fix security headers and sockets

Signed-off-by: Zoey <zoey@z0ey.de>
Zoey
2023-10-10 19:33:30 +02:00
parent dec9dc990f
commit efcca74d67
11 changed files with 16 additions and 100 deletions


@@ -53,7 +53,7 @@ RUN apk add --no-cache ca-certificates git build-base && \
sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
FROM zoeyvid/nginx-quic:205
FROM zoeyvid/nginx-quic:206
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
COPY rootfs /
RUN apk add --no-cache ca-certificates tzdata tini \


@@ -271,55 +271,6 @@ const internalNginx = {
});
},
/**
* This generates a temporary nginx config listening on port 80 for the domain names listed
* in the certificate setup. It allows the certbot acme challenge to be requested by certbot
* when requesting a certificate without having a hostname set up already.
*
* @param {Object} certificate
* @returns {Promise}
*/
generateLetsEncryptRequestConfig: (certificate) => {
if (config.debug()) {
logger.info('Generating certbot Request Config:', certificate);
}
const renderEngine = utils.getRenderEngine();
return new Promise((resolve, reject) => {
let template = null;
let filename = '/usr/local/nginx/conf/conf.d/certbot_' + certificate.id + '.conf';
try {
template = fs.readFileSync(__dirname + '/../templates/certbot-request.conf', {encoding: 'utf8'});
} catch (err) {
reject(new error.ConfigurationError(err.message));
return;
}
certificate.ipv6 = internalNginx.ipv6Enabled();
renderEngine
.parseAndRender(template, certificate)
.then((config_text) => {
fs.writeFileSync(filename, config_text, {encoding: 'utf8'});
if (config.debug()) {
logger.success('Wrote config:', filename, config_text);
}
resolve(true);
})
.catch((err) => {
if (config.debug()) {
logger.warn('Could not write ' + filename + ':', err.message);
}
reject(new error.ConfigurationError(err.message));
});
});
},
/**
* A simple wrapper around unlinkSync that writes to the logger
*
@@ -343,19 +294,6 @@ const internalNginx = {
return host_type.replace(new RegExp('-', 'g'), '_');
},
/**
* This removes the temporary nginx config file generated by `generateLetsEncryptRequestConfig`
*
* @param {Object} certificate
* @returns {Promise}
*/
deleteLetsEncryptRequestConfig: (certificate) => {
const config_file = '/usr/local/nginx/conf/conf.d/letsencrypt_' + certificate.id + '.conf';
return new Promise((resolve/*, reject*/) => {
internalNginx.deleteFile(config_file);
resolve();
});
},
/**
* @param {String} host_type


@@ -1,17 +1,7 @@
{% if certificate and certificate_id > 0 -%}
{% if ssl_forced == 1 or ssl_forced == true %}
{% if hsts_enabled == 1 or hsts_enabled == true %}
add_header X-XSS-Protection "0" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests" always;
add_header Expect-CT "enforce; max-age=86400" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Cross-Origin-Embedder-Policy-Report-Only "require-corp; report-to='default'" always;
add_header Cross-Origin-Opener-Policy-Report-Only "same-origin-allow-popups; report-to='default'" always;
include conf.d/include/hsts.conf;
{% endif %}
{% endif %}
{% endif %}
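Review bot: The single `include conf.d/include/hsts.conf;` now makes the `hsts_enabled` toggle on the line above control every header in that file, not just Strict-Transport-Security; judging by the new include file added in this same commit, it also carries X-Frame-Options, X-Content-Type-Options, Referrer-Policy and the CSP, so a host with HSTS switched off loses its clickjacking and MIME-sniffing protection as well. The inline `add_header` block this replaces had the same coupling, but now that the headers live in a file named "hsts" the mismatch is easier to miss. I'd keep only the HSTS header behind the toggle and include the remaining headers as soon as the `ssl_forced` branch is taken, e.g. `include conf.d/include/security-headers.conf;` directly inside `{% if ssl_forced == 1 or ssl_forced == true %}`, with `include conf.d/include/hsts.conf;` left where it is. The outer `{% if certificate ... %}` nesting is fully visible in this hunk.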


@@ -1,4 +1,4 @@
listen unix:/run/nginx.sock;
listen unix:/run/nginx-{{ id }}.sock;
listen 80;
listen [::]:80;
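Review bot: `{{ id }}` is interpolated straight into a filesystem path in `listen unix:/run/nginx-{{ id }}.sock;`; that is fine if it is the host row's integer key, but nothing in this snippet guarantees it, and this listen include sits next to the generic port-80 listeners and so looks shared by every host type, in which case proxy, redirection and dead hosts drawing ids from separate tables would have two hosts binding `/run/nginx-1.sock`. nginx accepts duplicate `listen` entries across server blocks and just treats the first one as the default for that socket, so the per-host socket would then silently answer for the wrong host. Either confirm the id space is global or fold the host type into the name, e.g. `listen unix:/run/nginx-{{ host_type }}-{{ id }}.sock;` if such a variable reaches this template (I can't tell from here). Note also that nginx creates unix listen sockets with mode 0666, so anything that can reach `/run` inside the container can reach each host's plain-HTTP vhost; presumably intended, but worth a comment. The server block this include belongs to lies outside the hunk.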


@@ -1,18 +0,0 @@
{% include "_header_comment.conf" %}
server {
listen unix:/run/nginx.sock;
listen 80;
listen [::]:80;
server_name {{ domain_names | join: " " }};
include conf.d/include/acme-challenge.conf;
include conf.d/include/block-exploits.conf;
location / {
include conf.d/include/acme-challenge.conf;
return 404;
}
}


@@ -2,8 +2,6 @@
# Default Site
# ------------------------------------------------------------
server {
listen unix:/run/nginx.sock default_server;
listen 80 default_server;
listen [::]:80 default_server;



@@ -2,8 +2,6 @@
# Default Site
# ------------------------------------------------------------
server {
listen unix:/run/nginx.sock default_server;
listen 80 default_server;
listen [::]:80 default_server;


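--- /dev/null
+++ b/conf.d/include/hsts.conf
@@ -0,0 +1,8 @@
+more_set_headers "X-XSS-Protection: 0";
+more_set_headers "X-Frame-Options: SAMEORIGIN";
+more_set_headers "X-Content-Type-Options: nosniff";
+more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
+more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
+more_set_headers "Expect-CT: enforce; max-age=86400";
+more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";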
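Review bot: `more_set_headers` replaces an upstream header of the same name rather than adding a second one, so a backend that already sends a stricter `Content-Security-Policy` or `X-Frame-Options: DENY` now has it overwritten by the weaker `Content-Security-Policy: upgrade-insecure-requests` and `SAMEORIGIN` from this file; the `add_header` lines this replaces appended instead, and browsers enforce the intersection of duplicate CSP headers, so this is a regression for proxied apps that ship their own policy. If overriding is intended, say so at the top of the file, e.g. `# Overrides any same-named header from the upstream; stricter policies belong here, not in the app.`; otherwise set the CSP and X-Frame-Options lines only when the upstream did not (a `map` on `$upstream_http_content_security_policy` feeding `add_header`). Separately, `Expect-CT` has been dropped by the browsers that implemented it and no longer buys anything, so that line can go. The `@@ -0,0 +1,8 @@` header promises eight lines and seven are shown; the eighth is presumably a trailing blank.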


@@ -1,6 +1,4 @@
server {
listen unix:/run/nginx.sock;
listen 80;
listen [::]:80;


@@ -23,7 +23,11 @@ http {
lua_package_path "/usr/local/nginx/lib/lua/?.lua;;";
server_tokens off;
hide_server_tokens on;
more_clear_headers "Server";
more_clear_headers "X-Powered-By";
more_clear_headers "X-Page-Speed";
more_clear_headers "X-Varnish";
aio threads;
sendfile on;
tcp_nopush on;
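Review bot: The four `more_clear_headers` lines after `hide_server_tokens on;` strip vendor and version headers from every response, including proxied ones, but nothing says why they are there or that the list is only the usual suspects; a one-line comment would keep the next reader from mistaking it for a security control, e.g. `# Strip upstream fingerprint headers (hides vendor/version disclosure only; not a security boundary).`. If version disclosure is the target, `X-AspNet-Version` and `X-AspNetMvc-Version` leak in the same way as `X-Powered-By` and belong in the same list. The `http {}` block and the directive run it sits in continue outside the hunk.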