Change conf nginx
This commit is contained in:
parent
c3d98b2c2a
commit
13cba9c8ae
@ -1,5 +1,4 @@
|
|||||||
# http://nginx.org/en/docs/http/websocket.html
|
# http://nginx.org/en/docs/http/websocket.html
|
||||||
# http://nginx.org/en/docs/http/websocket.html
|
|
||||||
map $http_upgrade $connection_upgrade {
|
map $http_upgrade $connection_upgrade {
|
||||||
default upgrade;
|
default upgrade;
|
||||||
'' close;
|
'' close;
|
||||||
@ -25,23 +24,40 @@ server {
|
|||||||
listen [::]:443 http2;
|
listen [::]:443 http2;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
# paths are relative to prefix and not to this file
|
ssl_certificate /etc/letsencrypt/live/api.c2a-systeme.fr/fullchain.pem;
|
||||||
ssl_certificate /etc/letsencrypt/live/api.c2a-systeme.fr/cert.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/api.c2a-systeme.fr/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/api.c2a-systeme.fr/privkey.pem;
|
||||||
ssl_session_timeout 5m;
|
ssl_session_timeout 10m;
|
||||||
ssl_session_cache shared:SSL:50m;
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
|
||||||
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
|
# Enable server-side protection against BEAST attacks
|
||||||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
|
||||||
# https://cipherli.st/
|
|
||||||
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
|
||||||
|
|
||||||
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
|
# RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
ssl_dhparam /etc/ssl/ffdhe4096.pem;
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
ssl_ecdh_curve secp521r1:secp384r1;
|
||||||
add_header Strict-Transport-Security "max-age=15768000";
|
|
||||||
|
# Aditional Security Headers
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||||
|
add_header X-Frame-Options DENY always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||||
|
add_header X-Content-Type-Options nosniff always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||||
|
add_header X-Xss-Protection "1; mode=block" always;
|
||||||
|
|
||||||
|
# Enable OCSP stapling
|
||||||
|
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/api.c2a-systeme.fr/fullchain.pem;
|
||||||
|
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
|
||||||
|
resolver_timeout 5s;
|
||||||
|
|
||||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
@ -78,6 +94,12 @@ server {
|
|||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
# Required for LE certificate enrollment using certbot
|
||||||
|
location '/.well-known/acme-challenge' {
|
||||||
|
default_type "text/plain";
|
||||||
|
root /var/www/html;
|
||||||
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# No buffering to temp files, it fails for large downloads
|
# No buffering to temp files, it fails for large downloads
|
||||||
proxy_max_temp_file_size 0;
|
proxy_max_temp_file_size 0;
|
||||||
|
@ -1,5 +1,4 @@
|
|||||||
# http://nginx.org/en/docs/http/websocket.html
|
# http://nginx.org/en/docs/http/websocket.html
|
||||||
# http://nginx.org/en/docs/http/websocket.html
|
|
||||||
map $http_upgrade $connection_upgrade {
|
map $http_upgrade $connection_upgrade {
|
||||||
default upgrade;
|
default upgrade;
|
||||||
'' close;
|
'' close;
|
||||||
@ -10,7 +9,7 @@ server {
|
|||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
|
||||||
server_name dev.api.c2a-systeme.fr;
|
server_name api.dev.c2a-systeme.fr;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# redirect everything to HTTPS
|
# redirect everything to HTTPS
|
||||||
@ -20,28 +19,45 @@ server {
|
|||||||
|
|
||||||
# https server
|
# https server
|
||||||
server {
|
server {
|
||||||
server_name dev.api.c2a-systeme.fr;
|
server_name api.dev.c2a-systeme.fr;
|
||||||
listen 443 http2;
|
listen 443 http2;
|
||||||
listen [::]:443 http2;
|
listen [::]:443 http2;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
# paths are relative to prefix and not to this file
|
ssl_certificate /etc/letsencrypt/live/api.dev.c2a-systeme.fr/fullchain.pem;
|
||||||
ssl_certificate /etc/letsencrypt/live/dev.api.c2a-systeme.fr/cert.pem;
|
ssl_certificate_key /etc/letsencrypt/live/api.dev.c2a-systeme.fr/privkey.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/dev.api.c2a-systeme.fr/privkey.pem;
|
ssl_session_timeout 10m;
|
||||||
ssl_session_timeout 5m;
|
|
||||||
ssl_session_cache shared:SSL:50m;
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
|
||||||
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
|
# Enable server-side protection against BEAST attacks
|
||||||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
|
||||||
# https://cipherli.st/
|
|
||||||
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
|
||||||
|
|
||||||
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
|
# RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
ssl_dhparam /etc/ssl/ffdhe4096.pem;
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
ssl_ecdh_curve secp521r1:secp384r1;
|
||||||
add_header Strict-Transport-Security "max-age=15768000";
|
|
||||||
|
# Aditional Security Headers
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||||
|
add_header X-Frame-Options DENY always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||||
|
add_header X-Content-Type-Options nosniff always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||||
|
add_header X-Xss-Protection "1; mode=block" always;
|
||||||
|
|
||||||
|
# Enable OCSP stapling
|
||||||
|
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/api.dev.c2a-systeme.fr/fullchain.pem;
|
||||||
|
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
|
||||||
|
resolver_timeout 5s;
|
||||||
|
|
||||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
@ -78,6 +94,12 @@ server {
|
|||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
# Required for LE certificate enrollment using certbot
|
||||||
|
location '/.well-known/acme-challenge' {
|
||||||
|
default_type "text/plain";
|
||||||
|
root /var/www/html;
|
||||||
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# No buffering to temp files, it fails for large downloads
|
# No buffering to temp files, it fails for large downloads
|
||||||
proxy_max_temp_file_size 0;
|
proxy_max_temp_file_size 0;
|
||||||
|
@ -1,5 +1,4 @@
|
|||||||
# http://nginx.org/en/docs/http/websocket.html
|
# http://nginx.org/en/docs/http/websocket.html
|
||||||
# http://nginx.org/en/docs/http/websocket.html
|
|
||||||
map $http_upgrade $connection_upgrade {
|
map $http_upgrade $connection_upgrade {
|
||||||
default upgrade;
|
default upgrade;
|
||||||
'' close;
|
'' close;
|
||||||
@ -25,23 +24,40 @@ server {
|
|||||||
listen [::]:443 http2;
|
listen [::]:443 http2;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
# paths are relative to prefix and not to this file
|
ssl_certificate /etc/letsencrypt/live/git.c2a-systeme.fr/fullchain.pem;
|
||||||
ssl_certificate /etc/letsencrypt/live/git.c2a-systeme.fr/cert.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/git.c2a-systeme.fr/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/git.c2a-systeme.fr/privkey.pem;
|
||||||
ssl_session_timeout 5m;
|
ssl_session_timeout 10m;
|
||||||
ssl_session_cache shared:SSL:50m;
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
|
||||||
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
|
# Enable server-side protection against BEAST attacks
|
||||||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
|
||||||
# https://cipherli.st/
|
|
||||||
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
|
||||||
|
|
||||||
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
|
# RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
ssl_dhparam /etc/ssl/ffdhe4096.pem;
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
ssl_ecdh_curve secp521r1:secp384r1;
|
||||||
add_header Strict-Transport-Security "max-age=15768000";
|
|
||||||
|
# Aditional Security Headers
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||||
|
add_header X-Frame-Options DENY always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||||
|
add_header X-Content-Type-Options nosniff always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||||
|
add_header X-Xss-Protection "1; mode=block" always;
|
||||||
|
|
||||||
|
# Enable OCSP stapling
|
||||||
|
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/git.c2a-systeme.fr/fullchain.pem;
|
||||||
|
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
|
||||||
|
resolver_timeout 5s;
|
||||||
|
|
||||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
@ -78,6 +94,12 @@ server {
|
|||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
# Required for LE certificate enrollment using certbot
|
||||||
|
location '/.well-known/acme-challenge' {
|
||||||
|
default_type "text/plain";
|
||||||
|
root /var/www/html;
|
||||||
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# No buffering to temp files, it fails for large downloads
|
# No buffering to temp files, it fails for large downloads
|
||||||
proxy_max_temp_file_size 0;
|
proxy_max_temp_file_size 0;
|
||||||
|
@ -1,5 +1,4 @@
|
|||||||
# http://nginx.org/en/docs/http/websocket.html
|
# http://nginx.org/en/docs/http/websocket.html
|
||||||
# http://nginx.org/en/docs/http/websocket.html
|
|
||||||
map $http_upgrade $connection_upgrade {
|
map $http_upgrade $connection_upgrade {
|
||||||
default upgrade;
|
default upgrade;
|
||||||
'' close;
|
'' close;
|
||||||
@ -25,23 +24,40 @@ server {
|
|||||||
listen [::]:443 http2;
|
listen [::]:443 http2;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
# paths are relative to prefix and not to this file
|
ssl_certificate /etc/letsencrypt/live/gitlab.c2a-systeme.fr/fullchain.pem;
|
||||||
ssl_certificate /etc/letsencrypt/live/gitlab.c2a-systeme.fr/cert.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/gitlab.c2a-systeme.fr/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/gitlab.c2a-systeme.fr/privkey.pem;
|
||||||
ssl_session_timeout 5m;
|
ssl_session_timeout 10m;
|
||||||
ssl_session_cache shared:SSL:50m;
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
|
||||||
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
|
# Enable server-side protection against BEAST attacks
|
||||||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
|
||||||
# https://cipherli.st/
|
|
||||||
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
|
||||||
|
|
||||||
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
|
# RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
ssl_dhparam /etc/ssl/ffdhe4096.pem;
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
ssl_ecdh_curve secp521r1:secp384r1;
|
||||||
add_header Strict-Transport-Security "max-age=15768000";
|
|
||||||
|
# Aditional Security Headers
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||||
|
add_header X-Frame-Options DENY always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||||
|
add_header X-Content-Type-Options nosniff always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||||
|
add_header X-Xss-Protection "1; mode=block" always;
|
||||||
|
|
||||||
|
# Enable OCSP stapling
|
||||||
|
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/gitlab.c2a-systeme.fr/fullchain.pem;
|
||||||
|
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
|
||||||
|
resolver_timeout 5s;
|
||||||
|
|
||||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
@ -78,6 +94,12 @@ server {
|
|||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
# Required for LE certificate enrollment using certbot
|
||||||
|
location '/.well-known/acme-challenge' {
|
||||||
|
default_type "text/plain";
|
||||||
|
root /var/www/html;
|
||||||
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# No buffering to temp files, it fails for large downloads
|
# No buffering to temp files, it fails for large downloads
|
||||||
proxy_max_temp_file_size 0;
|
proxy_max_temp_file_size 0;
|
||||||
|
@ -24,23 +24,40 @@ server {
|
|||||||
listen [::]:443 http2;
|
listen [::]:443 http2;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
# paths are relative to prefix and not to this file
|
ssl_certificate /etc/letsencrypt/live/jenkins.c2a-systeme.fr/fullchain.pem;
|
||||||
ssl_certificate /etc/letsencrypt/live/jenkins.c2a-systeme.fr/cert.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/jenkins.c2a-systeme.fr/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/jenkins.c2a-systeme.fr/privkey.pem;
|
||||||
ssl_session_timeout 5m;
|
ssl_session_timeout 10m;
|
||||||
ssl_session_cache shared:SSL:50m;
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
|
||||||
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
|
# Enable server-side protection against BEAST attacks
|
||||||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
|
||||||
# https://cipherli.st/
|
|
||||||
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
|
||||||
|
|
||||||
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
|
# RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
ssl_dhparam /etc/ssl/ffdhe4096.pem;
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
ssl_ecdh_curve secp521r1:secp384r1;
|
||||||
add_header Strict-Transport-Security "max-age=15768000";
|
|
||||||
|
# Aditional Security Headers
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||||
|
add_header X-Frame-Options DENY always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||||
|
add_header X-Content-Type-Options nosniff always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||||
|
add_header X-Xss-Protection "1; mode=block" always;
|
||||||
|
|
||||||
|
# Enable OCSP stapling
|
||||||
|
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/jenkins.c2a-systeme.fr/fullchain.pem;
|
||||||
|
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
|
||||||
|
resolver_timeout 5s;
|
||||||
|
|
||||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
@ -77,6 +94,12 @@ server {
|
|||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
# Required for LE certificate enrollment using certbot
|
||||||
|
location '/.well-known/acme-challenge' {
|
||||||
|
default_type "text/plain";
|
||||||
|
root /var/www/html;
|
||||||
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# No buffering to temp files, it fails for large downloads
|
# No buffering to temp files, it fails for large downloads
|
||||||
proxy_max_temp_file_size 0;
|
proxy_max_temp_file_size 0;
|
||||||
|
@ -24,23 +24,40 @@ server {
|
|||||||
listen [::]:443 http2;
|
listen [::]:443 http2;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
# paths are relative to prefix and not to this file
|
ssl_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/fullchain.pem;
|
||||||
ssl_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/cert.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/portainer.c2a-systeme.fr/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/portainer.c2a-systeme.fr/privkey.pem;
|
||||||
ssl_session_timeout 5m;
|
ssl_session_timeout 10m;
|
||||||
ssl_session_cache shared:SSL:50m;
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
|
||||||
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
|
# Enable server-side protection against BEAST attacks
|
||||||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
|
||||||
# https://cipherli.st/
|
|
||||||
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
|
||||||
|
|
||||||
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
|
# RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
ssl_dhparam /etc/ssl/ffdhe4096.pem;
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
ssl_ecdh_curve secp521r1:secp384r1;
|
||||||
add_header Strict-Transport-Security "max-age=15768000";
|
|
||||||
|
# Aditional Security Headers
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||||
|
add_header X-Frame-Options DENY always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||||
|
add_header X-Content-Type-Options nosniff always;
|
||||||
|
|
||||||
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||||
|
add_header X-Xss-Protection "1; mode=block" always;
|
||||||
|
|
||||||
|
# Enable OCSP stapling
|
||||||
|
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/fullchain.pem;
|
||||||
|
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
|
||||||
|
resolver_timeout 5s;
|
||||||
|
|
||||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
@ -77,6 +94,12 @@ server {
|
|||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
# Required for LE certificate enrollment using certbot
|
||||||
|
location '/.well-known/acme-challenge' {
|
||||||
|
default_type "text/plain";
|
||||||
|
root /var/www/html;
|
||||||
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# No buffering to temp files, it fails for large downloads
|
# No buffering to temp files, it fails for large downloads
|
||||||
proxy_max_temp_file_size 0;
|
proxy_max_temp_file_size 0;
|
||||||
|
@ -25,27 +25,37 @@ server {
|
|||||||
listen [::]:443 http2;
|
listen [::]:443 http2;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
# paths are relative to prefix and not to this file
|
ssl_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/fullchain.pem;
|
||||||
ssl_certificate /etc/letsencrypt/live/www.c2a-systeme.fr/cert.pem;
|
ssl_certificate_key /etc/letsencrypt/live/portainer.c2a-systeme.fr/privkey.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/www.c2a-systeme.fr/privkey.pem;
|
ssl_session_timeout 10m;
|
||||||
ssl_session_timeout 5m;
|
|
||||||
ssl_session_cache shared:SSL:50m;
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
|
||||||
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
|
# Enable server-side protection against BEAST attacks
|
||||||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
|
||||||
# https://cipherli.st/
|
|
||||||
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
|
||||||
|
|
||||||
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
|
# RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
ssl_dhparam /etc/ssl/ffdhe4096.pem;
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
ssl_ecdh_curve secp521r1:secp384r1;
|
||||||
add_header Strict-Transport-Security "max-age=15768000";
|
|
||||||
|
# Enable OCSP stapling
|
||||||
|
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/www.c2a-systeme.fr/fullchain.pem;
|
||||||
|
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
|
||||||
|
resolver_timeout 5s;
|
||||||
|
|
||||||
root /var/www/html/c2a-web-platform;
|
root /var/www/html/c2a-web-platform;
|
||||||
index index.html;
|
index index.html;
|
||||||
|
|
||||||
|
# Required for LE certificate enrollment using certbot
|
||||||
|
location '/.well-known/acme-challenge' {
|
||||||
|
default_type "text/plain";
|
||||||
|
root /var/www/html;
|
||||||
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
try_files $uri $uri/ /index.html =404;
|
try_files $uri $uri/ /index.html =404;
|
||||||
}
|
}
|
||||||
|
@ -1,12 +1,13 @@
|
|||||||
apt-get install -y nginx
|
apt-get install -y nginx
|
||||||
|
|
||||||
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d www.c2a-systeme.fr
|
|
||||||
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d git.c2a-systeme.fr
|
certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d www.c2a-systeme.fr
|
||||||
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d api.c2a-systeme.fr
|
certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d git.c2a-systeme.fr
|
||||||
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d gitlab.c2a-systeme.fr
|
certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d api.c2a-systeme.fr
|
||||||
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d dev.api.c2a-systeme.fr
|
certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d gitlab.c2a-systeme.fr
|
||||||
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d jenkins.c2a-systeme.fr
|
certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d dev.api.c2a-systeme.fr
|
||||||
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d portainer.c2a-systeme.fr
|
certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d jenkins.c2a-systeme.fr
|
||||||
|
certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d portainer.c2a-systeme.fr
|
||||||
|
|
||||||
cp ./docker/conf/nginx.conf /etc/nginx/
|
cp ./docker/conf/nginx.conf /etc/nginx/
|
||||||
cp ./docker/conf/mime.types /etc/nginx/
|
cp ./docker/conf/mime.types /etc/nginx/
|
||||||
|
Loading…
Reference in New Issue
Block a user