Browse Source

nginx: Set headers only once, log per domain, add www.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm 4 years ago
parent
commit
9cad2e15e0
6 changed files with 68 additions and 28 deletions
  1. 5 0
      nginx/ff-frontend.conf
  2. 7 0
      nginx/ffho.d/add-headers.conf
  3. 7 0
      nginx/ffho.d/proxy-headers.conf
  4. 11 0
      nginx/init.sls
  5. 0 28
      nginx/nginx.conf
  6. 38 0
      nginx/www2.ffho.net

+ 5 - 0
nginx/ff-frontend.conf

@@ -32,6 +32,9 @@ server {
 	server_name "{{ domain }}";
   {%- endif %}
 
+	access_log /var/log/nginx/{{ domain }}.access.log;
+	error_log /var/log/nginx/{{ domain }}.error.log;
+
   {%- if https %}
 	ssl on;
 	ssl_certificate /etc/ssl/certs/{{ domain }}.cert.pem;
@@ -44,6 +47,7 @@ server {
 		proxy_redirect		default;
 		proxy_set_header	Host "{{ host }}";
 		proxy_set_header	X-Forwarded-For $remote_addr;
+		include			/etc/nginx/ffho.d/proxy-headers.conf;
 	}
   {%- elif 'redirect' in config %}
 	location / {
@@ -58,6 +62,7 @@ server {
 		proxy_redirect		default;
 		proxy_set_header	Host "{{ loc_host }}";
 		proxy_set_header	X-Forwarded-For $remote_addr;
+		include			/etc/nginx/ffho.d/proxy-headers.conf;
       {%- elif 'redirect' in loc_conf %}
 		return 302 {{ loc_conf.redirect }};
       {%- endif %}

+ 7 - 0
nginx/ffho.d/add-headers.conf

@@ -0,0 +1,7 @@
+# Include for header to be set in webserver mode (Salt managed)
+add_header	X-Frame-Options "SAMEORIGIN; always;";
+add_header	X-Content-Type-Options nosniff;
+add_header	X-XSS-Protection "1; mode=block";
+add_header	Strict-Transport-Security "max-age=15552000;includeSubDomains";
+add_header	Content-Security-Policy "default-src blob: https: data: 'unsafe-inline' 'unsafe-eval' always; upgrade-insecure-requests";
+add_header	Referrer-Policy "strict-origin-when-cross-origin";

+ 7 - 0
nginx/ffho.d/proxy-headers.conf

@@ -0,0 +1,7 @@
+# Include for headers to be (re)set in proxy mode (Salt managed)
+proxy_set_header	X-Frame-Options "SAMEORIGIN; always;";
+proxy_set_header	X-Content-Type-Options nosniff;
+proxy_set_header	X-XSS-Protection "1; mode=block";
+proxy_set_header 	Strict-Transport-Security "max-age=15552000;includeSubDomains";
+proxy_set_header	Content-Security-Policy "default-src blob: https: data: 'unsafe-inline' 'unsafe-eval' always; upgrade-insecure-requests";
+proxy_set_header	Referrer-Policy "strict-origin-when-cross-origin";

+ 11 - 0
nginx/init.sls

@@ -38,6 +38,17 @@ nginx-cache:
     - watch_in:
       - cmd: nginx-configtest
 
+/etc/nginx/ffho.d:
+  file.recurse:
+    - source: salt://nginx/ffho.d
+    - file_mode: 755
+    - dir_mode: 755
+    - user: root
+    - group: root
+    - clean: True
+    - watch_in:
+      - cmd: nginx-configtest
+
 # Disable default configuration
 /etc/nginx/sites-enabled/default:
   file.absent:

+ 0 - 28
nginx/nginx.conf

@@ -42,12 +42,6 @@ http {
 	ssl_dhparam /etc/ssl/dhparam.pem;
 	ssl_ecdh_curve secp384r1;
 	ssl_session_cache shared:SSL:10m;
-	add_header Strict-Transport-Security "max-age=2592000; preload";
-	add_header X-Frame-Options SAMEORIGIN;
-	add_header X-Content-Type-Options nosniff;
-	add_header X-XSS-Protection "1; mode=block";
-	add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' always; upgrade-insecure-requests";
-	add_header Referrer-Policy "strict-origin-when-cross-origin";
 	ssl_session_timeout 1d;
 
 	##
@@ -78,25 +72,3 @@ http {
 	include /etc/nginx/conf.d/*.conf;
 	include /etc/nginx/sites-enabled/*;
 }
-
-
-#mail {
-#	# See sample authentication script at:
-#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-# 
-#	# auth_http localhost/auth.php;
-#	# pop3_capabilities "TOP" "USER";
-#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
-# 
-#	server {
-#		listen     localhost:110;
-#		protocol   pop3;
-#		proxy      on;
-#	}
-# 
-#	server {
-#		listen     localhost:143;
-#		protocol   imap;
-#		proxy      on;
-#	}
-#}

+ 38 - 0
nginx/www2.ffho.net

@@ -0,0 +1,38 @@
+#
+# /etc/nginx/sites-enabled/www2.ffho.net (Salt managed)
+#
+
+{%- set acme_thumbprint = salt['pillar.get']('acme:thumbprint', False) %}
+
+server {
+	listen 443;
+	listen [::]:443;
+
+	ssl on;
+	ssl_certificate /etc/ssl/certs/www2.ffho.net.cert.pem;
+	ssl_certificate_key /etc/ssl/private/www2.ffho.net.key.pem;
+
+	include /etc/nginx/ffho.d/add-headers.conf;
+
+	root /srv/www2/
+
+	server_name www2.ffho.net
+	fancyindex on;
+	fancyindex_exact_size off;
+	fancyindex_name_length 70;
+	fancyindex_header /header.html;
+	fancyindex_localtime on;
+	fancyindex_default_sort name;
+
+	location / {
+		try_files $uri $uri/ /index.html =404;
+		fancyindex_ignore header.html favicon.ico models-short.txt models.txt robots.txt scripts;
+	}
+
+  {%- if acme_thumbprint %}
+	location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
+		default_type text/plain;
+		return 200 "$1.{{ acme_thumbprint }}";
+	}
+  {%- endif %}
+}