From 13cba9c8ae3450cbd6bbf916245a451691dda0ab Mon Sep 17 00:00:00 2001
From: Mathieu Sanchez
Date: Tue, 30 Apr 2019 18:23:04 +0900
Subject: [PATCH] Change conf nginx

---
 .../conf/applications/api.c2a-systeme.fr.conf | 50 ++++++++++++-----
 .../applications/dev.api.c2a-systeme.fr.conf | 56 +++++++++++++------
 .../conf/applications/git.c2a-systeme.fr.conf | 50 ++++++++++++-----
 .../applications/gitlab.c2a-systeme.fr.conf | 48 +++++++++++----
 .../applications/jenkins.c2a-systeme.fr.conf | 47 ++++++++++++----
 .../portainer.c2a-systeme.fr.conf | 47 ++++++++++++----
 .../conf/applications/www.c2a-systeme.fr.conf | 36 +++++++-----
 docker/install-nginx.sh | 15 ++---
 8 files changed, 247 insertions(+), 102 deletions(-)

diff --git a/docker/conf/applications/api.c2a-systeme.fr.conf b/docker/conf/applications/api.c2a-systeme.fr.conf
index 9ff527c..e640635 100644
--- a/docker/conf/applications/api.c2a-systeme.fr.conf
+++ b/docker/conf/applications/api.c2a-systeme.fr.conf
@@ -1,5 +1,4 @@
 # http://nginx.org/en/docs/http/websocket.html
-# http://nginx.org/en/docs/http/websocket.html
 map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
@@ -25,23 +24,40 @@ server { listen [::]:443 http2; ssl on; - # paths are relative to prefix and not to this file - ssl_certificate /etc/letsencrypt/live/api.c2a-systeme.fr/cert.pem; + ssl_certificate /etc/letsencrypt/live/api.c2a-systeme.fr/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/api.c2a-systeme.fr/privkey.pem; - ssl_session_timeout 5m; + ssl_session_timeout 10m; ssl_session_cache shared:SSL:50m; - # https://bettercrypto.org/static/applied-crypto-hardening.pdf - # https://mozilla.github.io/server-side-tls/ssl-config-generator/ - # https://cipherli.st/ - # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_prefer_server_ciphers on; + # Enable server-side protection against BEAST attacks ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; + + # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096 + ssl_dhparam /etc/ssl/ffdhe4096.pem; + ssl_ecdh_curve secp521r1:secp384r1; - # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - add_header Strict-Transport-Security "max-age=15768000"; + # Aditional Security Headers + # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + # ref: 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + add_header X-Frame-Options DENY always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + add_header X-Content-Type-Options nosniff always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + add_header X-Xss-Protection "1; mode=block" always; + + # Enable OCSP stapling + # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live/api.c2a-systeme.fr/fullchain.pem; + resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare + resolver_timeout 5s; # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options add_header X-Frame-Options "SAMEORIGIN"; @@ -78,6 +94,12 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; + # Required for LE certificate enrollment using certbot + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /var/www/html; + } + location / { # No buffering to temp files, it fails for large downloads proxy_max_temp_file_size 0; @@ -93,4 +115,4 @@ server { proxy_pass http://127.0.0.1:8004; } -} +} diff --git a/docker/conf/applications/dev.api.c2a-systeme.fr.conf b/docker/conf/applications/dev.api.c2a-systeme.fr.conf index 2555d07..47107b0 100644 --- a/docker/conf/applications/dev.api.c2a-systeme.fr.conf +++ b/docker/conf/applications/dev.api.c2a-systeme.fr.conf @@ -1,5 +1,4 @@ # http://nginx.org/en/docs/http/websocket.html -# http://nginx.org/en/docs/http/websocket.html map $http_upgrade $connection_upgrade { default upgrade; '' close; @@ -10,7 +9,7 @@ server { listen 80; listen [::]:80; - server_name dev.api.c2a-systeme.fr; + server_name api.dev.c2a-systeme.fr; location / { # redirect everything to HTTPS 
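Review bot: The new `add_header X-Frame-Options DENY always;` is added while the pre-existing `add_header X-Frame-Options "SAMEORIGIN";` context line further down the hunk is kept, so every response carries two X-Frame-Options headers with conflicting values and the effective policy depends on how each browser resolves the conflict; keep exactly one — drop the SAMEORIGIN line if DENY is the intent, or drop the new line if the application must be framed from its own origin. The comment `# Enable server-side protection against BEAST attacks` sits above `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, but TLS 1.0 — the version BEAST targets — is still enabled, so either restrict to `ssl_protocols TLSv1.2;` or reword the comment to describe what `ssl_prefer_server_ciphers on` actually does. `ssl_dhparam /etc/ssl/ffdhe4096.pem;` replaces the certbot-generated `/etc/letsencrypt/ssl-dhparams.pem`, and the visible part of the install-nginx.sh hunk in this commit does not fetch or generate that file, so nginx will refuse to load the config until it is provisioned — add a step to the script or a comment stating where the file comes from. Also, nginx does not inherit server-level `add_header` directives into a `location` that declares its own `add_header`, so if any location block below (outside this hunk) sets one, these headers are silently absent on those paths. The same three points apply to the matching hunks in dev.api, git, gitlab, jenkins and portainer .conf; the enclosing server block starts and ends outside this hunk.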
@@ -20,28 +19,45 @@ server { # https server server { - server_name dev.api.c2a-systeme.fr; + server_name api.dev.c2a-systeme.fr; listen 443 http2; listen [::]:443 http2; ssl on; - # paths are relative to prefix and not to this file - ssl_certificate /etc/letsencrypt/live/dev.api.c2a-systeme.fr/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/dev.api.c2a-systeme.fr/privkey.pem; - ssl_session_timeout 5m; + ssl_certificate /etc/letsencrypt/live/api.dev.c2a-systeme.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/api.dev.c2a-systeme.fr/privkey.pem; + ssl_session_timeout 10m; ssl_session_cache shared:SSL:50m; - # https://bettercrypto.org/static/applied-crypto-hardening.pdf - # https://mozilla.github.io/server-side-tls/ssl-config-generator/ - # https://cipherli.st/ - # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_prefer_server_ciphers on; + # Enable server-side protection against BEAST attacks ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; + + # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096 + ssl_dhparam /etc/ssl/ffdhe4096.pem; + ssl_ecdh_curve secp521r1:secp384r1; - # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - add_header Strict-Transport-Security "max-age=15768000"; + # Aditional Security Headers + # ref: 
https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + add_header X-Frame-Options DENY always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + add_header X-Content-Type-Options nosniff always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + add_header X-Xss-Protection "1; mode=block" always; + + # Enable OCSP stapling + # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live/api.dev.c2a-systeme.fr/fullchain.pem; + resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare + resolver_timeout 5s; # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options add_header X-Frame-Options "SAMEORIGIN"; @@ -78,6 +94,12 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; + # Required for LE certificate enrollment using certbot + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /var/www/html; + } + location / { # No buffering to temp files, it fails for large downloads proxy_max_temp_file_size 0; @@ -93,4 +115,4 @@ server { proxy_pass http://127.0.0.1:8005; } -} +} diff --git a/docker/conf/applications/git.c2a-systeme.fr.conf b/docker/conf/applications/git.c2a-systeme.fr.conf index 3bb36ac..59a09c8 100644 --- a/docker/conf/applications/git.c2a-systeme.fr.conf +++ b/docker/conf/applications/git.c2a-systeme.fr.conf @@ -1,5 +1,4 @@ # http://nginx.org/en/docs/http/websocket.html -# http://nginx.org/en/docs/http/websocket.html map $http_upgrade $connection_upgrade { default upgrade; '' close; 
@@ -25,23 +24,40 @@ server { listen [::]:443 http2; ssl on; - # paths are relative to prefix and not to this file - ssl_certificate /etc/letsencrypt/live/git.c2a-systeme.fr/cert.pem; + ssl_certificate /etc/letsencrypt/live/git.c2a-systeme.fr/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/git.c2a-systeme.fr/privkey.pem; - ssl_session_timeout 5m; + ssl_session_timeout 10m; ssl_session_cache shared:SSL:50m; - # https://bettercrypto.org/static/applied-crypto-hardening.pdf - # https://mozilla.github.io/server-side-tls/ssl-config-generator/ - # https://cipherli.st/ - # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_prefer_server_ciphers on; + # Enable server-side protection against BEAST attacks ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; + + # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096 + ssl_dhparam /etc/ssl/ffdhe4096.pem; + ssl_ecdh_curve secp521r1:secp384r1; - # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - add_header Strict-Transport-Security "max-age=15768000"; + # Aditional Security Headers + # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + # ref: 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + add_header X-Frame-Options DENY always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + add_header X-Content-Type-Options nosniff always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + add_header X-Xss-Protection "1; mode=block" always; + + # Enable OCSP stapling + # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live/git.c2a-systeme.fr/fullchain.pem; + resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare + resolver_timeout 5s; # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options add_header X-Frame-Options "SAMEORIGIN"; @@ -78,6 +94,12 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; + # Required for LE certificate enrollment using certbot + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /var/www/html; + } + location / { # No buffering to temp files, it fails for large downloads proxy_max_temp_file_size 0; @@ -93,4 +115,4 @@ server { proxy_pass http://127.0.0.1:8000; } -} +} diff --git a/docker/conf/applications/gitlab.c2a-systeme.fr.conf b/docker/conf/applications/gitlab.c2a-systeme.fr.conf index 92fffda..94733be 100644 --- a/docker/conf/applications/gitlab.c2a-systeme.fr.conf +++ b/docker/conf/applications/gitlab.c2a-systeme.fr.conf @@ -1,5 +1,4 @@ # http://nginx.org/en/docs/http/websocket.html -# http://nginx.org/en/docs/http/websocket.html map $http_upgrade $connection_upgrade { default upgrade; '' close; 
@@ -25,23 +24,40 @@ server { listen [::]:443 http2; ssl on; - # paths are relative to prefix and not to this file - ssl_certificate /etc/letsencrypt/live/gitlab.c2a-systeme.fr/cert.pem; + ssl_certificate /etc/letsencrypt/live/gitlab.c2a-systeme.fr/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/gitlab.c2a-systeme.fr/privkey.pem; - ssl_session_timeout 5m; + ssl_session_timeout 10m; ssl_session_cache shared:SSL:50m; - # https://bettercrypto.org/static/applied-crypto-hardening.pdf - # https://mozilla.github.io/server-side-tls/ssl-config-generator/ - # https://cipherli.st/ - # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_prefer_server_ciphers on; + # Enable server-side protection against BEAST attacks ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; + + # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096 + ssl_dhparam /etc/ssl/ffdhe4096.pem; + ssl_ecdh_curve secp521r1:secp384r1; - # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - add_header Strict-Transport-Security "max-age=15768000"; + # Aditional Security Headers + # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + # ref: 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + add_header X-Frame-Options DENY always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + add_header X-Content-Type-Options nosniff always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + add_header X-Xss-Protection "1; mode=block" always; + + # Enable OCSP stapling + # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live/gitlab.c2a-systeme.fr/fullchain.pem; + resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare + resolver_timeout 5s; # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options add_header X-Frame-Options "SAMEORIGIN"; @@ -78,6 +94,12 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; + # Required for LE certificate enrollment using certbot + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /var/www/html; + } + location / { # No buffering to temp files, it fails for large downloads proxy_max_temp_file_size 0; diff --git a/docker/conf/applications/jenkins.c2a-systeme.fr.conf b/docker/conf/applications/jenkins.c2a-systeme.fr.conf index 025ebe5..cdc85be 100644 --- a/docker/conf/applications/jenkins.c2a-systeme.fr.conf +++ b/docker/conf/applications/jenkins.c2a-systeme.fr.conf 
@@ -24,23 +24,40 @@ server { listen [::]:443 http2; ssl on; - # paths are relative to prefix and not to this file - ssl_certificate /etc/letsencrypt/live/jenkins.c2a-systeme.fr/cert.pem; + ssl_certificate /etc/letsencrypt/live/jenkins.c2a-systeme.fr/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/jenkins.c2a-systeme.fr/privkey.pem; - ssl_session_timeout 5m; + ssl_session_timeout 10m; ssl_session_cache shared:SSL:50m; - # https://bettercrypto.org/static/applied-crypto-hardening.pdf - # https://mozilla.github.io/server-side-tls/ssl-config-generator/ - # https://cipherli.st/ - # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_prefer_server_ciphers on; + # Enable server-side protection against BEAST attacks ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; + + # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096 + ssl_dhparam /etc/ssl/ffdhe4096.pem; + ssl_ecdh_curve secp521r1:secp384r1; - # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - add_header Strict-Transport-Security "max-age=15768000"; + # Aditional Security Headers + # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + # ref: 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + add_header X-Frame-Options DENY always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + add_header X-Content-Type-Options nosniff always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + add_header X-Xss-Protection "1; mode=block" always; + + # Enable OCSP stapling + # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live/jenkins.c2a-systeme.fr/fullchain.pem; + resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare + resolver_timeout 5s; # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options add_header X-Frame-Options "SAMEORIGIN"; @@ -77,6 +94,12 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; + # Required for LE certificate enrollment using certbot + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /var/www/html; + } + location / { # No buffering to temp files, it fails for large downloads proxy_max_temp_file_size 0; diff --git a/docker/conf/applications/portainer.c2a-systeme.fr.conf b/docker/conf/applications/portainer.c2a-systeme.fr.conf index d5f1b47..e4d4dff 100644 --- a/docker/conf/applications/portainer.c2a-systeme.fr.conf +++ b/docker/conf/applications/portainer.c2a-systeme.fr.conf 
@@ -24,23 +24,40 @@ server { listen [::]:443 http2; ssl on; - # paths are relative to prefix and not to this file - ssl_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/cert.pem; + ssl_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/portainer.c2a-systeme.fr/privkey.pem; - ssl_session_timeout 5m; + ssl_session_timeout 10m; ssl_session_cache shared:SSL:50m; - # https://bettercrypto.org/static/applied-crypto-hardening.pdf - # https://mozilla.github.io/server-side-tls/ssl-config-generator/ - # https://cipherli.st/ - # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_prefer_server_ciphers on; + # Enable server-side protection against BEAST attacks ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; + + # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096 + ssl_dhparam /etc/ssl/ffdhe4096.pem; + ssl_ecdh_curve secp521r1:secp384r1; - # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - add_header Strict-Transport-Security "max-age=15768000"; + # Aditional Security Headers + # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + # ref: 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + add_header X-Frame-Options DENY always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + add_header X-Content-Type-Options nosniff always; + + # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + add_header X-Xss-Protection "1; mode=block" always; + + # Enable OCSP stapling + # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/fullchain.pem; + resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare + resolver_timeout 5s; # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options add_header X-Frame-Options "SAMEORIGIN"; @@ -77,6 +94,12 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; + # Required for LE certificate enrollment using certbot + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /var/www/html; + } + location / { # No buffering to temp files, it fails for large downloads proxy_max_temp_file_size 0; diff --git a/docker/conf/applications/www.c2a-systeme.fr.conf b/docker/conf/applications/www.c2a-systeme.fr.conf index b858bea..d530a3a 100644 --- a/docker/conf/applications/www.c2a-systeme.fr.conf +++ b/docker/conf/applications/www.c2a-systeme.fr.conf 
@@ -25,27 +25,37 @@ server { listen [::]:443 http2; ssl on; - # paths are relative to prefix and not to this file - ssl_certificate /etc/letsencrypt/live/www.c2a-systeme.fr/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/www.c2a-systeme.fr/privkey.pem; - ssl_session_timeout 5m; + ssl_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/portainer.c2a-systeme.fr/privkey.pem; + ssl_session_timeout 10m; ssl_session_cache shared:SSL:50m; - # https://bettercrypto.org/static/applied-crypto-hardening.pdf - # https://mozilla.github.io/server-side-tls/ssl-config-generator/ - # https://cipherli.st/ - # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_prefer_server_ciphers on; + # Enable server-side protection against BEAST attacks ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; + + # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096 + ssl_dhparam /etc/ssl/ffdhe4096.pem; + ssl_ecdh_curve secp521r1:secp384r1; - # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - add_header Strict-Transport-Security "max-age=15768000"; + # Enable OCSP stapling + # ref. 
http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live/www.c2a-systeme.fr/fullchain.pem; + resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare + resolver_timeout 5s; root /var/www/html/c2a-web-platform; index index.html; + # Required for LE certificate enrollment using certbot + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /var/www/html; + } + location / { try_files $uri $uri/ /index.html =404; } diff --git a/docker/install-nginx.sh b/docker/install-nginx.sh index 177d959..e9faf82 100755 --- a/docker/install-nginx.sh +++ b/docker/install-nginx.sh 
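Review bot: `ssl_certificate` and `ssl_certificate_key` now point at `/etc/letsencrypt/live/portainer.c2a-systeme.fr/` although this is the www.c2a-systeme.fr server and `ssl_trusted_certificate` a few lines below still uses the www path, which reads as a copy-paste slip from the portainer file: unless the portainer certificate happens to carry www as a SAN (the per-host `-d` invocations in install-nginx.sh suggest it does not), clients get a hostname mismatch. The two lines should read `ssl_certificate /etc/letsencrypt/live/www.c2a-systeme.fr/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/www.c2a-systeme.fr/privkey.pem;`. This hunk also removes `add_header Strict-Transport-Security "max-age=15768000";` without a replacement, so www loses HSTS while every sibling host gained a stronger one; re-adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";` plus the X-Frame-Options and X-Content-Type-Options headers the other files received keeps the hosts consistent. The new `/.well-known/acme-challenge` location only serves http-01 validation, yet install-nginx.sh in this commit issues with `--preferred-challenges=dns`; the comment `# Required for LE certificate enrollment using certbot` should say which flow actually depends on it. The enclosing server block starts and ends outside this hunk.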
@@ -1,12 +1,13 @@
 apt-get install -y nginx
-/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d www.c2a-systeme.fr
-/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d git.c2a-systeme.fr
-/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d api.c2a-systeme.fr
-/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d gitlab.c2a-systeme.fr
-/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d dev.api.c2a-systeme.fr
-/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d jenkins.c2a-systeme.fr
-/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d portainer.c2a-systeme.fr
+
+certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d www.c2a-systeme.fr
+certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d git.c2a-systeme.fr
+certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d api.c2a-systeme.fr
+certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d gitlab.c2a-systeme.fr
+certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d dev.api.c2a-systeme.fr
+certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d jenkins.c2a-systeme.fr
+certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d portainer.c2a-systeme.fr
 cp ./docker/conf/nginx.conf /etc/nginx/
 cp ./docker/conf/mime.types /etc/nginx/