diff --git a/Dockerfile b/Dockerfile
index d935eba3..69f68082 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -53,7 +53,7 @@ RUN apk add --no-cache ca-certificates git build-base && \
 sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
-FROM zoeyvid/nginx-quic:205
+FROM zoeyvid/nginx-quic:206
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 COPY rootfs /
 RUN apk add --no-cache ca-certificates tzdata tini \
diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js
index fa6299f5..8c7970f9 100644
--- a/backend/internal/nginx.js
+++ b/backend/internal/nginx.js
@@ -271,55 +271,6 @@ const internalNginx = {
 });
 },
- /**
- * This generates a temporary nginx config listening on port 80 for the domain names listed
- * in the certificate setup. It allows the certbot acme challenge to be requested by certbot
- * when requesting a certificate without having a hostname set up already.
- *
- * @param {Object} certificate
- * @returns {Promise}
- */
- generateLetsEncryptRequestConfig: (certificate) => {
- if (config.debug()) {
- logger.info('Generating certbot Request Config:', certificate);
- }
-
- const renderEngine = utils.getRenderEngine();
-
- return new Promise((resolve, reject) => {
- let template = null;
- let filename = '/usr/local/nginx/conf/conf.d/certbot_' + certificate.id + '.conf';
-
- try {
- template = fs.readFileSync(__dirname + '/../templates/certbot-request.conf', {encoding: 'utf8'});
- } catch (err) {
- reject(new error.ConfigurationError(err.message));
- return;
- }
-
- certificate.ipv6 = internalNginx.ipv6Enabled();
-
- renderEngine
- .parseAndRender(template, certificate)
- .then((config_text) => {
- fs.writeFileSync(filename, config_text, {encoding: 'utf8'});
-
- if (config.debug()) {
- logger.success('Wrote config:', filename, config_text);
- }
-
- resolve(true);
- })
- .catch((err) => {
- if (config.debug()) {
- logger.warn('Could not write ' + filename + ':', err.message);
- }
-
- reject(new error.ConfigurationError(err.message));
- });
- });
- },
-
 /**
 * A simple wrapper around unlinkSync that writes to the logger
 *
@@ -343,19 +294,6 @@ const internalNginx = {
 return host_type.replace(new RegExp('-', 'g'), '_');
 },
- /**
- * This removes the temporary nginx config file generated by `generateLetsEncryptRequestConfig`
- *
- * @param {Object} certificate
- * @returns {Promise}
- */
- deleteLetsEncryptRequestConfig: (certificate) => {
- const config_file = '/usr/local/nginx/conf/conf.d/letsencrypt_' + certificate.id + '.conf';
- return new Promise((resolve/*, reject*/) => {
- internalNginx.deleteFile(config_file);
- resolve();
- });
- },
 /**
 * @param {String} host_type
diff --git a/backend/templates/_hsts.conf b/backend/templates/_hsts.conf
index 18b4f450..82664d0f 100644
--- a/backend/templates/_hsts.conf
+++ b/backend/templates/_hsts.conf
@@ -1,17 +1,7 @@
 {% if certificate and certificate_id > 0 -%}
 {% if ssl_forced == 1 or ssl_forced == true %}
 {% if hsts_enabled == 1 or hsts_enabled == true %}
- add_header X-XSS-Protection "0" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests" always;
-
- add_header Expect-CT "enforce; max-age=86400" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-
- add_header Cross-Origin-Embedder-Policy-Report-Only "require-corp; report-to='default'" always;
- add_header Cross-Origin-Opener-Policy-Report-Only "same-origin-allow-popups; report-to='default'" always;
+ include conf.d/include/hsts.conf;
 {% endif %}
 {% endif %}
 {% endif %}
diff --git a/backend/templates/_listen.conf b/backend/templates/_listen.conf
index 858615a1..2b5973e5 100644
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@@ -1,4 +1,4 @@
- listen unix:/run/nginx.sock;
+ listen unix:/run/nginx-{{ id }}.sock;
 listen 80;
 listen [::]:80;
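Review bot: The new `include conf.d/include/hsts.conf;` in backend/templates/_hsts.conf does not emit everything the removed add_header block did: the included file, added later in this diff under rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf, reduces Content-Security-Policy from `default-src https: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests` to `upgrade-insecure-requests` alone and drops both Cross-Origin-*-Policy-Report-Only headers, so the source restriction and the `default` report endpoint are silently gone. If the relaxation is intended, a one-line comment at the top of hsts.conf such as `# CSP intentionally limited to upgrade-insecure-requests; COEP/COOP report-only headers removed` would keep the next reader from restoring them as an accidental regression; if it is not, the missing directives belong in that file. The `hsts_enabled` conditional still gates the whole include, which keeps the old per-host behaviour.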
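Review bot: `listen unix:/run/nginx-{{ id }}.sock;` interpolates `id` straight into the directive, so every host template that includes _listen.conf must be rendered with `id` set; Liquid renders a missing variable as an empty string, and two hosts rendered that way would quietly share `/run/nginx-.sock` as ordinary name-based virtual hosts rather than fail at `nginx -t`, which defeats the per-host socket this change appears to introduce. It would be worth validating on the backend side that `id` is a positive integer before rendering (it is presumably the host's database id, but the hunk does not show its origin), or giving the template a guard like `{% if id %}` around the unix listener. The backend default.conf hunk later in this diff drops the shared `/run/nginx.sock` listener entirely, so anything that still connects to that path needs updating in the same change.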
diff --git a/backend/templates/certbot-request.conf b/backend/templates/certbot-request.conf
deleted file mode 100644
index 54533691..00000000
--- a/backend/templates/certbot-request.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-{% include "_header_comment.conf" %}
-
-server {
- listen unix:/run/nginx.sock;
-
- listen 80;
- listen [::]:80;
-
- server_name {{ domain_names | join: " " }};
-
- include conf.d/include/acme-challenge.conf;
- include conf.d/include/block-exploits.conf;
-
- location / {
- include conf.d/include/acme-challenge.conf;
- return 404;
- }
-}
diff --git a/backend/templates/default.conf b/backend/templates/default.conf
index 88806d06..fde8bc5a 100644
--- a/backend/templates/default.conf
+++ b/backend/templates/default.conf
@@ -2,8 +2,6 @@
 # Default Site
 # ------------------------------------------------------------
 server {
- listen unix:/run/nginx.sock default_server;
- listen 80 default_server;
 listen [::]:80 default_server;
diff --git a/frontend/app-images/logo-text-vertical-grey.png b/frontend/app-images/logo-text-vertical-grey.png
index df90ece6..4676ee81 100644
Binary files a/frontend/app-images/logo-text-vertical-grey.png and b/frontend/app-images/logo-text-vertical-grey.png differ
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
index 100a8d3d..3d11fb0d 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
@@ -2,8 +2,6 @@
 # Default Site
 # ------------------------------------------------------------
 server {
- listen unix:/run/nginx.sock default_server;
- listen 80 default_server;
 listen [::]:80 default_server;
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
new file mode 100644
index 00000000..58f094bf
--- /dev/null
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
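Review bot: Removing `listen 80 default_server;` from backend/templates/default.conf while keeping only `listen [::]:80 default_server;` leaves the default site without an IPv4 listener, because nginx's `ipv6only` listen parameter defaults to on and `[::]:80` then accepts IPv6 connections only; nothing in the hunk sets it off. The per-host `_listen.conf` still binds `listen 80;`, so on IPv4 the first configured host becomes the implicit default for port 80 and requests with an unknown or absent Host header are served by an arbitrary tenant's proxy host instead of this catch-all, which is the host-confusion case the default server exists to prevent. Unless the base image arranges dual-stack binding in a way this diff does not show, keep `listen 80 default_server;` next to the IPv6 line. The same removal is made in the rootfs/usr/local/nginx/conf/conf.d/include/default.conf hunk in this line and in rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf on the next, and applies there too.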
@@ -0,0 +1,8 @@
+more_set_headers "X-XSS-Protection: 0";
+more_set_headers "X-Frame-Options: SAMEORIGIN";
+more_set_headers "X-Content-Type-Options: nosniff";
+more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
+more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
+
+more_set_headers "Expect-CT: enforce; max-age=86400";
+more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
\ No newline at end of file
diff --git a/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf b/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
index 67cbbfbc..d2c44c6c 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
@@ -1,6 +1,4 @@
 server {
- listen unix:/run/nginx.sock;
- listen 80;
 listen [::]:80;
diff --git a/rootfs/usr/local/nginx/conf/nginx.conf b/rootfs/usr/local/nginx/conf/nginx.conf
index 3565d6cd..463d0810 100644
--- a/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/rootfs/usr/local/nginx/conf/nginx.conf
@@ -23,7 +23,11 @@ http {
 lua_package_path "/usr/local/nginx/lib/lua/?.lua;;";
 server_tokens off;
- hide_server_tokens on;
+ more_clear_headers "Server";
+ more_clear_headers "X-Powered-By";
+ more_clear_headers "X-Page-Speed";
+ more_clear_headers "X-Varnish";
+
 aio threads;
 sendfile on;
 tcp_nopush on;
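Review bot: The new rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf ends without a trailing newline (`\ No newline at end of file`); nginx parses it fine, but every later addition will show the last directive as modified, so add the newline. `Expect-CT` is ported over from the old template although the header is deprecated and no longer honoured by current browsers, so it could be dropped instead of re-expressed as `more_set_headers "Expect-CT: enforce; max-age=86400";`. One thing to confirm against the headers-more documentation is that `more_set_headers` without a `-s` status list applies to error responses as well, since that is what the old `always` flag guaranteed for these headers.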
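Review bot: The four `more_clear_headers` lines in rootfs/usr/local/nginx/conf/nginx.conf can be one directive, since headers-more accepts several header names per call: `more_clear_headers "Server" "X-Powered-By" "X-Page-Speed" "X-Varnish";`. A comment above it noting that this replaces `hide_server_tokens on;` and therefore requires the headers-more module in the base image would help, as the only hint is the Dockerfile bump of `zoeyvid/nginx-quic` from 205 to 206, which presumably ships that module (an inference; the diff does not say). Because these directives run in the response header filter they should also strip the listed headers from proxied upstream responses, unlike `server_tokens off`, which is the defensive effect worth stating so nobody later relies on `X-Powered-By` reaching clients.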