From 82e27ef5e168644e081015e9659cb4e5d9a5be01 Mon Sep 17 00:00:00 2001 From: zino Date: Wed, 6 Dec 2023 00:33:03 +0100 Subject: [PATCH] m --- volumes/conf.d/4netplayers.zinomedia.de.conf | 7 +------ volumes/conf.d/dl.zinomedia.de.conf | 10 ++-------- volumes/conf.d/git.zinomedia.de.conf | 7 +------ volumes/conf.d/joplin.zinomedia.de.conf | 7 +------ volumes/conf.d/pkrstarsbot.zinomedia.de.conf | 8 ++------ volumes/conf.d/portainer.armos.zinomedia.de.conf | 10 ++-------- volumes/conf.d/seafile.zinomedia.de.conf | 8 ++------ .../conf.d/validate.vouch.armos.zinomedia.de.conf | 7 +------ volumes/conf.d/vouch.armos.zinomedia.de.conf | 12 ++++-------- 9 files changed, 16 insertions(+), 60 deletions(-) diff --git a/volumes/conf.d/4netplayers.zinomedia.de.conf b/volumes/conf.d/4netplayers.zinomedia.de.conf index 3bbdd3a..0ad71c4 100644 --- a/volumes/conf.d/4netplayers.zinomedia.de.conf +++ b/volumes/conf.d/4netplayers.zinomedia.de.conf @@ -14,13 +14,8 @@ server { ssl_certificate /etc/letsencrypt/live/4netplayers.zinomedia.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/4netplayers.zinomedia.de/privkey.pem; - # SSL Optimizations - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + include "snippets/ssl-optimizations.conf"; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:;" always; location ~ /(\.user\.ini|debug\.log) { diff --git a/volumes/conf.d/dl.zinomedia.de.conf b/volumes/conf.d/dl.zinomedia.de.conf index 6dea1e2..3e338c8 100644 --- a/volumes/conf.d/dl.zinomedia.de.conf +++ b/volumes/conf.d/dl.zinomedia.de.conf @@ -12,19 +12,13 @@ server { ssl_certificate /etc/letsencrypt/live/dl.zinomedia.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/dl.zinomedia.de/privkey.pem; - # SSL Optimizations - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; + include "snippets/ssl-optimizations.conf"; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Content-Security-Policy "default-src 'self';" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options "nosniff"; - + gzip on; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; } diff --git a/volumes/conf.d/git.zinomedia.de.conf b/volumes/conf.d/git.zinomedia.de.conf index bd377c3..be26a94 100644 --- a/volumes/conf.d/git.zinomedia.de.conf +++ b/volumes/conf.d/git.zinomedia.de.conf @@ -9,12 +9,7 @@ server { ssl_certificate /etc/letsencrypt/live/git.zinomedia.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/git.zinomedia.de/privkey.pem; - # SSL Optimizations - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + include "snippets/ssl-optimizations.conf"; # Gzip Compression gzip on; diff --git a/volumes/conf.d/joplin.zinomedia.de.conf b/volumes/conf.d/joplin.zinomedia.de.conf index 16c520e..102f672 100644 --- a/volumes/conf.d/joplin.zinomedia.de.conf +++ b/volumes/conf.d/joplin.zinomedia.de.conf @@ -9,12 +9,7 @@ server { ssl_certificate /etc/letsencrypt/live/joplin.zinomedia.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/joplin.zinomedia.de/privkey.pem; - # SSL Optimizations - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + include "snippets/ssl-optimizations.conf"; # Gzip Compression gzip on; diff --git a/volumes/conf.d/pkrstarsbot.zinomedia.de.conf b/volumes/conf.d/pkrstarsbot.zinomedia.de.conf index 7081807..62c4883 100644 --- a/volumes/conf.d/pkrstarsbot.zinomedia.de.conf +++ b/volumes/conf.d/pkrstarsbot.zinomedia.de.conf @@ -13,12 +13,8 @@ server { ssl_certificate /etc/letsencrypt/live/pkrstarsbot.zinomedia.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/pkrstarsbot.zinomedia.de/privkey.pem; - # SSL Optimizations - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + include "snippets/ssl-optimizations.conf"; + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self'; font-src 'self' data:;" always; location / { diff --git a/volumes/conf.d/portainer.armos.zinomedia.de.conf b/volumes/conf.d/portainer.armos.zinomedia.de.conf index 1a0d00e..9f53768 100644 --- a/volumes/conf.d/portainer.armos.zinomedia.de.conf +++ b/volumes/conf.d/portainer.armos.zinomedia.de.conf @@ -9,19 +9,13 @@ server { ssl_certificate /etc/letsencrypt/live/portainer.armos.zinomedia.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/portainer.armos.zinomedia.de/privkey.pem; - # SSL optimizations - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - + include "snippets/ssl-optimizations.conf"; include "snippets/enable-vouch.conf"; location / { resolver 127.0.0.11; set $upstream "portainer:9000"; - + add_header Content-Security-Policy "font-src * data: blob: 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';" always; proxy_set_header X-Forwarded-Host $host:$server_port; proxy_set_header X-Forwarded-Server $host; diff --git a/volumes/conf.d/seafile.zinomedia.de.conf b/volumes/conf.d/seafile.zinomedia.de.conf index b3fa8e9..71ceac7 100644 --- a/volumes/conf.d/seafile.zinomedia.de.conf +++ b/volumes/conf.d/seafile.zinomedia.de.conf @@ -11,12 +11,8 @@ server { ssl_certificate /etc/letsencrypt/live/seafile.zinomedia.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/seafile.zinomedia.de/privkey.pem; - # SSL Optimizations - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + include "snippets/ssl-optimizations.conf"; + add_header Content-Security-Policy "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: http://seafile.zinomedia.de; style-src 'self' 'unsafe-inline'; font-src 'self' data:;" always; location / { diff --git a/volumes/conf.d/validate.vouch.armos.zinomedia.de.conf b/volumes/conf.d/validate.vouch.armos.zinomedia.de.conf index e5bc1c4..fb8f6f8 100644 --- a/volumes/conf.d/validate.vouch.armos.zinomedia.de.conf +++ b/volumes/conf.d/validate.vouch.armos.zinomedia.de.conf @@ -12,12 +12,7 @@ server { ssl_certificate /etc/letsencrypt/live/validate.vouch.armos.zinomedia.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/validate.vouch.armos.zinomedia.de/privkey.pem; - # SSL Optimizations - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + include "snippets/ssl-optimizations.conf"; location = /validate { # forward the /validate request to Vouch Proxy diff --git a/volumes/conf.d/vouch.armos.zinomedia.de.conf b/volumes/conf.d/vouch.armos.zinomedia.de.conf index 14e9553..85263f8 100644 --- a/volumes/conf.d/vouch.armos.zinomedia.de.conf +++ b/volumes/conf.d/vouch.armos.zinomedia.de.conf @@ -1,4 +1,4 @@ -log_format vouch '[$time_iso8601] VOUCH | request_uri: $request_uri | status: $status | http_host: $http_host | auth_resp_x_vouch_user: $auth_resp_x_vouch_user | upstream_http_x_vouch_user: $upstream_http_x_vouch_user | auth_resp_jwt: $auth_resp_jwt | upstream_http_x_vouch_jwt: $upstream_http_x_vouch_jwt | auth_resp_err: $auth_resp_err | upstream_http_x_vouch_err: $upstream_http_x_vouch_err | auth_resp_failcount: $auth_resp_failcount | upstream_http_x_vouch_failcount: $upstream_http_x_vouch_failcount'; +#log_format vouch '[$time_iso8601] VOUCH | request_uri: $request_uri | status: $status | http_host: $http_host | auth_resp_x_vouch_user: $auth_resp_x_vouch_user | upstream_http_x_vouch_user: $upstream_http_x_vouch_user | auth_resp_jwt: $auth_resp_jwt | upstream_http_x_vouch_jwt: $upstream_http_x_vouch_jwt | auth_resp_err: $auth_resp_err | upstream_http_x_vouch_err: $upstream_http_x_vouch_err | auth_resp_failcount: $auth_resp_failcount | upstream_http_x_vouch_failcount: $upstream_http_x_vouch_failcount'; server { @@ -6,18 +6,14 @@ server { listen [::]:443 ssl; server_name vouch.armos.zinomedia.de; - access_log /var/log/nginx/access.log vouch; + #access_log /var/log/nginx/access.log vouch; + access_log off; error_log /var/log/nginx/error.log debug; ssl_certificate /etc/letsencrypt/live/vouch.armos.zinomedia.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/vouch.armos.zinomedia.de/privkey.pem; - # SSL Optimizations - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + include "snippets/ssl-optimizations.conf"; location / { resolver 127.0.0.11;