: TurnitinBot -User-agent: NPBot +User-agent: AcademicBotRTU User-agent: SlySearch User-agent: BLEXBot User-agent: CheckMarkNetwork/1.0 (+https://www.checkmarknetwork.com/spider.html) 
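Review bot: `proxy_ssl_verify on;` is added without a `proxy_ssl_trusted_certificate`, and nginx does not fall back to the system CA store for upstream verification; as far as I recall the configuration is rejected as soon as a `proxy_pass https://` location exists (`no proxy_ssl_trusted_certificate for proxy_ssl_verify`), and none of the vhosts visible in this series use one — they proxy to `http://`, so the new block currently affects nothing. Pair it with a bundle path, e.g. `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (distro-dependent), and note in a comment that `proxy_ssl_name` defaults to the host in `proxy_pass`, which is what `proxy_ssl_server_name on` sends as SNI. The ECDSA-only `proxy_ssl_ciphers` list also means an upstream presenting an RSA certificate cannot complete the handshake; that deserves a comment, since upstreams are not under the same certificate policy as the front end.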
@@ -24,6 +23,7 @@ User-agent: MJ12bot User-agent: AI2Bot User-agent: Ai2Bot-Dolma User-agent: Amazonbot +User-agent: anthropic-ai User-agent: Applebot User-agent: Applebot-Extended User-agent: Bytespider @@ -31,21 +31,28 @@ User-agent: CCBot User-agent: ChatGPT-User User-agent: Claude-Web User-agent: ClaudeBot +User-agent: cohere-ai User-agent: Diffbot +User-agent: DuckAssistBot User-agent: FacebookBot User-agent: FriendlyCrawler -User-agent: GPTBot User-agent: Google-Extended User-agent: GoogleOther User-agent: GoogleOther-Image User-agent: GoogleOther-Video +User-agent: GPTBot +User-agent: iaskspider/2.0 User-agent: ICC-Crawler -User-agent: ISSCyberRiskCrawler User-agent: ImagesiftBot +User-agent: img2dataset +User-agent: ISSCyberRiskCrawler User-agent: Kangaroo Bot User-agent: Meta-ExternalAgent User-agent: Meta-ExternalFetcher User-agent: OAI-SearchBot +User-agent: omgili +User-agent: omgilibot +User-agent: PanguBot User-agent: PerplexityBot User-agent: PetalBot User-agent: Scrapy @@ -54,11 +61,4 @@ User-agent: Timpibot User-agent: VelenPublicWebCrawler User-agent: Webzio-Extended User-agent: YouBot -User-agent: anthropic-ai -User-agent: cohere-ai -User-agent: facebookexternalhit -User-agent: iaskspider/2.0 -User-agent: img2dataset -User-agent: omgili -User-agent: omgilibot Disallow: / \ No newline at end of file From 819c0e63721e75261a05f3788aed74384e12a347 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 08:22:55 -0700 Subject: [PATCH 10/24] Add note for credentialless --- etc/nginx/snippets/cross-origin-security.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/nginx/snippets/cross-origin-security.conf b/etc/nginx/snippets/cross-origin-security.conf index 8acc8db..3861307 100644 --- a/etc/nginx/snippets/cross-origin-security.conf +++ b/etc/nginx/snippets/cross-origin-security.conf 
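Review bot: `User-agent: facebookexternalhit` and `User-agent: NPBot` leave the blocklist in this hunk with no mention in a commit message that only says "Update robots.txt"; everything else is a re-sort into alphabetical order plus additions. If dropping them is deliberate (facebookexternalhit is the link-preview fetcher rather than a crawler, presumably), a line in the message or a comment next to the group would stop the next reviewer from re-adding them.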
@@ -7,5 +7,7 @@ add_header Cross-Origin-Resource-Policy "same-origin" always; proxy_hide_header Cross-Origin-Opener-Policy; add_header Cross-Origin-Opener-Policy "same-origin" always; +# Change COEP to "credentialless" when supported by Safari +# https://developer.mozilla.org/en-US/docs/Web/API/Window/credentialless proxy_hide_header Cross-Origin-Embedder-Policy; add_header Cross-Origin-Embedder-Policy "require-corp" always; \ No newline at end of file From 1ca56b70399bdc9f63f405a5e9af32c3a337e6db Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 09:13:14 -0700 Subject: [PATCH 11/24] Add cookie secure flag Signed-off-by: Tommy --- etc/nginx/conf.d/default.conf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf index 045f051..74042d5 100644 --- a/etc/nginx/conf.d/default.conf +++ b/etc/nginx/conf.d/default.conf @@ -36,13 +36,16 @@ ssl_session_ticket_key session-ticket-keys/1.key; ## ssl_trusted_certificate ## ssl_stapling_file -# Disable server tokens -server_tokens off; +# Cookie flags +proxy_cookie_flags ~ secure; # Disable compression ## Mitigates oracle attacks gzip off; +# Disable server tokens +server_tokens off; + server { listen ipv4_1:80 default_server; listen [ipv6_1]:80 default_server; From 65459ad7844752250d8719f8489533df12106b7f Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 09:22:33 -0700 Subject: [PATCH 12/24] Add Access-Control-Max-Age --- etc/nginx/conf.d/sites_nextcloud.conf | 2 ++ etc/nginx/snippets/cross-origin-security.conf | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/etc/nginx/conf.d/sites_nextcloud.conf b/etc/nginx/conf.d/sites_nextcloud.conf index 7256189..f50f0e8 100644 --- a/etc/nginx/conf.d/sites_nextcloud.conf +++ b/etc/nginx/conf.d/sites_nextcloud.conf 
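Review bot: `proxy_cookie_flags ~ secure;` relies on a directive that appeared in nginx 1.19.3, and the hunk's `# Cookie flags` comment does not say so, so an older distro package fails `nginx -t` on this line with no hint; suggest `# Cookie flags (proxy_cookie_flags: nginx >= 1.19.3); ~ matches every upstream Set-Cookie`. Leaving `httponly` to each upstream, as this hunk does, is defensible — apps that read their own cookies from JS would break — but that choice is worth stating in the same comment.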
@@ -19,6 +19,8 @@ server { add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cross-Origin-Opener-Policy "same-origin" always; + proxy_hide_header Access-Control-Max-Age; + add_header Access-Control-Max-Age "600"; location / { proxy_pass http://nextcloud:8080; diff --git a/etc/nginx/snippets/cross-origin-security.conf b/etc/nginx/snippets/cross-origin-security.conf index 3861307..52f824c 100644 --- a/etc/nginx/snippets/cross-origin-security.conf +++ b/etc/nginx/snippets/cross-origin-security.conf @@ -10,4 +10,8 @@ add_header Cross-Origin-Opener-Policy "same-origin" always; # Change COEP to "credentialless" when supported by Safari # https://developer.mozilla.org/en-US/docs/Web/API/Window/credentialless proxy_hide_header Cross-Origin-Embedder-Policy; -add_header Cross-Origin-Embedder-Policy "require-corp" always; \ No newline at end of file +add_header Cross-Origin-Embedder-Policy "require-corp" always; + +# Access-Control-Max-Age +proxy_hide_header Access-Control-Max-Age; +add_header Access-Control-Max-Age "600"; \ No newline at end of file From 111a568c6ed4f991eb7145c80b696bc0e85cf118 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 09:28:28 -0700 Subject: [PATCH 13/24] Note X-Frame-Options obsolesence --- etc/nginx/snippets/security.conf | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/etc/nginx/snippets/security.conf b/etc/nginx/snippets/security.conf index e3e0a1b..a7a78b7 100644 --- a/etc/nginx/snippets/security.conf +++ b/etc/nginx/snippets/security.conf 
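Review bot: `Access-Control-Max-Age` only has meaning on a CORS preflight response that also carries `Access-Control-Allow-Origin`, so adding it to every response from cross-origin-security.conf does nothing for ordinary requests, while the paired `proxy_hide_header` strips whatever value the upstream puts on its own preflights — for an app that deliberately sets a different preflight cache on its CORS-enabled endpoints this is a silent override rather than hardening. It is also the only header in the snippet without `always`, so it vanishes on error responses while the others stay. Either drop both lines and let the upstream's CORS headers through untouched, or keep them with a comment stating the intent, e.g. `# Cap preflight caching at 10 min regardless of upstream; only meaningful next to Access-Control-Allow-Origin`.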
@@ -10,13 +10,15 @@ add_header Referrer-Policy "same-origin" always; proxy_hide_header X-Content-Type-Options; add_header X-Content-Type-Options "nosniff" always; -proxy_hide_header X-Frame-Options; -add_header X-Frame-Options "SAMEORIGIN" always; - proxy_hide_header X-Permitted-Cross-Domain-Policies; add_header X-Permitted-Cross-Domain-Policies "none" always; +# Obsolete and replaced by Content-Security-Policy frame-ancestors +# Setting the less restrictive SAMEORIGIN here, has frame-ancestors 'none' will overwrite it anyways +proxy_hide_header X-Frame-Options; +add_header X-Frame-Options "SAMEORIGIN" always; + # Obsolete and replaced by Content-Security-Policy # Only here to pass Hardenize checks proxy_hide_header X-XSS-Protection; -add_header X-XSS-Protection "0" always; +add_header X-XSS-Protection "0" always; \ No newline at end of file From 8293f6f1c373b6aa2749475113c19e742277b5cb Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 09:28:46 -0700 Subject: [PATCH 14/24] Typo Fix --- etc/nginx/snippets/security.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/nginx/snippets/security.conf b/etc/nginx/snippets/security.conf index a7a78b7..67e4b8f 100644 --- a/etc/nginx/snippets/security.conf +++ b/etc/nginx/snippets/security.conf @@ -14,7 +14,7 @@ proxy_hide_header X-Permitted-Cross-Domain-Policies; add_header X-Permitted-Cross-Domain-Policies "none" always; # Obsolete and replaced by Content-Security-Policy frame-ancestors -# Setting the less restrictive SAMEORIGIN here, has frame-ancestors 'none' will overwrite it anyways +# Setting the less restrictive SAMEORIGIN here, as frame-ancestors 'none' will overwrite it anyways proxy_hide_header X-Frame-Options; add_header X-Frame-Options "SAMEORIGIN" always; From 023e2cdad3ccf149b3b70d6247a8c33c8ecfdabf Mon Sep 17 00:00:00 2001 
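Review bot: The new comment asserts `frame-ancestors 'none' will overwrite it anyways`, but nothing in security.conf sends a Content-Security-Policy — that would come from each vhost, if at all — so on a vhost without one, `SAMEORIGIN` is the only framing control and the comment reads as if `DENY`-equivalent protection were in place. Making the dependency explicit keeps the next reader honest, e.g. `# Fallback for CSP-unaware clients; a per-vhost CSP frame-ancestors directive takes precedence where one is sent`. The hunk also drops the file's trailing newline, which is worth restoring.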
From: Tommy Date: Fri, 3 Jan 2025 09:31:47 -0700 Subject: [PATCH 15/24] Move Access-Control-Max-Age to security.conf --- etc/nginx/conf.d/sites_nextcloud.conf | 2 -- etc/nginx/snippets/cross-origin-security.conf | 6 +----- etc/nginx/snippets/security.conf | 4 ++++ 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/etc/nginx/conf.d/sites_nextcloud.conf b/etc/nginx/conf.d/sites_nextcloud.conf index f50f0e8..7256189 100644 --- a/etc/nginx/conf.d/sites_nextcloud.conf +++ b/etc/nginx/conf.d/sites_nextcloud.conf @@ -19,8 +19,6 @@ server { add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cross-Origin-Opener-Policy "same-origin" always; - proxy_hide_header Access-Control-Max-Age; - add_header Access-Control-Max-Age "600"; location / { proxy_pass http://nextcloud:8080; diff --git a/etc/nginx/snippets/cross-origin-security.conf b/etc/nginx/snippets/cross-origin-security.conf index 52f824c..3861307 100644 --- a/etc/nginx/snippets/cross-origin-security.conf +++ b/etc/nginx/snippets/cross-origin-security.conf @@ -10,8 +10,4 @@ add_header Cross-Origin-Opener-Policy "same-origin" always; # Change COEP to "credentialless" when supported by Safari # https://developer.mozilla.org/en-US/docs/Web/API/Window/credentialless proxy_hide_header Cross-Origin-Embedder-Policy; -add_header Cross-Origin-Embedder-Policy "require-corp" always; - -# Access-Control-Max-Age -proxy_hide_header Access-Control-Max-Age; -add_header Access-Control-Max-Age "600"; \ No newline at end of file +add_header Cross-Origin-Embedder-Policy "require-corp" always; \ No newline at end of file diff --git a/etc/nginx/snippets/security.conf b/etc/nginx/snippets/security.conf index 67e4b8f..6458c27 100644 --- a/etc/nginx/snippets/security.conf +++ b/etc/nginx/snippets/security.conf 
@@ -13,6 +13,10 @@ add_header X-Content-Type-Options "nosniff" always; proxy_hide_header X-Permitted-Cross-Domain-Policies; add_header X-Permitted-Cross-Domain-Policies "none" always; +# Access-Control-Max-Age +proxy_hide_header Access-Control-Max-Age; +add_header Access-Control-Max-Age "600"; + # Obsolete and replaced by Content-Security-Policy frame-ancestors # Setting the less restrictive SAMEORIGIN here, as frame-ancestors 'none' will overwrite it anyways proxy_hide_header X-Frame-Options; From 6334ef08611960a7f165f11480c7935379d46fac Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 09:48:56 -0700 Subject: [PATCH 16/24] Undo 2e58482 nginx-module-headers-more requires third party repo --- etc/nginx/conf.d/default.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf index 74042d5..072744f 100644 --- a/etc/nginx/conf.d/default.conf +++ b/etc/nginx/conf.d/default.conf @@ -52,9 +52,6 @@ server { include snippets/universal_paths.conf; - # Don't send headers - add_header "" ""; - location / { return 308 https://$host$request_uri; } From 2cf70896f7adf0b5ea7e02192775104ca77763b7 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 3 Jan 2025 09:57:09 -0700 Subject: [PATCH 17/24] Merge hsts snippet into security snippet --- etc/nginx/conf.d/default-quic.conf | 1 - etc/nginx/conf.d/sites_miniflux.conf | 1 - etc/nginx/conf.d/sites_nextcloud.conf | 1 - etc/nginx/conf.d/sites_uptime-kuma.conf | 1 - etc/nginx/conf.d/sites_vaultwarden.conf | 1 - etc/nginx/snippets/hsts.conf | 4 ---- etc/nginx/snippets/security.conf | 11 +++++++---- 7 files changed, 7 insertions(+), 13 deletions(-) delete mode 100644 etc/nginx/snippets/hsts.conf diff --git a/etc/nginx/conf.d/default-quic.conf b/etc/nginx/conf.d/default-quic.conf index 8204c03..132ddd3 100644 --- a/etc/nginx/conf.d/default-quic.conf +++ b/etc/nginx/conf.d/default-quic.conf 
@@ -6,7 +6,6 @@ server { server_name hostname.of.your.server; - include snippets/hsts.conf; include snippets/quic.conf; include snippets/robots.conf; include snippets/universal_paths.conf; diff --git a/etc/nginx/conf.d/sites_miniflux.conf b/etc/nginx/conf.d/sites_miniflux.conf index 285580d..d3e4b28 100644 --- a/etc/nginx/conf.d/sites_miniflux.conf +++ b/etc/nginx/conf.d/sites_miniflux.conf @@ -10,7 +10,6 @@ server { ssl_certificate_key /etc/letsencrypt/live/miniflux.yourdomain.tld/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/chain.pem; - include snippets/hsts.conf; include snippets/security.conf; include snippets/cross-origin-security.conf; include snippets/quic.conf; diff --git a/etc/nginx/conf.d/sites_nextcloud.conf b/etc/nginx/conf.d/sites_nextcloud.conf index 7256189..e447aad 100644 --- a/etc/nginx/conf.d/sites_nextcloud.conf +++ b/etc/nginx/conf.d/sites_nextcloud.conf @@ -10,7 +10,6 @@ server { ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.tld/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/cloud.yourdomain.tld/chain.pem; - include snippets/hsts.conf; include snippets/security.conf; include snippets/quic.conf; include snippets/proxy.conf; diff --git a/etc/nginx/conf.d/sites_uptime-kuma.conf b/etc/nginx/conf.d/sites_uptime-kuma.conf index 741cb11..7b68172 100644 --- a/etc/nginx/conf.d/sites_uptime-kuma.conf +++ b/etc/nginx/conf.d/sites_uptime-kuma.conf @@ -10,7 +10,6 @@ server { ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem; - include snippets/hsts.conf; include snippets/security.conf; include snippets/cross-origin-security.conf; include snippets/quic.conf; diff --git a/etc/nginx/conf.d/sites_vaultwarden.conf b/etc/nginx/conf.d/sites_vaultwarden.conf index cd7b078..c734b8b 100644 --- a/etc/nginx/conf.d/sites_vaultwarden.conf +++ b/etc/nginx/conf.d/sites_vaultwarden.conf 
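Review bot: default-quic.conf loses its `include snippets/hsts.conf;` on the strength of the merge into security.conf, but the context lines that follow show only `quic.conf`, `robots.conf` and `universal_paths.conf` and no `include snippets/security.conf;`; unless that include sits outside the hunk, this server stops sending Strict-Transport-Security. The sites_*.conf servers changed in the same commit do include security.conf, so they keep it. A `grep -L security.conf conf.d/*` before merging, and a comment in default-quic.conf saying where its HSTS now comes from, would close the gap.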
@@ -10,7 +10,6 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.tld/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/vault.yourdomain.tld/chain.pem;
- include snippets/hsts.conf;
 include snippets/security.conf;
 include snippets/cross-origin-security.conf;
 include snippets/quic.conf;
diff --git a/etc/nginx/snippets/hsts.conf b/etc/nginx/snippets/hsts.conf
deleted file mode 100644
index 42edd6f..0000000
--- a/etc/nginx/snippets/hsts.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Enable HSTS header
-# Only add this to server blocks with TLS
-proxy_hide_header Strict-Transport-Security;
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
\ No newline at end of file
diff --git a/etc/nginx/snippets/security.conf b/etc/nginx/snippets/security.conf
index 6458c27..219a118 100644
--- a/etc/nginx/snippets/security.conf
+++ b/etc/nginx/snippets/security.conf
@@ -1,9 +1,16 @@
 # Global security headers - apply everywhere
+proxy_hide_header Strict-Transport-Security;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
 # We do not set clipboard-write() here, because it is very commonly used
 proxy_hide_header Strict-Transport-Security;
 add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-create=self, publickey-credentials-get=self, screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+# Access-Control-Max-Age
+proxy_hide_header Access-Control-Max-Age;
+add_header Access-Control-Max-Age "600";
+
 proxy_hide_header Permissions-Policy;
 add_header Referrer-Policy "same-origin" always;
@@ -13,10 +20,6 @@ add_header X-Content-Type-Options "nosniff" always;
 proxy_hide_header X-Permitted-Cross-Domain-Policies;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
-# Access-Control-Max-Age
-proxy_hide_header Access-Control-Max-Age;
-add_header Access-Control-Max-Age "600";
-
 # Obsolete and replaced by Content-Security-Policy frame-ancestors
 # Setting the less restrictive SAMEORIGIN here, as frame-ancestors 'none' will overwrite it anyways
 proxy_hide_header X-Frame-Options;
From 66e7b661412869e915f424f5af4bf4f6f32eaa7c Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 3 Jan 2025 09:58:24 -0700
Subject: [PATCH 18/24] Minor reorganization
---
 etc/nginx/conf.d/sites_uptime-kuma.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
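Review bot: The added `proxy_hide_header Strict-Transport-Security;` duplicates the existing one that sits right above `add_header Permissions-Policy`, and the hide/add pairing used elsewhere in this file (X-Permitted-Cross-Domain-Policies, Access-Control-Max-Age, and the deleted hsts.conf) suggests that older line was meant to read `proxy_hide_header Permissions-Policy;` and the `proxy_hide_header Permissions-Policy;` before Referrer-Policy was meant to read `proxy_hide_header Referrer-Policy;` — if so, an upstream Referrer-Policy is not hidden and a response can carry two conflicting values, which is worth checking against the lines this hunk does not show. The deleted hsts.conf caveat `# Only add this to server blocks with TLS` is lost while the snippet header still says `apply everywhere`; keep it as a comment on the two HSTS lines, because a plain-http server block that includes this snippet would advertise HSTS on cleartext (browsers ignore it there, but it hides the intent). `add_header Access-Control-Max-Age "600";` is the only add_header here without `always`, so it is dropped on error responses; add `always` for consistency or note why it differs.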
diff --git a/etc/nginx/conf.d/sites_uptime-kuma.conf b/etc/nginx/conf.d/sites_uptime-kuma.conf
index 7b68172..2ceb40a 100644
--- a/etc/nginx/conf.d/sites_uptime-kuma.conf
+++ b/etc/nginx/conf.d/sites_uptime-kuma.conf
@@ -14,9 +14,9 @@ server {
 include snippets/cross-origin-security.conf;
 include snippets/quic.conf;
 include snippets/proxy.conf;
- proxy_hide_header Content-Security-Policy;
 include snippets/universal_paths.conf;
+ proxy_hide_header Content-Security-Policy;
 add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; img-src 'self' data:; frame-src 'self'; manifest-src 'self'; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'none'; frame-ancestors 'self'; upgrade-insecure-requests";
 location / {
From 3b270e465748852aec898a1d0825b4353b1682a7 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 3 Jan 2025 10:00:10 -0700
Subject: [PATCH 19/24] Remove hsts.conf from setup.sh
---
 setup.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/setup.sh b/setup.sh
index 9f3b46c..06d0b55 100644
--- a/setup.sh
+++ b/setup.sh
@@ -125,7 +125,6 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/default.conf | sudo tee /etc/nginx/conf.d/default.conf > /dev/null
 sudo mkdir -p /etc/nginx/snippets
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null
From 37dcc6dddeb65b94f9da5bd4118b8e3bdd2ffefd Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 3 Jan 2025 23:05:02 -0700
Subject: [PATCH 20/24] Update ssl_early_data configuration
---
 etc/nginx/conf.d/default.conf | 3 +++
 etc/nginx/snippets/proxy.conf | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index 072744f..073d69e 100644
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@@ -36,6 +36,9 @@ ssl_session_ticket_key session-ticket-keys/1.key;
 ## ssl_trusted_certificate
 ## ssl_stapling_file
+# Make sure ssl early data is off - replay attack mitigation
+ssl_early_data off;
+
 # Cookie flags
 proxy_cookie_flags ~ secure;
diff --git a/etc/nginx/snippets/proxy.conf b/etc/nginx/snippets/proxy.conf
index 2ea7ce3..379d5e2 100644
--- a/etc/nginx/snippets/proxy.conf
+++ b/etc/nginx/snippets/proxy.conf
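Review bot: `ssl_early_data off;` is already nginx's default value, so the new line pins behaviour rather than changing it; make that explicit in the comment so a later cleanup does not drop it or assume 0-RTT had been on, e.g. `# Keep TLS 1.3 0-RTT disabled (nginx default): early data is replayable`. Because the directive is inherited from the http context, a per-site `ssl_early_data on;` in any server block overrides it without touching this file, which is one more reason to keep the intent comment next to the default.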
@@ -4,7 +4,7 @@
 # Force http 1.1, anything not supporting it shouldn't be used
 proxy_http_version 1.1;
-# Replay attack mitigation for early data
+# Signal to upstream whether ssl_early_data is used
 proxy_set_header Early-Data $ssl_early_data;
 # Restore visitor IP
From 6f712a928299720053b3834b747b6543bae7c8e5 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 3 Jan 2025 23:24:33 -0700
Subject: [PATCH 21/24] Set-Cookie
---
 etc/nginx/conf.d/default.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index 073d69e..35b7ac3 100644
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@@ -39,7 +39,8 @@ ssl_session_ticket_key session-ticket-keys/1.key;
 # Make sure ssl early data is off - replay attack mitigation
 ssl_early_data off;
-# Cookie flags
+# Set-Cookie
+proxy_cookie_domain ~ "";
 proxy_cookie_flags ~ secure;
 # Disable compression
From d28691ceed48feb0190802797bb76d42b0c46ea3 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 3 Jan 2025 23:50:40 -0700
Subject: [PATCH 22/24] Fix X-Forwarded-For
Signed-off-by: Tommy
---
 etc/nginx/snippets/proxy.conf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/etc/nginx/snippets/proxy.conf b/etc/nginx/snippets/proxy.conf
index 379d5e2..90eaf34 100644
--- a/etc/nginx/snippets/proxy.conf
+++ b/etc/nginx/snippets/proxy.conf
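Review bot: The new comment describes what the line does, but with `ssl_early_data off;` set in conf.d/default.conf (PATCH 20) `$ssl_early_data` is always empty, and nginx omits proxy_set_header fields whose value is empty, so no `Early-Data` header reaches the upstream at all. State that dependency in the comment so the line is not read as active replay protection, e.g. `# Forwards "1" only when TLS 1.3 0-RTT is enabled and used; a no-op while ssl_early_data is off`. If 0-RTT is ever turned on, the upstream has to refuse non-idempotent requests carrying `Early-Data: 1` (RFC 8470, 425 Too Early), which this snippet alone cannot guarantee.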
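Review bot: `proxy_cookie_domain ~ "";` needs a comment saying what it is for; `# Set-Cookie` only names the header it touches. Presumably the intent is to strip any Domain attribute an upstream sets so cookies stay host-only, but what nginx emits for an empty replacement (attribute removed versus a bare `Domain=`) is not obvious from the line and should be verified against a real response on the deployed nginx version; suggest `# Strip any upstream Domain= attribute so cookies stay host-only (verified on nginx <VERSION>); mark every cookie Secure`. Both directives only rewrite Set-Cookie headers received from the proxied upstream, which is worth noting if cookies are also set by nginx itself elsewhere in the config.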
@@ -18,7 +18,13 @@ proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 # Enable X-Forwarded headers
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+## Using $proxy_add_x_forwarded_for will append the $remote_addr to the end of the the IP lists
+## If some clients sends a fake X-Forwarded-For, and the upstream server does not parses this
+## correctly, it could result in security issues.
+## We are not behind a reverse proxy, so just set it to $remote_addr should be good enough.
+proxy_set_header X-Forwarded-For $remote_addr;
+
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Ssl on;
@@ -36,4 +42,4 @@ proxy_set_header X-Original-URI "";
 # Potentially dangerous: https://github.com/oauth2-proxy/oauth2-proxy/issues/735
 proxy_set_header X-Original-Method "";
-proxy_set_header X-Forwarded-Method "";
\ No newline at end of file
+proxy_set_header X-Forwarded-Method "";
From 0f0305614b05c8774cf719d12f1567ec3d2403d3 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Mon, 10 Feb 2025 04:59:59 -0700
Subject: [PATCH 23/24] Update robots.txt
Matches https://github.com/ai-robots-txt/ai.robots.txt/blob/bebffccc0ced8c420276c93f3109c2e71cd5ca0c/robots.txt
Signed-off-by: Tommy
---
 srv/nginx/robots.txt | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/srv/nginx/robots.txt b/srv/nginx/robots.txt
index 9ad0312..f7c6e2b 100644
--- a/srv/nginx/robots.txt
+++ b/srv/nginx/robots.txt
@@ -32,6 +32,8 @@ User-agent: ChatGPT-User
 User-agent: Claude-Web
 User-agent: ClaudeBot
 User-agent: cohere-ai
+User-agent: cohere-training-data-crawler
+User-agent: Crawlspace
 User-agent: Diffbot
 User-agent: DuckAssistBot
 User-agent: FacebookBot
@@ -56,6 +58,8 @@ User-agent: PanguBot
 User-agent: PerplexityBot
 User-agent: PetalBot
 User-agent: Scrapy
+User-agent: SemrushBot-OCOB
+User-agent: SemrushBot-SWA
 User-agent: Sidetrade indexer bot
 User-agent: Timpibot
 User-agent: VelenPublicWebCrawler
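Review bot: The new comment block has typos (`the the IP lists`, `some clients sends`, `does not parses`), and its justification `We are not behind a reverse proxy` is a deployment assumption the snippet cannot verify: if this nginx is ever placed behind a load balancer or CDN, `$remote_addr` becomes that proxy's address and X-Forwarded-For silently stops identifying the client. Suggest rewording the last comment line to `## Assumes nginx is the edge: behind another proxy, configure set_real_ip_from/real_ip_header so $remote_addr is the real client`, so the assumption sits next to the line that depends on it. Using `$remote_addr` alone is the right call for an edge deployment, since it stops clients from seeding the list with an address of their choosing.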
From 2e9c3ae120ee7186467199754a83652f6b0d95d5 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Mon, 10 Feb 2025 05:04:27 -0700
Subject: [PATCH 24/24] Typo Fixes
Signed-off-by: Tommy
---
 setup.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/setup.sh b/setup.sh
index 06d0b55..b406824 100644
--- a/setup.sh
+++ b/setup.sh
@@ -68,9 +68,9 @@ fi
 sudo semanage fcontext -a -t httpd_sys_content_t "$(realpath /srv/nginx)(/.*)?"
 sudo mkdir -p /srv/nginx/.well-known/acme-challenge
 sudo chmod -R 755 /srv/nginx
-unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/ads.txt | sudo tee /srv/nginx/ads.txt > /dev/null
-unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/app-ads.txt | sudo tee /srv/nginx/app-ads.txt > /dev/null
-unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/robots.txt | sudo tee /srv/nginx/robots.txt > /dev/null
+unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/srv/nginx/ads.txt | sudo tee /srv/nginx/ads.txt > /dev/null
+unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/srv/nginx/app-ads.txt | sudo tee /srv/nginx/app-ads.txt > /dev/null
+unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/srv/nginx/robots.txt | sudo tee /srv/nginx/robots.txt > /dev/null
 sudo chmod 644 /srv/nginx/ads.txt /srv/nginx/app-ads.txt /srv/nginx/robots.txt
 sudo restorecon -Rv "$(realpath /srv/nginx)"
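Review bot: The rewritten `curl -s ... | sudo tee` lines still have no failure check: `-s` hides errors, curl exits 0 on an HTTP 404, and `tee` then writes whatever body came back (for a mistyped path, the host's "not found" page) into `/srv/nginx/*.txt` as root while the script carries on. Use `unpriv curl -sSf` so a non-2xx response aborts the pipeline, and enable `set -o pipefail` if the script does not already have it, since curl sits on the left of the pipe. The same pattern is used for the snippet downloads in the earlier setup.sh hunk (PATCH 19), so the fix belongs on every download line.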