Change conf nginx

This commit is contained in:
Mathieu Sanchez 2019-04-30 18:23:04 +09:00
parent c3d98b2c2a
commit 13cba9c8ae
8 changed files with 247 additions and 102 deletions

View File

@ -1,5 +1,4 @@
# http://nginx.org/en/docs/http/websocket.html # http://nginx.org/en/docs/http/websocket.html
# http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
@ -25,23 +24,40 @@ server {
listen [::]:443 http2; listen [::]:443 http2;
ssl on; ssl on;
# paths are relative to prefix and not to this file ssl_certificate /etc/letsencrypt/live/api.c2a-systeme.fr/fullchain.pem;
ssl_certificate /etc/letsencrypt/live/api.c2a-systeme.fr/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/api.c2a-systeme.fr/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/api.c2a-systeme.fr/privkey.pem;
ssl_session_timeout 5m; ssl_session_timeout 10m;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
# https://bettercrypto.org/static/applied-crypto-hardening.pdf # Enable server-side protection against BEAST attacks
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://cipherli.st/
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_dhparam /etc/ssl/ffdhe4096.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_ecdh_curve secp521r1:secp384r1;
add_header Strict-Transport-Security "max-age=15768000";
# Aditional Security Headers
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options DENY always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;
# Enable OCSP stapling
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/api.c2a-systeme.fr/fullchain.pem;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
resolver_timeout 5s;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN";
@ -78,6 +94,12 @@ server {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
# Required for LE certificate enrollment using certbot
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/html;
}
location / { location / {
# No buffering to temp files, it fails for large downloads # No buffering to temp files, it fails for large downloads
proxy_max_temp_file_size 0; proxy_max_temp_file_size 0;

View File

@ -1,5 +1,4 @@
# http://nginx.org/en/docs/http/websocket.html # http://nginx.org/en/docs/http/websocket.html
# http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
@ -10,7 +9,7 @@ server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name dev.api.c2a-systeme.fr; server_name api.dev.c2a-systeme.fr;
location / { location / {
# redirect everything to HTTPS # redirect everything to HTTPS
@ -20,28 +19,45 @@ server {
# https server # https server
server { server {
server_name dev.api.c2a-systeme.fr; server_name api.dev.c2a-systeme.fr;
listen 443 http2; listen 443 http2;
listen [::]:443 http2; listen [::]:443 http2;
ssl on; ssl on;
# paths are relative to prefix and not to this file ssl_certificate /etc/letsencrypt/live/api.dev.c2a-systeme.fr/fullchain.pem;
ssl_certificate /etc/letsencrypt/live/dev.api.c2a-systeme.fr/cert.pem; ssl_certificate_key /etc/letsencrypt/live/api.dev.c2a-systeme.fr/privkey.pem;
ssl_certificate_key /etc/letsencrypt/live/dev.api.c2a-systeme.fr/privkey.pem; ssl_session_timeout 10m;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
# https://bettercrypto.org/static/applied-crypto-hardening.pdf # Enable server-side protection against BEAST attacks
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://cipherli.st/
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_dhparam /etc/ssl/ffdhe4096.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_ecdh_curve secp521r1:secp384r1;
add_header Strict-Transport-Security "max-age=15768000";
# Aditional Security Headers
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options DENY always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;
# Enable OCSP stapling
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/api.dev.c2a-systeme.fr/fullchain.pem;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
resolver_timeout 5s;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN";
@ -78,6 +94,12 @@ server {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
# Required for LE certificate enrollment using certbot
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/html;
}
location / { location / {
# No buffering to temp files, it fails for large downloads # No buffering to temp files, it fails for large downloads
proxy_max_temp_file_size 0; proxy_max_temp_file_size 0;

View File

@ -1,5 +1,4 @@
# http://nginx.org/en/docs/http/websocket.html # http://nginx.org/en/docs/http/websocket.html
# http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
@ -25,23 +24,40 @@ server {
listen [::]:443 http2; listen [::]:443 http2;
ssl on; ssl on;
# paths are relative to prefix and not to this file ssl_certificate /etc/letsencrypt/live/git.c2a-systeme.fr/fullchain.pem;
ssl_certificate /etc/letsencrypt/live/git.c2a-systeme.fr/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/git.c2a-systeme.fr/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/git.c2a-systeme.fr/privkey.pem;
ssl_session_timeout 5m; ssl_session_timeout 10m;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
# https://bettercrypto.org/static/applied-crypto-hardening.pdf # Enable server-side protection against BEAST attacks
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://cipherli.st/
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_dhparam /etc/ssl/ffdhe4096.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_ecdh_curve secp521r1:secp384r1;
add_header Strict-Transport-Security "max-age=15768000";
# Aditional Security Headers
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options DENY always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;
# Enable OCSP stapling
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/git.c2a-systeme.fr/fullchain.pem;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
resolver_timeout 5s;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN";
@ -78,6 +94,12 @@ server {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
# Required for LE certificate enrollment using certbot
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/html;
}
location / { location / {
# No buffering to temp files, it fails for large downloads # No buffering to temp files, it fails for large downloads
proxy_max_temp_file_size 0; proxy_max_temp_file_size 0;

View File

@ -1,5 +1,4 @@
# http://nginx.org/en/docs/http/websocket.html # http://nginx.org/en/docs/http/websocket.html
# http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
@ -25,23 +24,40 @@ server {
listen [::]:443 http2; listen [::]:443 http2;
ssl on; ssl on;
# paths are relative to prefix and not to this file ssl_certificate /etc/letsencrypt/live/gitlab.c2a-systeme.fr/fullchain.pem;
ssl_certificate /etc/letsencrypt/live/gitlab.c2a-systeme.fr/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/gitlab.c2a-systeme.fr/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/gitlab.c2a-systeme.fr/privkey.pem;
ssl_session_timeout 5m; ssl_session_timeout 10m;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
# https://bettercrypto.org/static/applied-crypto-hardening.pdf # Enable server-side protection against BEAST attacks
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://cipherli.st/
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_dhparam /etc/ssl/ffdhe4096.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_ecdh_curve secp521r1:secp384r1;
add_header Strict-Transport-Security "max-age=15768000";
# Aditional Security Headers
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options DENY always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;
# Enable OCSP stapling
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/gitlab.c2a-systeme.fr/fullchain.pem;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
resolver_timeout 5s;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN";
@ -78,6 +94,12 @@ server {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
# Required for LE certificate enrollment using certbot
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/html;
}
location / { location / {
# No buffering to temp files, it fails for large downloads # No buffering to temp files, it fails for large downloads
proxy_max_temp_file_size 0; proxy_max_temp_file_size 0;

View File

@ -24,23 +24,40 @@ server {
listen [::]:443 http2; listen [::]:443 http2;
ssl on; ssl on;
# paths are relative to prefix and not to this file ssl_certificate /etc/letsencrypt/live/jenkins.c2a-systeme.fr/fullchain.pem;
ssl_certificate /etc/letsencrypt/live/jenkins.c2a-systeme.fr/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/jenkins.c2a-systeme.fr/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/jenkins.c2a-systeme.fr/privkey.pem;
ssl_session_timeout 5m; ssl_session_timeout 10m;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
# https://bettercrypto.org/static/applied-crypto-hardening.pdf # Enable server-side protection against BEAST attacks
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://cipherli.st/
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_dhparam /etc/ssl/ffdhe4096.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_ecdh_curve secp521r1:secp384r1;
add_header Strict-Transport-Security "max-age=15768000";
# Aditional Security Headers
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options DENY always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;
# Enable OCSP stapling
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/jenkins.c2a-systeme.fr/fullchain.pem;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
resolver_timeout 5s;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN";
@ -77,6 +94,12 @@ server {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
# Required for LE certificate enrollment using certbot
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/html;
}
location / { location / {
# No buffering to temp files, it fails for large downloads # No buffering to temp files, it fails for large downloads
proxy_max_temp_file_size 0; proxy_max_temp_file_size 0;

View File

@ -24,23 +24,40 @@ server {
listen [::]:443 http2; listen [::]:443 http2;
ssl on; ssl on;
# paths are relative to prefix and not to this file ssl_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/fullchain.pem;
ssl_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/portainer.c2a-systeme.fr/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/portainer.c2a-systeme.fr/privkey.pem;
ssl_session_timeout 5m; ssl_session_timeout 10m;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
# https://bettercrypto.org/static/applied-crypto-hardening.pdf # Enable server-side protection against BEAST attacks
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://cipherli.st/
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_dhparam /etc/ssl/ffdhe4096.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_ecdh_curve secp521r1:secp384r1;
add_header Strict-Transport-Security "max-age=15768000";
# Aditional Security Headers
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options DENY always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;
# Enable OCSP stapling
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/fullchain.pem;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
resolver_timeout 5s;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN";
@ -77,6 +94,12 @@ server {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
# Required for LE certificate enrollment using certbot
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/html;
}
location / { location / {
# No buffering to temp files, it fails for large downloads # No buffering to temp files, it fails for large downloads
proxy_max_temp_file_size 0; proxy_max_temp_file_size 0;

View File

@ -25,27 +25,37 @@ server {
listen [::]:443 http2; listen [::]:443 http2;
ssl on; ssl on;
# paths are relative to prefix and not to this file ssl_certificate /etc/letsencrypt/live/portainer.c2a-systeme.fr/fullchain.pem;
ssl_certificate /etc/letsencrypt/live/www.c2a-systeme.fr/cert.pem; ssl_certificate_key /etc/letsencrypt/live/portainer.c2a-systeme.fr/privkey.pem;
ssl_certificate_key /etc/letsencrypt/live/www.c2a-systeme.fr/privkey.pem; ssl_session_timeout 10m;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
# https://bettercrypto.org/static/applied-crypto-hardening.pdf # Enable server-side protection against BEAST attacks
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://cipherli.st/
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
# ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_dhparam /etc/ssl/ffdhe4096.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_ecdh_curve secp521r1:secp384r1;
add_header Strict-Transport-Security "max-age=15768000";
# Enable OCSP stapling
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/www.c2a-systeme.fr/fullchain.pem;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
resolver_timeout 5s;
root /var/www/html/c2a-web-platform; root /var/www/html/c2a-web-platform;
index index.html; index index.html;
# Required for LE certificate enrollment using certbot
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/html;
}
location / { location / {
try_files $uri $uri/ /index.html =404; try_files $uri $uri/ /index.html =404;
} }

View File

@ -1,12 +1,13 @@
apt-get install -y nginx apt-get install -y nginx
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d www.c2a-systeme.fr
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d git.c2a-systeme.fr certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d www.c2a-systeme.fr
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d api.c2a-systeme.fr certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d git.c2a-systeme.fr
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d gitlab.c2a-systeme.fr certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d api.c2a-systeme.fr
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d dev.api.c2a-systeme.fr certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d gitlab.c2a-systeme.fr
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d jenkins.c2a-systeme.fr certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d dev.api.c2a-systeme.fr
/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d portainer.c2a-systeme.fr certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d jenkins.c2a-systeme.fr
certbot certonly --manual --preferred-challenges=dns --email mathieu.sanchez@outlook.fr -i nginx -d portainer.c2a-systeme.fr
cp ./docker/conf/nginx.conf /etc/nginx/ cp ./docker/conf/nginx.conf /etc/nginx/
cp ./docker/conf/mime.types /etc/nginx/ cp ./docker/conf/mime.types /etc/nginx/