Merge remote-tracking branch 'origin/main' into development

etc/nginx/conf.d/default-quic.conf

@@ -6,7 +6,6 @@ server {
 
     server_name hostname.of.your.server;
 
-    include snippets/hsts.conf;
     include snippets/quic.conf;
     include snippets/robots.conf;
     include snippets/universal_paths.conf;

etc/nginx/conf.d/default.conf

@@ -1,3 +1,55 @@
+# Use http2
+http2 on;
+
+# Shared TLS configuration
+
+## Use strong ciphers
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
+ssl_conf_command Options PrioritizeChaCha;
+
+# Use strong ciphers for proxies
+proxy_ssl_verify on;
+proxy_ssl_server_name on;
+proxy_ssl_session_reuse on;
+proxy_ssl_protocols TLSv1.2 TLSv1.3;
+proxy_ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+proxy_ssl_conf_command Options PrioritizeChaCha;
+
+## Configure ssl session cache
+## Improves performance but we don't wanna keep this forever
+## Session ticket creation and rotation is handled by GrapheneOS's scripts:
+## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
+## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
+
+ssl_session_cache shared:SSL:10m; # About 40000 sessions
+ssl_session_timeout 1d;
+ssl_session_ticket_key session-ticket-keys/4.key;
+ssl_session_ticket_key session-ticket-keys/3.key;
+ssl_session_ticket_key session-ticket-keys/2.key;
+ssl_session_ticket_key session-ticket-keys/1.key;
+
+## The following settings need to be declared manually per vhost:
+## ssl_certificate
+## ssl_certificate_key
+## ssl_trusted_certificate
+## ssl_stapling_file
+
+# Make sure ssl early data is off - replay attack mitigation
+ssl_early_data off;
+
+# Set-Cookie
+proxy_cookie_domain ~ "";
+proxy_cookie_flags ~ secure;
+
+# Disable compression
+## Mitigates oracle attacks
+gzip off;
+
+# Disable server tokens
+server_tokens off;
+
 server {
     listen 127.0.0.1:80 default_server;
 #    listen [ipv6_1]:80 default_server;

etc/nginx/conf.d/http2.conf

@@ -1,3 +0,0 @@
-# This is all it takes to enable http2 globally
-
-http2 on;

etc/nginx/conf.d/server_tokens.conf

@@ -1 +0,0 @@
-server_tokens off;

etc/nginx/conf.d/sites_miniflux.conf

@@ -10,7 +10,6 @@ server {
     ssl_certificate_key /etc/letsencrypt/live/miniflux.yourdomain.tld/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/chain.pem;
 
-    include snippets/hsts.conf;
     include snippets/security.conf;
     include snippets/cross-origin-security.conf;
     include snippets/quic.conf;

etc/nginx/conf.d/sites_nextcloud.conf

@@ -10,7 +10,6 @@ server {
     ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.tld/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/cloud.yourdomain.tld/chain.pem;
 
-    include snippets/hsts.conf;
     include snippets/security.conf;
     include snippets/quic.conf;
     include snippets/proxy.conf;

etc/nginx/conf.d/sites_uptime-kuma.conf

@@ -10,14 +10,13 @@ server {
     ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem;
 
-    include snippets/hsts.conf;
     include snippets/security.conf;
     include snippets/cross-origin-security.conf;
     include snippets/quic.conf;
     include snippets/proxy.conf;
-    proxy_hide_header Content-Security-Policy;
     include snippets/universal_paths.conf;
 
+    proxy_hide_header Content-Security-Policy;
     add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; img-src 'self' data:; frame-src 'self'; manifest-src 'self'; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'none'; frame-ancestors 'self'; upgrade-insecure-requests";
 
     location / {

etc/nginx/conf.d/sites_vaultwarden.conf

@@ -10,7 +10,6 @@ server {
     ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.tld/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/vault.yourdomain.tld/chain.pem;
 
-    include snippets/hsts.conf;
     include snippets/security.conf;
     include snippets/cross-origin-security.conf;
     include snippets/quic.conf;

etc/nginx/conf.d/tls.conf

@@ -1,26 +0,0 @@
-# Shared TLS configuration
-
-## Use strong ciphers
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
-ssl_prefer_server_ciphers on;
-ssl_conf_command Options PrioritizeChaCha;
-
-## Configure ssl session cache
-## Improves performance but we don't wanna keep this forever
-## Session ticket creation and rotation is handled by GrapheneOS's scripts:
-## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
-## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
-
-ssl_session_cache shared:SSL:10m; # About 40000 sessions
-ssl_session_timeout 1d;
-ssl_session_ticket_key session-ticket-keys/4.key;
-ssl_session_ticket_key session-ticket-keys/3.key;
-ssl_session_ticket_key session-ticket-keys/2.key;
-ssl_session_ticket_key session-ticket-keys/1.key;
-
-## The following settings need to be declared manually per vhost:
-# ssl_certificate
-# ssl_certificate_key
-# ssl_trusted_certificate
-# ssl_stapling_file

etc/nginx/snippets/cross-origin-security.conf

@@ -7,5 +7,7 @@ add_header Cross-Origin-Resource-Policy "same-origin" always;
 proxy_hide_header Cross-Origin-Opener-Policy;
 add_header Cross-Origin-Opener-Policy "same-origin" always;
 
+# Change COEP to "credentialless" when supported by Safari
+# https://developer.mozilla.org/en-US/docs/Web/API/Window/credentialless
 proxy_hide_header Cross-Origin-Embedder-Policy;
 add_header Cross-Origin-Embedder-Policy "require-corp" always;

etc/nginx/snippets/hsts.conf

@@ -1,5 +0,0 @@
-# Enable HSTS header
-# Only add this to server blocks with TLS
-
-proxy_hide_header Strict-Transport-Security;
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

etc/nginx/snippets/proxy.conf

@@ -4,17 +4,12 @@
 # Force http 1.1, anything not supporting it shouldn't be used
 proxy_http_version 1.1;
 
-# Replay attack mitigation for early data
+# Signal to upstream whether ssl_early_data is used
 proxy_set_header Early-Data $ssl_early_data;
 
 # Restore visitor IP
 proxy_set_header X-Real-IP $remote_addr;
 
-# Restore original method & URL
-proxy_set_header X-Original-Method $request_method;
-proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-proxy_set_header X-Original-URI $request_uri;
-
 # Forward host header
 proxy_set_header Host $host;
 
@@ -23,7 +18,13 @@ proxy_set_header   Upgrade $http_upgrade;
 proxy_set_header   Connection "upgrade";
 
 # Enable X-Forwarded headers
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+## Using $proxy_add_x_forwarded_for will append the $remote_addr to the end of the the IP lists
+## If some clients sends a fake X-Forwarded-For, and the upstream server does not parses this
+## correctly, it could result in security issues.
+## We are not behind a reverse proxy, so just set it to $remote_addr should be good enough.
+proxy_set_header X-Forwarded-For $remote_addr;
+
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Ssl on;
@@ -31,3 +32,14 @@ proxy_set_header X-Forwarded-Port $server_port;
 
 # Hide X-Powered-By
 proxy_hide_header X-Powered-By;
+
+# CVE-2018-14773
+proxy_set_header X-Original-URL "";
+proxy_set_header X-Rewrite-URL "";
+
+# Not the CVE, but is extremely similar
+proxy_set_header X-Original-URI "";
+
+# Potentially dangerous: https://github.com/oauth2-proxy/oauth2-proxy/issues/735
+proxy_set_header X-Original-Method "";
+proxy_set_header X-Forwarded-Method "";

etc/nginx/snippets/security.conf

@@ -1,22 +1,31 @@
 # Global security headers - apply everywhere
 
+proxy_hide_header Strict-Transport-Security;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
 # We do not set clipboard-write() here, because it is very commonly used
 proxy_hide_header Strict-Transport-Security;
 add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-create=self, publickey-credentials-get=self, screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
 
+# Access-Control-Max-Age
+proxy_hide_header Access-Control-Max-Age;
+add_header Access-Control-Max-Age "600";
+
 proxy_hide_header Permissions-Policy;
 add_header Referrer-Policy "same-origin" always;
 
 proxy_hide_header X-Content-Type-Options;
 add_header X-Content-Type-Options "nosniff" always;
 
-proxy_hide_header X-Frame-Options;
-add_header X-Frame-Options "SAMEORIGIN" always;
-
 proxy_hide_header X-Permitted-Cross-Domain-Policies;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 
+# Obsolete and replaced by Content-Security-Policy frame-ancestors
+# Setting the less restrictive SAMEORIGIN here, as frame-ancestors 'none' will overwrite it anyways
+proxy_hide_header X-Frame-Options;
+add_header X-Frame-Options "SAMEORIGIN" always;
+
 # Obsolete and replaced by Content-Security-Policy
 # Only here to pass Hardenize checks
 proxy_hide_header X-XSS-Protection;
-add_header X-XSS-Protection "0" always;
+add_header X-XSS-Protection "0" always;

setup.sh

@@ -68,9 +68,9 @@ fi
 sudo semanage fcontext -a -t httpd_sys_content_t "$(realpath /srv/nginx)(/.*)?"
 sudo mkdir -p /srv/nginx/.well-known/acme-challenge
 sudo chmod -R 755 /srv/nginx
-unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/ads.txt | sudo tee /srv/nginx/ads.txt > /dev/null
+unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/srv/nginx/ads.txt | sudo tee /srv/nginx/ads.txt > /dev/null
-unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/app-ads.txt | sudo tee /srv/nginx/app-ads.txt > /dev/null
+unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/srv/nginx/app-ads.txt | sudo tee /srv/nginx/app-ads.txt > /dev/null
-unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/robots.txt | sudo tee /srv/nginx/robots.txt > /dev/null
+unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/srv/nginx/robots.txt | sudo tee /srv/nginx/robots.txt > /dev/null
 sudo chmod 644 /srv/nginx/ads.txt /srv/nginx/app-ads.txt /srv/nginx/robots.txt
 sudo restorecon -Rv "$(realpath /srv/nginx)"
 
@@ -122,13 +122,9 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
 
 # Download NGINX configs
 
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf > /dev/null
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/server_tokens.conf | sudo tee /etc/nginx/conf.d/server_tokens.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/default.conf | sudo tee /etc/nginx/conf.d/default.conf > /dev/null
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf > /dev/null
 
 sudo mkdir -p /etc/nginx/snippets
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null

srv/nginx/robots.txt

@@ -8,10 +8,9 @@ Disallow: /
 Allow: /ads.txt
 Allow: /app-ads.txt
 
-User-agent: peer39_crawler
 User-agent: peer39_crawler/1.0
 User-agent: TurnitinBot
-User-agent: NPBot
+User-agent: AcademicBotRTU
 User-agent: SlySearch
 User-agent: BLEXBot
 User-agent: CheckMarkNetwork/1.0 (+https://www.checkmarknetwork.com/spider.html)
@@ -24,6 +23,7 @@ User-agent: MJ12bot
 User-agent: AI2Bot
 User-agent: Ai2Bot-Dolma
 User-agent: Amazonbot
+User-agent: anthropic-ai
 User-agent: Applebot
 User-agent: Applebot-Extended
 User-agent: Bytespider
@@ -31,34 +31,38 @@ User-agent: CCBot
 User-agent: ChatGPT-User
 User-agent: Claude-Web
 User-agent: ClaudeBot
+User-agent: cohere-ai
+User-agent: cohere-training-data-crawler
+User-agent: Crawlspace
 User-agent: Diffbot
+User-agent: DuckAssistBot
 User-agent: FacebookBot
 User-agent: FriendlyCrawler
-User-agent: GPTBot
 User-agent: Google-Extended
 User-agent: GoogleOther
 User-agent: GoogleOther-Image
 User-agent: GoogleOther-Video
+User-agent: GPTBot
+User-agent: iaskspider/2.0
 User-agent: ICC-Crawler
-User-agent: ISSCyberRiskCrawler
 User-agent: ImagesiftBot
+User-agent: img2dataset
+User-agent: ISSCyberRiskCrawler
 User-agent: Kangaroo Bot
 User-agent: Meta-ExternalAgent
 User-agent: Meta-ExternalFetcher
 User-agent: OAI-SearchBot
+User-agent: omgili
+User-agent: omgilibot
+User-agent: PanguBot
 User-agent: PerplexityBot
 User-agent: PetalBot
 User-agent: Scrapy
+User-agent: SemrushBot-OCOB
+User-agent: SemrushBot-SWA
 User-agent: Sidetrade indexer bot
 User-agent: Timpibot
 User-agent: VelenPublicWebCrawler
 User-agent: Webzio-Extended
 User-agent: YouBot
-User-agent: anthropic-ai
-User-agent: cohere-ai
-User-agent: facebookexternalhit
-User-agent: iaskspider/2.0
-User-agent: img2dataset
-User-agent: omgili
-User-agent: omgilibot
 Disallow: /