From e68857d2fbe9317b3b7959b7d60acb9c721cbfc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iv=C3=A1n=20Salido=20Cobo?=
Date: Sun, 28 Jan 2024 21:32:53 +0100
Subject: [PATCH] =?UTF-8?q?Nueva=20configuraci=C3=B3nd=20de=20nginx=20para?=
 =?UTF-8?q?=20el=20servidor=20principal?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../etc/letsencrypt/options-ssl-nginx.conf | 16 ++++++++
 .../etc/nginx/conf.d/amp.wupp.dev.conf | 30 ++++++++++++++
 .../etc/nginx/conf.d/cloud.wupp.dev.conf | 9 ++--
 .../etc/nginx/conf.d/mc.wupp.dev.conf | 33 +++++++++++++++
 .../etc/nginx/conf.d/mcminio.wupp.dev.conf | 40 ++++++++++++++++++
 .../nginx/conf.d/web.mcminio.wupp.dev.conf | 41 +++++++++++++++++++
 .../etc/nginx/conf.d/www.wupp.dev.conf | 19 +++++++-
 7 files changed, 181 insertions(+), 7 deletions(-)
 create mode 100644 fs/principal/etc/letsencrypt/options-ssl-nginx.conf
 create mode 100644 fs/principal/etc/nginx/conf.d/amp.wupp.dev.conf
 create mode 100644 fs/principal/etc/nginx/conf.d/mc.wupp.dev.conf
 create mode 100644 fs/principal/etc/nginx/conf.d/mcminio.wupp.dev.conf
 create mode 100644 fs/principal/etc/nginx/conf.d/web.mcminio.wupp.dev.conf

diff --git a/fs/principal/etc/letsencrypt/options-ssl-nginx.conf b/fs/principal/etc/letsencrypt/options-ssl-nginx.conf
new file mode 100644
index 00000000..af9ea504
--- /dev/null
+++ b/fs/principal/etc/letsencrypt/options-ssl-nginx.conf
@@ -0,0 +1,16 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_protocols TLSv1.3;
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1d;
+ssl_session_tickets off;
+ssl_ecdh_curve secp384r1;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 208.67.222.222 208.67.220.220 valid=300s;
+resolver_timeout 5s;
+ssl_trusted_certificate /etc/letsencrypt/live/wupp.dev/chain.pem;
\ No newline at end of file
diff --git a/fs/principal/etc/nginx/conf.d/amp.wupp.dev.conf b/fs/principal/etc/nginx/conf.d/amp.wupp.dev.conf
new file mode 100644
index 00000000..bebbc8e8
--- /dev/null
+++ b/fs/principal/etc/nginx/conf.d/amp.wupp.dev.conf
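Review bot: `ssl_trusted_certificate /etc/letsencrypt/live/wupp.dev/chain.pem;` on the last line of this file is inherited by every vhost that includes it, yet amp, mc, mcminio and web.mcminio in this patch each terminate TLS with their own certificate from a different live/ directory; with `ssl_stapling_verify on` the stapled OCSP response is checked against this single chain, so any host whose certificate was issued by a different intermediate would, as far as I recall, just stop stapling with a warning in the error log rather than fail loudly. Either move the directive next to each `ssl_certificate` as `ssl_trusted_certificate /etc/letsencrypt/live/<host>/chain.pem;` (placeholder for each hostname) or add a comment recording the assumption that all certificates share one issuer chain. The content also diverges from what Certbot ships (TLS 1.3 only, a single `secp384r1` group, no cipher or `ssl_prefer_server_ciphers` lines), which the header comment itself says disables Certbot's automatic updates; restricting groups to P-384 alone also costs TLS 1.3 clients a HelloRetryRequest round trip since they offer X25519 by default. A one-line note such as `# Local hardened copy (TLSv1.3 only); not Certbot-managed, review by hand on renewal` would make the deliberate divergence visible to the next maintainer.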
@@ -0,0 +1,30 @@
+server {
+ server_name amp.wupp.dev;
+
+ access_log /var/log/nginx/amp.wupp.dev-access.log;
+ error_log /var/log/nginx/amp.wupp.dev-error.log;
+
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+ location / {
+ proxy_pass https://192.168.1.157;
+ proxy_ssl_session_reuse on;
+ proxy_ssl_verify off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/amp.wupp.dev/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/amp.wupp.dev/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
\ No newline at end of file
diff --git a/fs/principal/etc/nginx/conf.d/cloud.wupp.dev.conf b/fs/principal/etc/nginx/conf.d/cloud.wupp.dev.conf
index 226d7cb2..9ace4d6c 100644
--- a/fs/principal/etc/nginx/conf.d/cloud.wupp.dev.conf
+++ b/fs/principal/etc/nginx/conf.d/cloud.wupp.dev.conf
@@ -1,5 +1,5 @@
 upstream nextcloud {
- server 127.0.0.1:9000;
+ server 127.0.0.1:26848;
 }
 
 # Set the `immutable` cache control options only for assets with a cache busting `v` argument
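Review bot: `proxy_ssl_verify off;` inside `location /` makes the HTTPS hop to `192.168.1.157` encrypted but unauthenticated — nginx accepts whatever certificate answers at that address, so the upstream TLS gives no assurance that the real backend is on the other end. If the backend certificate is one you control, verify it with `proxy_ssl_trusted_certificate /path/to/backend-ca.pem;` (placeholder path), `proxy_ssl_verify on;` and a `proxy_ssl_name` matching the name in that certificate; if it is a self-signed appliance on a trusted LAN, record that decision in a comment next to the directive so it is not mistaken for an oversight. The identical `location /` block is repeated in mc.wupp.dev.conf, mcminio.wupp.dev.conf and web.mcminio.wupp.dev.conf in this patch, so the same point applies there. Separately, the `Referrer-Policy`, `Permissions-Policy` and `Strict-Transport-Security` lines lack the `always` flag that the X-* lines carry, which means HSTS is not emitted on 4xx/5xx responses from the backend; append `always` to all three for consistency.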
@@ -9,9 +9,12 @@ map $arg_v $asset_immutable {
 }
 
 server {
- server_name cloud.wupp.dev;
+ server_name cloud.wupp.dev;
 http2 on;
 
+ access_log /var/log/nginx/cloud.wupp.dev-access.log;
+ error_log /var/log/nginx/cloud.wupp.dev-error.log;
+
 # set max upload size
 client_max_body_size 50G;
 # unlimited download speed
@@ -40,7 +43,7 @@ server {
 add_header X-XSS-Protection "1; mode=block" always;
 add_header Referrer-Policy "no-referrer" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 
 # Add .mjs as a file extension for javascript
 # Either include it in the default mime.types list
diff --git a/fs/principal/etc/nginx/conf.d/mc.wupp.dev.conf b/fs/principal/etc/nginx/conf.d/mc.wupp.dev.conf
new file mode 100644
index 00000000..ff7b4882
--- /dev/null
+++ b/fs/principal/etc/nginx/conf.d/mc.wupp.dev.conf
@@ -0,0 +1,33 @@
+server {
+ server_name mc.wupp.dev;
+ http2 on;
+
+ access_log /var/log/nginx/mc.wupp.dev-access.log;
+ error_log /var/log/nginx/mc.wupp.dev-error.log;
+
+ add_header Allow "GET, POST, OPTIONS";
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ #add_header Content-Security-Policy "default-src 'self' blob:https://mc.wupp.dev https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'";
+ add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+ location / {
+ proxy_pass https://192.168.1.157;
+ proxy_ssl_session_reuse on;
+ proxy_ssl_verify off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/mc.wupp.dev/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/mc.wupp.dev/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
\ No newline at end of file
diff --git a/fs/principal/etc/nginx/conf.d/mcminio.wupp.dev.conf b/fs/principal/etc/nginx/conf.d/mcminio.wupp.dev.conf
new file mode 100644
index 00000000..1100aff6
--- /dev/null
+++ b/fs/principal/etc/nginx/conf.d/mcminio.wupp.dev.conf
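Review bot: `add_header Allow "GET, POST, OPTIONS";` near the top of this server block advertises a method list but enforces nothing — `Allow` is a response header meant to accompany a 405, and every other method is still proxied to the backend untouched. If the intent is to restrict methods at the edge, put `limit_except GET POST OPTIONS { deny all; }` inside `location /` (note that allowing GET also allows HEAD) and let nginx answer with 403; if it is purely informational, drop the header, since sending it on every 200 is misleading to clients. The same directive is added to www.wupp.dev.conf in this patch. The commented-out `Content-Security-Policy` line is dead configuration; either remove it or say why it is parked, e.g. `# CSP disabled until the external origins the UI loads are confirmed`.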
@@ -0,0 +1,40 @@
+server {
+ server_name mcminio.wupp.dev;
+
+ # Allow special characters in headers
+ ignore_invalid_headers off;
+ # Allow any size file to be uploaded.
+ # Set to a value such as 1000m; to restrict file size to a specific value
+ client_max_body_size 0;
+ # Disable buffering
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+ location / {
+ proxy_pass https://192.168.1.157;
+ proxy_ssl_session_reuse on;
+ proxy_ssl_verify off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ chunked_transfer_encoding off;
+ proxy_connect_timeout 300;
+ }
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/mcminio.wupp.dev/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/mcminio.wupp.dev/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
diff --git a/fs/principal/etc/nginx/conf.d/web.mcminio.wupp.dev.conf b/fs/principal/etc/nginx/conf.d/web.mcminio.wupp.dev.conf
new file mode 100644
index 00000000..c5c9832d
--- /dev/null
+++ b/fs/principal/etc/nginx/conf.d/web.mcminio.wupp.dev.conf
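Review bot: `proxy_connect_timeout 300;` at the end of `location /` is not doing what the value suggests: the nginx documentation notes the connect timeout cannot usually exceed 75 seconds, so if slow multi-gigabyte uploads are the concern the directives that actually govern them are `proxy_read_timeout 300;` and `proxy_send_timeout 300;`. Keep `proxy_http_version 1.1;` (an unbuffered request body needs it), but `proxy_set_header Connection "";` only buys backend keep-alive when `proxy_pass` targets an `upstream` block with a `keepalive` directive; against a bare IP it is inert, so either add the upstream block or comment that it is there for forward-compatibility. The seven `add_header` lines are now copied verbatim into five files in this patch; a single `include /etc/nginx/snippets/security-headers.conf;` (placeholder path) would keep them in step, and bear in mind that `add_header` appends to whatever the backend already sends rather than replacing it, so any header MinIO sets itself needs a `proxy_hide_header` first to avoid duplicates. This block also omits the `http2 on;` that mc, cloud and www enable — worth a comment if that is deliberate.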
@@ -0,0 +1,41 @@
+server {
+ server_name web.mcminio.wupp.dev;
+
+ # Allow special characters in headers
+ ignore_invalid_headers off;
+ # Allow any size file to be uploaded.
+ # Set to a value such as 1000m; to restrict file size to a specific value
+ client_max_body_size 0;
+ # Disable buffering
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+ location / {
+ proxy_pass https://192.168.1.157;
+ proxy_ssl_session_reuse on;
+ proxy_ssl_verify off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_connect_timeout 300;
+ }
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/web.mcminio.wupp.dev/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/web.mcminio.wupp.dev/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
\ No newline at end of file
diff --git a/fs/principal/etc/nginx/conf.d/www.wupp.dev.conf b/fs/principal/etc/nginx/conf.d/www.wupp.dev.conf
index ed3bab19..07b91f41 100644
--- a/fs/principal/etc/nginx/conf.d/www.wupp.dev.conf
+++ b/fs/principal/etc/nginx/conf.d/www.wupp.dev.conf
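Review bot: `proxy_set_header Connection "upgrade";` in `location /` sends `Connection: upgrade` to the backend on every request, not only on WebSocket handshakes, because `$http_upgrade` is empty for ordinary requests while the Connection value is hard-coded. The pattern nginx documents is an http-level map, `map $http_upgrade $connection_upgrade { default upgrade; '' close; }`, and then `proxy_set_header Connection $connection_upgrade;` here; that map has to live outside this server block (nginx.conf or a conf.d snippet), which this patch does not show. The `proxy_connect_timeout 300;` line has the same 75-second-cap caveat raised on mcminio.wupp.dev.conf. The blank line before the closing `}` and the missing trailing newline are cosmetic, but they differ from the sibling files and will show up as noise in every future diff.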
@@ -2,11 +2,22 @@ server {
 server_name wupp.dev www.wupp.dev;
 http2 on;
 
- #access_log /var/log/nginx/host.access.log main;
+ add_header Allow "GET, POST, OPTIONS";
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'";
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'";
+ add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+ root /var/www/html;
+ index landing.html;
 
 location / {
- root /usr/share/nginx/html;
- index index.html index.htm;
+ try_files $uri /landing.html;
 }
 
 #error_page 404 /404.html;
@@ -18,7 +29,7 @@ server {
 root /usr/share/nginx/html;
 }
 
- listen 443 ssl; # managed by Certbot
+ listen 443 ssl default_server; # managed by Certbot
 ssl_certificate /etc/letsencrypt/live/wupp.dev/fullchain.pem; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/wupp.dev/privkey.pem; # managed by Certbot
 include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
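Review bot: The `Content-Security-Policy` added in the first hunk allows `'unsafe-inline' 'unsafe-eval'` in `script-src`, which lets any injected inline script execute and so removes most of the XSS containment the header exists to provide, and the `Content-Security-Policy-Report-Only` line directly below it repeats the same policy with no `report-uri`/`report-to`, so it reports nowhere and is pure dead weight. If the landing page genuinely needs inline scripts today, keep the enforced header but make the Report-Only copy the stricter candidate policy with a reporting endpoint, e.g. `add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'nonce-<value>'; report-to csp-endpoint";` (constructed value, needs a matching `Reporting-Endpoints` header), or drop it entirely. `listen 443 ssl default_server;` in the second hunk makes this vhost answer every TLS connection whose SNI matches no other server, serving this certificate and `/var/www/html`; that is a sensible catch-all but deserves a one-line comment. The location whose tail (`root /usr/share/nginx/html;`) opens the second hunk still points at the old document root while the server `root` moved to `/var/www/html`; its start is outside the hunk, so confirm the error page it serves still exists at the old path.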