Web security enhancements

* new dependency: libnginx-mod-http-headers-more-filter * security headers in _general.conf (inherited to all vhosts) * scheme-dependent Strict-Transport-Security header in nginx.conf
2025-02-12 20:28:25 +01:00 · 2025-02-12 20:28:25 +01:00 · 6d9394e62d
commit 6d9394e62d
parent ddd6a71186
4 changed files with 66 additions and 24 deletions
--- a/.metadata
+++ b/.metadata
--- a/.templates/nginx/.nginx/_default.conf
+++ b/.templates/nginx/.nginx/_default.conf
@ -1,14 +1,42 @@
 # A restrictive default virtualhost configuration.
+# Provides HTTPs with a self-signed certificate.
+
+# The STS header should only be sent over https.
+map $scheme $hsts_header { https "max-age=31536000; includeSubDomains"; }

 server {
-        listen 80 default_server;
-        server_name _;
+    listen 80 default_server;
+    listen 443 ssl default_server;

-        root /var/www/html;
-        index index.html index.htm index.nginx-debian.html;
+    server_name _;
+
+    root /var/www/html;
+    index index.html index.htm index.nginx-debian.html;
+
+    location / {
+        types { } default_type text/html;
+        return 404 "<span style='font-size: large'>$hostname</span>";
+    }
+
+    ##################################################################################
+    # The SSL part
+    # https://ssl-config.mozilla.org/
+    # https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033
+
+    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    # Settings to achieve 'A' grade on https://www.ssllabs.com/ssltest/
+    ssl_session_timeout 1440m;
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
+
+    # Activate it only in case of stable HTTPs service.
+#   more_set_headers "Strict-Transport-Security: $hsts_header";
+#   ssl_stapling on;
+#   ssl_stapling_verify on;

-        location / {
-            default_type text/html;
-            return 404 "<span style='font-size: large'>$hostname</span>";
-        }
 }
--- a/.templates/nginx/.nginx/_general.conf
+++ b/.templates/nginx/.nginx/_general.conf
@ -1,14 +1,29 @@
 # NGINX general configuration for Docker services.
+# Uses ngx_http_headers_more_filter_module to inherit the security headers.
+# Note, this is not a really restrictive policy!
+# Feel free to customize the particular vhost definitions.

 # Doesn't explore unnecessary info.
+#
 server_tokens off;
-# Depends on ngx_http_security_headers_module.so
-#hide_server_tokens on;
+
+# Security headers to achieve 'A' grade on https://securityheaders.com/
+# See e.g https://linuxcapable.com/how-to-configure-security-headers-in-nginx/
+# Depends on ngx_http_headers_more_filter_module.so
+#
+# These are valid restrictions below.
+more_set_headers "X-Frame-Options: SAMEORIGIN";
+more_set_headers "X-Content-Type-Options: nosniff";
+more_set_headers "Referrer-Policy: no-referrer-when-downgrade";
+# These are dummy restrictions (meaningless headers) below.
+more_set_headers "Content-Security-Policy: img-src *";
+more_set_headers "Permissions-Policy: geolocation=*";

 # https://amalgjose.com/2020/05/15/how-to-set-the-allowed-url-length-for-a-nginx-request-error-code-414-uri-too-large/
+#
 large_client_header_buffers 4 32k;

 # https://serverfault.com/questions/602201/nginx-possible-bug-with-dashes-in-server-name
 # https://trac.nginx.org/nginx/ticket/571
+#
 #server_names_hash_bucket_size 64;
-
--- a/.templates/nginx/nginx.conf
+++ b/.templates/nginx/nginx.conf
@ -3,6 +3,8 @@

 # Flags the  non 2xx or non 3xx (probably error) responses.
 map $status $errorlog_$PAR_PROXYPORT { ~^[23]  0; default 1; }
+# The STS header should only be sent over https.
+map $scheme $hsts_header_$PAR_PROXYPORT { https "max-age=31536000; includeSubDomains"; }

 # Virtualhost's configuration follows.
 server {
@ -67,11 +69,11 @@ server {
    #
    # Static service.
 #   location / {
-#	root $PAR_SERVICE/storage/volumes/staticweb/;
-#	allow all;
-#	autoindex off;
-#	index index.html index.htm;
-#	try_files $ri $uri/ =404;
+#       root $PAR_SERVICE/storage/volumes/staticweb/;
+#       allow all;
+#       autoindex off;
+#       index index.html index.htm;
+#       try_files $ri $uri/ =404;
 #   }
    #
    # No static service, but we may provide the OPTIONS for a potential DAV client.
@ -104,14 +106,11 @@ server {
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

-    ssl_stapling on;
-    ssl_stapling_verify on;
-
-    # Read before activating: https://blog.g3rt.nl/nginx-add_header-pitfall.html
-#   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-#   add_header X-Frame-Options SAMEORIGIN;
-#   add_header X-Content-Type-Options nosniff;
+    # Activate it only in case of stable https service.
+#   more_set_headers "Strict-Transport-Security: $hsts_header_$PAR_PROXYPORT";
+#   ssl_stapling on;
+#   ssl_stapling_verify on;

 }

-# That's all.
+# That's all.