4 years ago · 9cad2e15e0
--- a/nginx/ff-frontend.conf
+++ b/nginx/ff-frontend.conf
@@ -32,6 +32,9 @@ server {
 
				 	server_name "{{ domain }}";
			
 
				   {%- endif %}
			
 
				 
			
 
				+	access_log /var/log/nginx/{{ domain }}.access.log;
			
 
				+	error_log /var/log/nginx/{{ domain }}.error.log;
			
 
				+
			
 
				   {%- if https %}
			
 
				 	ssl on;
			
 
				 	ssl_certificate /etc/ssl/certs/{{ domain }}.cert.pem;
			
@@ -44,6 +47,7 @@ server {
 
				 		proxy_redirect		default;
			
 
				 		proxy_set_header	Host "{{ host }}";
			
 
				 		proxy_set_header	X-Forwarded-For $remote_addr;
			
 
				+		include			/etc/nginx/ffho.d/proxy-headers.conf;
			
 
				 	}
			
 
				   {%- elif 'redirect' in config %}
			
 
				 	location / {
			
@@ -58,6 +62,7 @@ server {
 
				 		proxy_redirect		default;
			
 
				 		proxy_set_header	Host "{{ loc_host }}";
			
 
				 		proxy_set_header	X-Forwarded-For $remote_addr;
			
 
				+		include			/etc/nginx/ffho.d/proxy-headers.conf;
			
 
				       {%- elif 'redirect' in loc_conf %}
			
 
				 		return 302 {{ loc_conf.redirect }};
			
 
				       {%- endif %}
			
--- a/nginx/ffho.d/add-headers.conf
+++ b/nginx/ffho.d/add-headers.conf
@@ -0,0 +1,7 @@
 
				+# Include for header to be set in webserver mode (Salt managed)
			
 
				+add_header	X-Frame-Options "SAMEORIGIN; always;";
			
 
				+add_header	X-Content-Type-Options nosniff;
			
 
				+add_header	X-XSS-Protection "1; mode=block";
			
 
				+add_header	Strict-Transport-Security "max-age=15552000;includeSubDomains";
			
 
				+add_header	Content-Security-Policy "default-src blob: https: data: 'unsafe-inline' 'unsafe-eval' always; upgrade-insecure-requests";
			
 
				+add_header	Referrer-Policy "strict-origin-when-cross-origin";
			
--- a/nginx/ffho.d/proxy-headers.conf
+++ b/nginx/ffho.d/proxy-headers.conf
@@ -0,0 +1,7 @@
 
				+# Include for headers to be (re)set in proxy mode (Salt managed)
			
 
				+proxy_set_header	X-Frame-Options "SAMEORIGIN; always;";
			
 
				+proxy_set_header	X-Content-Type-Options nosniff;
			
 
				+proxy_set_header	X-XSS-Protection "1; mode=block";
			
 
				+proxy_set_header 	Strict-Transport-Security "max-age=15552000;includeSubDomains";
			
 
				+proxy_set_header	Content-Security-Policy "default-src blob: https: data: 'unsafe-inline' 'unsafe-eval' always; upgrade-insecure-requests";
			
 
				+proxy_set_header	Referrer-Policy "strict-origin-when-cross-origin";
			
--- a/nginx/init.sls
+++ b/nginx/init.sls
@@ -38,6 +38,17 @@ nginx-cache:
 
				     - watch_in:
			
 
				       - cmd: nginx-configtest
			
 
				 
			
 
				+/etc/nginx/ffho.d:
			
 
				+  file.recurse:
			
 
				+    - source: salt://nginx/ffho.d
			
 
				+    - file_mode: 755
			
 
				+    - dir_mode: 755
			
 
				+    - user: root
			
 
				+    - group: root
			
 
				+    - clean: True
			
 
				+    - watch_in:
			
 
				+      - cmd: nginx-configtest
			
 
				+
			
 
				 # Disable default configuration
			
 
				 /etc/nginx/sites-enabled/default:
			
 
				   file.absent:
			
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -42,12 +42,6 @@ http {
 
				 	ssl_dhparam /etc/ssl/dhparam.pem;
			
 
				 	ssl_ecdh_curve secp384r1;
			
 
				 	ssl_session_cache shared:SSL:10m;
			
 
				-	add_header Strict-Transport-Security "max-age=2592000; preload";
			
 
				-	add_header X-Frame-Options SAMEORIGIN;
			
 
				-	add_header X-Content-Type-Options nosniff;
			
 
				-	add_header X-XSS-Protection "1; mode=block";
			
 
				-	add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' always; upgrade-insecure-requests";
			
 
				-	add_header Referrer-Policy "strict-origin-when-cross-origin";
			
 
				 	ssl_session_timeout 1d;
			
 
				 
			
 
				 	##
			
@@ -78,25 +72,3 @@ http {
 
				 	include /etc/nginx/conf.d/*.conf;
			
 
				 	include /etc/nginx/sites-enabled/*;
			
 
				 }
			
 
				-
			
 
				-
			
 
				-#mail {
			
 
				-#	# See sample authentication script at:
			
 
				-#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
			
 
				-# 
			
 
				-#	# auth_http localhost/auth.php;
			
 
				-#	# pop3_capabilities "TOP" "USER";
			
 
				-#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
			
 
				-# 
			
 
				-#	server {
			
 
				-#		listen     localhost:110;
			
 
				-#		protocol   pop3;
			
 
				-#		proxy      on;
			
 
				-#	}
			
 
				-# 
			
 
				-#	server {
			
 
				-#		listen     localhost:143;
			
 
				-#		protocol   imap;
			
 
				-#		proxy      on;
			
 
				-#	}
			
 
				-#}
			
--- a/nginx/www2.ffho.net
+++ b/nginx/www2.ffho.net
@@ -0,0 +1,38 @@
 
				+#
			
 
				+# /etc/nginx/sites-enabled/www2.ffho.net (Salt managed)
			
 
				+#
			
 
				+
			
 
				+{%- set acme_thumbprint = salt['pillar.get']('acme:thumbprint', False) %}
			
 
				+
			
 
				+server {
			
 
				+	listen 443;
			
 
				+	listen [::]:443;
			
 
				+
			
 
				+	ssl on;
			
 
				+	ssl_certificate /etc/ssl/certs/www2.ffho.net.cert.pem;
			
 
				+	ssl_certificate_key /etc/ssl/private/www2.ffho.net.key.pem;
			
 
				+
			
 
				+	include /etc/nginx/ffho.d/add-headers.conf;
			
 
				+
			
 
				+	root /srv/www2/
			
 
				+
			
 
				+	server_name www2.ffho.net
			
 
				+	fancyindex on;
			
 
				+	fancyindex_exact_size off;
			
 
				+	fancyindex_name_length 70;
			
 
				+	fancyindex_header /header.html;
			
 
				+	fancyindex_localtime on;
			
 
				+	fancyindex_default_sort name;
			
 
				+
			
 
				+	location / {
			
 
				+		try_files $uri $uri/ /index.html =404;
			
 
				+		fancyindex_ignore header.html favicon.ico models-short.txt models.txt robots.txt scripts;
			
 
				+	}
			
 
				+
			
 
				+  {%- if acme_thumbprint %}
			
 
				+	location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
			
 
				+		default_type text/plain;
			
 
				+		return 200 "$1.{{ acme_thumbprint }}";
			
 
				+	}
			
 
				+  {%- endif %}
			
 
				+}