author | hashworks | 2020-03-24 19:07:09 +0100 |
committer | hashworks | 2020-03-24 19:07:09 +0100 |
commit | c2c7c807feb68955019978543b21388cf6e9ab5a (patch) | |
tree | 914ef18b9560347cb9140407d5645af95055ddf2 /filebin-nginx.conf | |
parent | 6a7d7889ad981b2972417b6e70b52b7b9cc2379a (diff) | |
Update nginx example config
Primarily I wanted to fix `root /usr/share/webapps/filebin;` which is a
security risk, but I guess a full update wouldn't hurt as well.
I dropped the HTTP example since no one should really use that.
Diffstat (limited to 'filebin-nginx.conf')
-rw-r--r-- | filebin-nginx.conf | 124 |
1 files changed, 74 insertions, 50 deletions
diff --git a/filebin-nginx.conf b/filebin-nginx.conf
index 8333a193b25f..1fed639647ea 100644
--- a/filebin-nginx.conf
+++ b/filebin-nginx.conf
@@ -1,64 +1,88 @@
-## http server redirecting to https
+## Example config for http redirects
 server {
- listen 80;
- server_name example.com;
+ listen 80;
+ listen [::]:80 default;
+ server_name example.com;
- return 301 https://$server_name$request_uri;
+ return 301 https://$server_name$request_uri;
 }
-## sample http server, if no https is being used, if you use this comment the https server section
-#server {
-# listen 80;
-# server_name example.com;
-
-
-# root /usr/share/webapps/filebin;
-# index index.php index.html index.htm;
-
-# location / {
-# # First attempt to serve request as file, then
-# # as directory, then fall back to displaying a 404.
-# try_files $uri $uri/ /index.php /index.html;
-# }
-# location ~ ^(.+\.php)(.*)$ {
-# try_files $fastcgi_script_name =404;
-# fastcgi_split_path_info ^(.+\.php)(.*)$;
-# fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
-# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-# fastcgi_param PATH_INFO $fastcgi_path_info;
-# include /etc/nginx/fastcgi_params;
-# }
-#}
-
-## Config for server secured with https
+## Example config for server secured with https
 server {
- listen 443;
-
- root /usr/share/webapps/filebin;
- index index.php index.html index.htm;
-
+ listen 0.0.0.0:443 ssl http2;
+ listen [::]:443 ssl http2;
 server_name example.com;
+ access_log /var/log/nginx/example.com/access.log combined if=$log_ip;
+ error_log /var/log/nginx/example.com/error.log;
- ssl on;
- ssl_certificate certificate.crt;
- ssl_certificate_key private-key.key;
- ssl_session_timeout 5m;
- ssl_ciphers 'AES128+EECDH:AES128+EDH';
- ssl_prefer_server_ciphers on;
+ root /usr/share/webapps/filebin/public_html/;
+
+ add_header X-Frame-Options DENY;
 location / {
- # First attempt to serve request as file, then
- # as directory, then fall back to displaying a 404.
- try_files $uri $uri/ /index.php /index.html;
+ try_files $uri $uri/ @ee;
 }
- location ~ ^(.+\.php)(.*)$ {
- try_files $fastcgi_script_name =404;
- fastcgi_split_path_info ^(.+\.php)(.*)$;
- fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- include /etc/nginx/fastcgi_params;
+ location @ee {
+ rewrite ^(.*) /index.php?$1 last;
 }
+
+ # Needs:
+ # $config['download_driver'] = 'nginx';
+ # $config['download_nginx_location'] = '/u';
+ location ^~ /u/ {
+ internal;
+ gzip off;
+ sendfile on;
+ sendfile_max_chunk 100m;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 120;
+ proxy_max_temp_file_size 0;
+ chunked_transfer_encoding off;
+ alias /usr/share/webapps/filebin/data/uploads/;
+ }
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/run/php-fpm/fb.sock;
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ }
+
+ add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'";
+
+ add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'none'; font-src 'self'; object-src 'none'; media-src 'self'; worker-src 'none'; frame-src 'none'; form-action 'self'; frame-ancestors 'none'; base-uri 'self';";
+
+ add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+ add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # EECDH+AESGCM is a weaker cipher, but we need it for Android 5.0 / 6.0 support.
+ ssl_ciphers "EECDH+AESGCM+SHA384:EECDH+AESGCM";
+ #ssl_ciphers "EECDH+AESGCM+SHA384";
+
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve secp384r1;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 127.0.0.1 valid=300s;
+ resolver_timeout 5s;
+
+ # openssl dhparam -out /etc/ssl/dhparam.pem 4096
+ ssl_dhparam /etc/ssl/dhparam.pem;
+
+ # See https://wiki.archlinux.org/index.php/Certbot
+ ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+
+ # Optional, needs to be generated
+ #ssl_stapling_file /etc/letsencrypt/ocspresponse/fb.hash.works.der;
 }
+# vi:syntax=nginx |
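Review bot: The new `access_log ... combined if=$log_ip;` line references a variable that nothing in this file defines, and since the hunk covers the whole file, unless a `map` in the enclosing `http` context supplies `$log_ip` nginx will refuse to load the config with an unknown-variable error; the example should either define it (e.g. `map $remote_addr $log_ip { default 1; }` in `http` context, with a comment saying where it lives) or drop the `if=` clause. The new `location ~ \.php$` block hands every `*.php` URI to PHP-FPM without checking that the script exists under the new `root`; adding `try_files $uri =404;` before `fastcgi_pass` keeps requests for non-existent paths from reaching the FPM socket at all. The CSP's `script-src 'self' 'unsafe-inline' 'unsafe-eval'` largely neutralises the script-injection protection the rest of the policy provides; presumably the application needs it, but a comment stating that (and that `'unsafe-eval'` should be removed if the app runs without it) would mark it as an application constraint rather than a recommendation. Likewise `Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"` in an example config deserves a one-line note that it commits every subdomain of the host to HTTPS and is hard to revert once the domain is on the preload list.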