Update nginx example config

Primarily I wanted to fix `root /usr/share/webapps/filebin;` which is a
security risk, but I guess a full update wouldn't hurt as well.

I dropped the HTTP example since none should really use that.

1 files changed, 74 insertions, 50 deletions

diff --git a/filebin-nginx.conf b/filebin-nginx.conf
index 8333a193b25f..1fed639647ea 100644
--- a/filebin-nginx.conf
+++ b/filebin-nginx.conf
@@ -1,64 +1,88 @@
-## http server redirecting to https
+## Example config for http redirects
 server {
-	listen	80;
-	server_name	example.com;
+	listen 80;
+	listen [::]:80 default;
+	server_name example.com;
 
-	return 301	https://$server_name$request_uri;
+	return 301 https://$server_name$request_uri;
 }
 
-## sample http server, if no https is being used, if you use this comment the https server section
-#server {
-#	listen 	80;
-#	server_name 	example.com;
-
-
-#	root 	/usr/share/webapps/filebin;
-#	index index.php index.html index.htm;
-
-#	location / {
-#		# First attempt to serve request as file, then
-#		# as directory, then fall back to displaying a 404.
-#		try_files $uri $uri/ /index.php /index.html;
-#	}
-#	location ~ ^(.+\.php)(.*)$ {
-#		try_files $fastcgi_script_name =404;
-#		fastcgi_split_path_info  ^(.+\.php)(.*)$;
-#		fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
-#		fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
-#		fastcgi_param  PATH_INFO        $fastcgi_path_info;
-#		include        /etc/nginx/fastcgi_params;
-#	}
-#}
-
-## Config for server secured with https
+## Example config for server secured with https
 server {
-	listen   443;
-
-	root /usr/share/webapps/filebin;
-	index index.php index.html index.htm;
-
+	listen 0.0.0.0:443 ssl http2;
+	listen [::]:443 ssl http2;
 	server_name example.com;
 
+	access_log /var/log/nginx/example.com/access.log combined if=$log_ip;
+	error_log  /var/log/nginx/example.com/error.log;
 
-	ssl					     						on;
-	ssl_certificate		 					certificate.crt;
-	ssl_certificate_key  				private-key.key;
-	ssl_session_timeout 				5m;
-	ssl_ciphers 								'AES128+EECDH:AES128+EDH';
-	ssl_prefer_server_ciphers 	on;
+	root /usr/share/webapps/filebin/public_html/;
+
+	add_header X-Frame-Options DENY;
 
 	location / {
-		# First attempt to serve request as file, then
-		# as directory, then fall back to displaying a 404.
-		try_files $uri $uri/ /index.php /index.html;
+		try_files $uri $uri/ @ee;
 	}
-	location ~ ^(.+\.php)(.*)$ {
-		try_files $fastcgi_script_name =404;
-		fastcgi_split_path_info  ^(.+\.php)(.*)$;
-		fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
-		fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
-		fastcgi_param  PATH_INFO        $fastcgi_path_info;
-		include        /etc/nginx/fastcgi_params;
+	location @ee {
+		rewrite ^(.*) /index.php?$1 last;
 	}
+
+	# Needs:
+	# $config['download_driver'] = 'nginx';
+	# $config['download_nginx_location'] = '/u';
+	location ^~ /u/ {
+		internal;
+		gzip off;
+		sendfile on;
+		sendfile_max_chunk 100m;
+		tcp_nopush on;
+		tcp_nodelay on;
+		keepalive_timeout 120;
+		proxy_max_temp_file_size 0;
+		chunked_transfer_encoding off;
+		alias /usr/share/webapps/filebin/data/uploads/;
+	}
+
+	location ~ \.php$ {
+		fastcgi_pass unix:/run/php-fpm/fb.sock;
+		fastcgi_index index.php;
+		include fastcgi.conf;
+	}
+
+	add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'";
+
+	add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'none'; font-src 'self'; object-src 'none'; media-src 'self'; worker-src 'none'; frame-src 'none'; form-action 'self'; frame-ancestors 'none'; base-uri 'self';";
+
+	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+	add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
+	add_header X-Content-Type-Options nosniff;
+	add_header X-XSS-Protection "1; mode=block";
+
+	ssl_protocols TLSv1.2 TLSv1.3;
+
+	# EECDH+AESGCM is a weaker cipher, but we need it for Android 5.0 / 6.0 support.
+	ssl_ciphers "EECDH+AESGCM+SHA384:EECDH+AESGCM";
+	#ssl_ciphers "EECDH+AESGCM+SHA384";
+
+	ssl_prefer_server_ciphers on;
+	ssl_ecdh_curve secp384r1;
+	ssl_session_cache shared:SSL:10m;
+	ssl_session_tickets off;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+
+	resolver 127.0.0.1 valid=300s;
+	resolver_timeout 5s;
+
+	# openssl dhparam -out /etc/ssl/dhparam.pem 4096
+	ssl_dhparam /etc/ssl/dhparam.pem;
+
+	# See https://wiki.archlinux.org/index.php/Certbot
+	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+
+	# Optional, needs to be generated
+	#ssl_stapling_file /etc/letsencrypt/ocspresponse/fb.hash.works.der;
 }
 
+# vi:syntax=nginx