From 6d9394e62da50daab19de8560402b62ccc004686 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kov=C3=A1cs=20Zolt=C3=A1n?= Date: Wed, 12 Feb 2025 20:28:25 +0100 Subject: [PATCH] Web security enhancements * new dependency: libnginx-mod-http-headers-more-filter * security headers in _general.conf (inherited to all vhosts) * scheme-dependent Strict-Transport-Security header in nginx.conf --- .metadata | Bin 9456 -> 9456 bytes .templates/nginx/.nginx/_default.conf | 44 +++++++++++++++++++++----- .templates/nginx/.nginx/_general.conf | 21 ++++++++++-- .templates/nginx/nginx.conf | 25 +++++++-------- 4 files changed, 66 insertions(+), 24 deletions(-) 
diff --git a/.metadata b/.metadata index b31cad577189268f16fba3091667eed7168c5832..81ef96b9d0df75f3ec77507056624d39a94b7318 100644 GIT binary patch delta 148 zcmez1`N4Ao7pvfxP4m+kfZ)cHe>@<1!{iGJlABFf*_e3NeO&{VdON8>YI3}+`s8>O zzR7vq@|$O|H*&C?o4O`_@<9%f$rA+GHd_kRbFt`60*i=Fo-e^Qd4dq@<_A*$8F^Gc fK}_jY?or+RTILQTs=4#|#V0RdX4(8sj)@HbeA6_* delta 131 zcmez1`N4Ao7pvf$lVRx$AmFyf07Pw=d_h5Svk5C36VKk2^TAR=ask$p<7L$+$E)y7 z&f}KfJd3@NgGu!1$hostname"; + } + + ################################################################################## + # The SSL part + # https://ssl-config.mozilla.org/ + # https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033 + + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + # Settings to achieve 'A' grade on https://www.ssllabs.com/ssltest/ + ssl_session_timeout 1440m; + ssl_session_tickets off; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers off; + ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA"; + + # Activate it only in case of stable HTTPs service. +# more_set_headers "Strict-Transport-Security: $hsts_header"; +# ssl_stapling on; +# ssl_stapling_verify on; - location / { - default_type text/html; - return 404 "$hostname"; - } } diff --git a/.templates/nginx/.nginx/_general.conf b/.templates/nginx/.nginx/_general.conf index 1eead3a..cc98517 100644 --- a/.templates/nginx/.nginx/_general.conf +++ b/.templates/nginx/.nginx/_general.conf 
@@ -1,14 +1,29 @@
 # NGINX general configuration for Docker services.
+# Uses ngx_http_headers_more_filter_module to inherit the security headers.
+# Note, this is not a really restrictive policy!
+# Feel free to customize the particular vhost definitions.
 # Doesn't explore unnecessary info.
+#
 server_tokens off;
-# Depends on ngx_http_security_headers_module.so
-#hide_server_tokens on;
+
+# Security headers to achieve 'A' grade on https://securityheaders.com/
+# See e.g https://linuxcapable.com/how-to-configure-security-headers-in-nginx/
+# Depends on ngx_http_headers_more_filter_module.so
+#
+# These are valid restrictions below.
+more_set_headers "X-Frame-Options: SAMEORIGIN";
+more_set_headers "X-Content-Type-Options: nosniff";
+more_set_headers "Referrer-Policy: no-referrer-when-downgrade";
+# These are dummy restrictions (meaningless headers) below.
+more_set_headers "Content-Security-Policy: img-src *";
+more_set_headers "Permissions-Policy: geolocation=*";
 # https://amalgjose.com/2020/05/15/how-to-set-the-allowed-url-length-for-a-nginx-request-error-code-414-uri-too-large/
+#
 large_client_header_buffers 4 32k;
 # https://serverfault.com/questions/602201/nginx-possible-bug-with-dashes-in-server-name
 # https://trac.nginx.org/nginx/ticket/571
+#
 #server_names_hash_bucket_size 64;
-
diff --git a/.templates/nginx/nginx.conf b/.templates/nginx/nginx.conf
index e3ccb24..59bc93b 100644
--- a/.templates/nginx/nginx.conf
+++ b/.templates/nginx/nginx.conf
@@ -3,6 +3,8 @@
 # Flags the non 2xx or non 3xx (probably error) responses.
 map $status $errorlog_$PAR_PROXYPORT { ~^[23] 0; default 1; }
+# The STS header should only be sent over https.
+map $scheme $hsts_header_$PAR_PROXYPORT { https "max-age=31536000; includeSubDomains"; }
 # Virtualhost's configuration follows.
 server {
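Review bot: `more_set_headers "Permissions-Policy: geolocation=*";` is not the harmless dummy the comment above it claims: the browser's default allowlist for geolocation is `self`, so `*` widens it to every cross-origin frame, making the inherited baseline looser than having no header at all; use `more_set_headers "Permissions-Policy: geolocation=()";` (or `geolocation=(self)`) so a vhost can only tighten from here. In the "valid restrictions" group, `Referrer-Policy: no-referrer-when-downgrade` still sends the full URL, path and query included, to every cross-origin HTTPS destination; `more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";` is the current browser default and the usual baseline. `Content-Security-Policy: img-src *` restricts nothing because directives not listed are unrestricted when there is no `default-src`, so it only exists to satisfy a scanner; either drop it or say so in the comment, e.g. `# CSP placeholder only: img-src * permits everything; define a real policy per vhost.`. Since these headers are set in the http context through headers-more, a vhost that overrides the same header with plain `add_header` is likely to emit both values (for CSP the browser then enforces the intersection), so per-vhost overrides should also use `more_set_headers`.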
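Review bot: The new `map $scheme $hsts_header_$PAR_PROXYPORT { https "max-age=31536000; includeSubDomains"; }` has no `default`, so on plain http the variable is empty and the `more_set_headers "Strict-Transport-Security: ..."` line later in this file would set an empty value, which headers-more treats as clearing the header rather than sending it; that is the wanted outcome but it is implicit. Make it explicit with a `default "";` entry and state the reliance in the comment, e.g. `# On http the value is empty and headers-more clears the header instead of emitting it.`. Note that `$scheme` describes the connection to this nginx; if TLS is terminated in front of it the key must be `$http_x_forwarded_proto` instead, otherwise HSTS is never sent. `includeSubDomains` binds every subdomain of the served name to HTTPS for a year, so confirm no http-only subdomains exist before the header is activated.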
@@ -67,11 +69,11 @@ server {
 #
 # Static service.
 # location / {
-# root $PAR_SERVICE/storage/volumes/staticweb/;
-# allow all;
-# autoindex off;
-# index index.html index.htm;
-# try_files $ri $uri/ =404;
+# root $PAR_SERVICE/storage/volumes/staticweb/;
+# allow all;
+# autoindex off;
+# index index.html index.htm;
+# try_files $ri $uri/ =404;
 # }
 #
 # No static service, but we may provide the OPTIONS for a potential DAV client.
@@ -104,14 +106,11 @@ server {
 ssl_prefer_server_ciphers off;
 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # Read before activating: https://blog.g3rt.nl/nginx-add_header-pitfall.html
-# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-# add_header X-Frame-Options SAMEORIGIN;
-# add_header X-Content-Type-Options nosniff;
+ # Activate it only in case of stable https service.
+# more_set_headers "Strict-Transport-Security: $hsts_header_$PAR_PROXYPORT";
+# ssl_stapling on;
+# ssl_stapling_verify on;
 }
-# That's all.
\ No newline at end of file
+# That's all.
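Review bot: The re-added `# ssl_stapling_verify on;` has no `ssl_trusted_certificate` next to it, and nginx cannot verify OCSP responses without the issuer chain, so whoever uncomments these three lines will get verification failures in the error log and no stapled response; the activation block should carry `ssl_trusted_certificate /path/to/chain.pem;` alongside them. The old `ssl_stapling on;` was unconditional and is now off by default; with a placeholder certificate (presumably the same snakeoil pair used in `_default.conf`) that is the right call because there is no OCSP responder to query, but the comment should say why, e.g. `# Stapling needs a CA-issued certificate with an OCSP responder plus ssl_trusted_certificate; pointless with the snakeoil cert.`. The enclosing `server { }` block starts before this hunk, so the `ssl_certificate` in use is not visible here.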