authorhashworks2020-03-24 19:07:09 +0100
committerhashworks2020-03-24 19:07:09 +0100
commitc2c7c807feb68955019978543b21388cf6e9ab5a (patch)
tree914ef18b9560347cb9140407d5645af95055ddf2
parent6a7d7889ad981b2972417b6e70b52b7b9cc2379a (diff)
downloadaur-c2c7c807feb68955019978543b21388cf6e9ab5a.tar.gz
Update nginx example config
Primarily I wanted to fix `root /usr/share/webapps/filebin;`, which is a security risk, but I guess a full update wouldn't hurt either. I dropped the HTTP example since no one should really use that.
-rw-r--r--filebin-nginx.conf124
1 files changed, 74 insertions, 50 deletions
diff --git a/filebin-nginx.conf b/filebin-nginx.conf
index 8333a193b25..1fed639647e 100644
--- a/filebin-nginx.conf
+++ b/filebin-nginx.conf
@@ -1,64 +1,88 @@
-## http server redirecting to https
+## Example config for http redirects
server {
- listen 80;
- server_name example.com;
+ listen 80;
+ listen [::]:80 default;
+ server_name example.com;
- return 301 https://$server_name$request_uri;
+ return 301 https://$server_name$request_uri;
}
-## sample http server, if no https is being used, if you use this comment the https server section
-#server {
-# listen 80;
-# server_name example.com;
-
-
-# root /usr/share/webapps/filebin;
-# index index.php index.html index.htm;
-
-# location / {
-# # First attempt to serve request as file, then
-# # as directory, then fall back to displaying a 404.
-# try_files $uri $uri/ /index.php /index.html;
-# }
-# location ~ ^(.+\.php)(.*)$ {
-# try_files $fastcgi_script_name =404;
-# fastcgi_split_path_info ^(.+\.php)(.*)$;
-# fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
-# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-# fastcgi_param PATH_INFO $fastcgi_path_info;
-# include /etc/nginx/fastcgi_params;
-# }
-#}
-
-## Config for server secured with https
+## Example config for server secured with https
server {
- listen 443;
-
- root /usr/share/webapps/filebin;
- index index.php index.html index.htm;
-
+ listen 0.0.0.0:443 ssl http2;
+ listen [::]:443 ssl http2;
server_name example.com;
+ access_log /var/log/nginx/example.com/access.log combined if=$log_ip;
+ error_log /var/log/nginx/example.com/error.log;
- ssl on;
- ssl_certificate certificate.crt;
- ssl_certificate_key private-key.key;
- ssl_session_timeout 5m;
- ssl_ciphers 'AES128+EECDH:AES128+EDH';
- ssl_prefer_server_ciphers on;
+ root /usr/share/webapps/filebin/public_html/;
+
+ add_header X-Frame-Options DENY;
location / {
- # First attempt to serve request as file, then
- # as directory, then fall back to displaying a 404.
- try_files $uri $uri/ /index.php /index.html;
+ try_files $uri $uri/ @ee;
}
- location ~ ^(.+\.php)(.*)$ {
- try_files $fastcgi_script_name =404;
- fastcgi_split_path_info ^(.+\.php)(.*)$;
- fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- include /etc/nginx/fastcgi_params;
+ location @ee {
+ rewrite ^(.*) /index.php?$1 last;
}
+
+ # Needs:
+ # $config['download_driver'] = 'nginx';
+ # $config['download_nginx_location'] = '/u';
+ location ^~ /u/ {
+ internal;
+ gzip off;
+ sendfile on;
+ sendfile_max_chunk 100m;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 120;
+ proxy_max_temp_file_size 0;
+ chunked_transfer_encoding off;
+ alias /usr/share/webapps/filebin/data/uploads/;
+ }
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/run/php-fpm/fb.sock;
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ }
+
+ add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'";
+
+ add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'none'; font-src 'self'; object-src 'none'; media-src 'self'; worker-src 'none'; frame-src 'none'; form-action 'self'; frame-ancestors 'none'; base-uri 'self';";
+
+ add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+ add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # EECDH+AESGCM is a weaker cipher, but we need it for Android 5.0 / 6.0 support.
+ ssl_ciphers "EECDH+AESGCM+SHA384:EECDH+AESGCM";
+ #ssl_ciphers "EECDH+AESGCM+SHA384";
+
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve secp384r1;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 127.0.0.1 valid=300s;
+ resolver_timeout 5s;
+
+ # openssl dhparam -out /etc/ssl/dhparam.pem 4096
+ ssl_dhparam /etc/ssl/dhparam.pem;
+
+ # See https://wiki.archlinux.org/index.php/Certbot
+ ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+
+ # Optional, needs to be generated
+ #ssl_stapling_file /etc/letsencrypt/ocspresponse/fb.hash.works.der;
}
+# vi:syntax=nginx
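Review bot: The security headers added at lines 77 and 117-124 use `add_header` without the `always` flag, so nginx attaches them only to 2xx/3xx responses; the 404 produced by `try_files` and any PHP error page are sent without HSTS, CSP or X-Frame-Options. Appending `always` to each of them, e.g. `add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;`, closes that gap. The `access_log ... if=$log_ip;` line at 67 references a variable this file never defines, presumably set by a `map` in the http context, and an undefined variable there will likely make nginx refuse to start; a comment such as `# $log_ip must be defined by a map {} block in the http context` would save anyone copying this example. The `location ~ \.php$` block hands every `.php` request to php-fpm with no `try_files $uri =404;` guard; with the document root now limited to public_html this is probably harmless, but the guard is cheap and keeps nonexistent scripts from reaching the FastCGI backend.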