forked from GNUsocial/gnu-social
[TOOLS][SSL] Added bin/boostrap_certificates.sh, allowing for easy configuration of SSL certificates with Let's Encrypt
This commit is contained in:
Hugo Sales
90
docker/nginx/nginx.conf
Normal file
90
docker/nginx/nginx.conf
Normal file
@@ -0,0 +1,90 @@
|
||||
server {
|
||||
|
||||
listen [::]:80;
|
||||
listen 80;
|
||||
|
||||
server_name %hostname%;
|
||||
|
||||
# redirect all traffic to HTTPS
|
||||
rewrite ^ https://$host$request_uri? permanent;
|
||||
}
|
||||
|
||||
server {
|
||||
|
||||
include ssl-common.conf
|
||||
|
||||
root /var/www/social/public;
|
||||
|
||||
# Server name
|
||||
server_name %hostname%;
|
||||
|
||||
# Index
|
||||
index index.php;
|
||||
|
||||
# X-Accel/X-Sendfile. Still needs to be enabled in the config
|
||||
location /file {
|
||||
internal;
|
||||
root /var/www/social;
|
||||
}
|
||||
|
||||
# PHP
|
||||
location ~ ^/(index|install)\.php(/.*)?$ {
|
||||
include fastcgi_params;
|
||||
|
||||
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||
set $path_info $fastcgi_path_info;
|
||||
try_files $fastcgi_script_name =404;
|
||||
|
||||
fastcgi_pass php:9000;
|
||||
fastcgi_index index.php;
|
||||
|
||||
fastcgi_param PATH_INFO $path_info;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
}
|
||||
|
||||
# Don't allow any PHP file other than index.php to be executed
|
||||
# This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
|
||||
# And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
|
||||
location ~ \.php$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Location
|
||||
location / {
|
||||
try_files $uri $uri/ @index_handler;
|
||||
}
|
||||
|
||||
# Fancy URLs
|
||||
error_page 404 @index_handler;
|
||||
location @index_handler {
|
||||
rewrite ^(.*)$ /index.php?p=$1 last;
|
||||
}
|
||||
|
||||
# Restrict access that is unnecessary anyway
|
||||
location ~ /\.(ht|git) {
|
||||
deny all;
|
||||
}
|
||||
|
||||
#
|
||||
# Hardening (optional)
|
||||
#
|
||||
add_header Strict-Transport-Security "max-age=15768000; preload;";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header Referrer-Policy strict-origin-when-cross-origin;
|
||||
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
|
||||
|
||||
client_max_body_size 15M;
|
||||
client_body_buffer_size 128k;
|
||||
gzip_vary on;
|
||||
|
||||
location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
|
||||
gzip on;
|
||||
gzip_comp_level 4;
|
||||
add_header Cache-Control "public";
|
||||
expires 30d;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
}
|
||||
10
docker/nginx/ssl-common.conf
Normal file
10
docker/nginx/ssl-common.conf
Normal file
@@ -0,0 +1,10 @@
|
||||
|
||||
listen [::]:443 ssl http2;
|
||||
listen 443 ssl http2;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/hsal.es/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/hsal.es/privkey.pem;
|
||||
|
||||
# Let's Encrypt best practices
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
Reference in New Issue
Block a user