titanz/NGINX-Configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/main' into development
All checks were successful
ShellCheck / Shell syntax checker (push) Successful in 9s
Details

Browse Source
This commit is contained in:
titanz
2025-02-10 17:59:11 +01:00
parent 806ba4f78f 2e9c3ae120
commit d6a956eba3
15 changed files with 105 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
etc/nginx/conf.d/default-quic.conf
View File

@@ -6,7 +6,6 @@ server {
server_name hostname.of.your.server;
include snippets/hsts.conf;
include snippets/quic.conf;
include snippets/robots.conf;
include snippets/universal_paths.conf;

52
etc/nginx/conf.d/default.conf
View File

@@ -1,3 +1,55 @@
# Use http2
http2 on;
# Shared TLS configuration
## Use strong ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
# Use strong ciphers for proxies
proxy_ssl_verify on;
proxy_ssl_server_name on;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
proxy_ssl_conf_command Options PrioritizeChaCha;
## Configure ssl session cache
## Improves performance but we don't wanna keep this forever
## Session ticket creation and rotation is handled by GrapheneOS's scripts:
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
ssl_session_cache shared:SSL:10m; # About 40000 sessions
ssl_session_timeout 1d;
ssl_session_ticket_key session-ticket-keys/4.key;
ssl_session_ticket_key session-ticket-keys/3.key;
ssl_session_ticket_key session-ticket-keys/2.key;
ssl_session_ticket_key session-ticket-keys/1.key;
## The following settings need to be declared manually per vhost:
## ssl_certificate
## ssl_certificate_key
## ssl_trusted_certificate
## ssl_stapling_file
# Make sure ssl early data is off - replay attack mitigation
ssl_early_data off;
# Set-Cookie
proxy_cookie_domain ~ "";
proxy_cookie_flags ~ secure;
# Disable compression
## Mitigates oracle attacks
gzip off;
# Disable server tokens
server_tokens off;
server {
listen 127.0.0.1:80 default_server;
# listen [ipv6_1]:80 default_server;

3
etc/nginx/conf.d/http2.conf
View File

@@ -1,3 +0,0 @@
# This is all it takes to enable http2 globally
http2 on;

1
etc/nginx/conf.d/server_tokens.conf
View File

@@ -1 +0,0 @@
server_tokens off;

1
etc/nginx/conf.d/sites_miniflux.conf
View File

@@ -10,7 +10,6 @@ server {
ssl_certificate_key /etc/letsencrypt/live/miniflux.yourdomain.tld/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/cross-origin-security.conf;
include snippets/quic.conf;

1
etc/nginx/conf.d/sites_nextcloud.conf
View File

@@ -10,7 +10,6 @@ server {
ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.tld/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/cloud.yourdomain.tld/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/quic.conf;
include snippets/proxy.conf;

3
etc/nginx/conf.d/sites_uptime-kuma.conf
View File

@@ -10,14 +10,13 @@ server {
ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/cross-origin-security.conf;
include snippets/quic.conf;
include snippets/proxy.conf;
proxy_hide_header Content-Security-Policy;
include snippets/universal_paths.conf;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; img-src 'self' data:; frame-src 'self'; manifest-src 'self'; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'none'; frame-ancestors 'self'; upgrade-insecure-requests";
location / {

1
etc/nginx/conf.d/sites_vaultwarden.conf
View File

@@ -10,7 +10,6 @@ server {
ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.tld/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/vault.yourdomain.tld/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/cross-origin-security.conf;
include snippets/quic.conf;

26
etc/nginx/conf.d/tls.conf
View File

@@ -1,26 +0,0 @@
# Shared TLS configuration
## Use strong ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
## Configure ssl session cache
## Improves performance but we don't wanna keep this forever
## Session ticket creation and rotation is handled by GrapheneOS's scripts:
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
ssl_session_cache shared:SSL:10m; # About 40000 sessions
ssl_session_timeout 1d;
ssl_session_ticket_key session-ticket-keys/4.key;
ssl_session_ticket_key session-ticket-keys/3.key;
ssl_session_ticket_key session-ticket-keys/2.key;
ssl_session_ticket_key session-ticket-keys/1.key;
## The following settings need to be declared manually per vhost:
# ssl_certificate
# ssl_certificate_key
# ssl_trusted_certificate
# ssl_stapling_file

2
etc/nginx/snippets/cross-origin-security.conf
View File

@@ -7,5 +7,7 @@ add_header Cross-Origin-Resource-Policy "same-origin" always;
proxy_hide_header Cross-Origin-Opener-Policy;
add_header Cross-Origin-Opener-Policy "same-origin" always;
# Change COEP to "credentialless" when supported by Safari
# https://developer.mozilla.org/en-US/docs/Web/API/Window/credentialless
proxy_hide_header Cross-Origin-Embedder-Policy;
add_header Cross-Origin-Embedder-Policy "require-corp" always;

5
etc/nginx/snippets/hsts.conf
View File

@@ -1,5 +0,0 @@
# Enable HSTS header
# Only add this to server blocks with TLS
proxy_hide_header Strict-Transport-Security;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

26
etc/nginx/snippets/proxy.conf
View File

@@ -4,17 +4,12 @@
# Force http 1.1, anything not supporting it shouldn't be used
proxy_http_version 1.1;
# Replay attack mitigation for early data
# Signal to upstream whether ssl_early_data is used
proxy_set_header Early-Data $ssl_early_data;
# Restore visitor IP
proxy_set_header X-Real-IP $remote_addr;
# Restore original method & URL
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-URI $request_uri;
# Forward host header
proxy_set_header Host $host;
@@ -23,7 +18,13 @@ proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Enable X-Forwarded headers
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
## Using $proxy_add_x_forwarded_for will append the $remote_addr to the end of the the IP lists
## If some clients sends a fake X-Forwarded-For, and the upstream server does not parses this
## correctly, it could result in security issues.
## We are not behind a reverse proxy, so just set it to $remote_addr should be good enough.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
@@ -31,3 +32,14 @@ proxy_set_header X-Forwarded-Port $server_port;
# Hide X-Powered-By
proxy_hide_header X-Powered-By;
# CVE-2018-14773
proxy_set_header X-Original-URL "";
proxy_set_header X-Rewrite-URL "";
# Not the CVE, but is extremely similar
proxy_set_header X-Original-URI "";
# Potentially dangerous: https://github.com/oauth2-proxy/oauth2-proxy/issues/735
proxy_set_header X-Original-Method "";
proxy_set_header X-Forwarded-Method "";

17
etc/nginx/snippets/security.conf
View File

@@ -1,22 +1,31 @@
# Global security headers - apply everywhere
proxy_hide_header Strict-Transport-Security;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# We do not set clipboard-write() here, because it is very commonly used
proxy_hide_header Strict-Transport-Security;
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-create=self, publickey-credentials-get=self, screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Access-Control-Max-Age
proxy_hide_header Access-Control-Max-Age;
add_header Access-Control-Max-Age "600";
proxy_hide_header Permissions-Policy;
add_header Referrer-Policy "same-origin" always;
proxy_hide_header X-Content-Type-Options;
add_header X-Content-Type-Options "nosniff" always;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "SAMEORIGIN" always;
proxy_hide_header X-Permitted-Cross-Domain-Policies;
add_header X-Permitted-Cross-Domain-Policies "none" always;
# Obsolete and replaced by Content-Security-Policy frame-ancestors
# Setting the less restrictive SAMEORIGIN here, as frame-ancestors 'none' will overwrite it anyways
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "SAMEORIGIN" always;
# Obsolete and replaced by Content-Security-Policy
# Only here to pass Hardenize checks
proxy_hide_header X-XSS-Protection;
add_header X-XSS-Protection "0" always;
add_header X-XSS-Protection "0" always;