From e91ff95efa738dae0293f7e23b05c91df32c1e45 Mon Sep 17 00:00:00 2001
From: CrazyMax
Date: Sat, 22 Jul 2023 01:57:12 +0200
Subject: [PATCH 1/2] nginx: fix http2 directive

---
 examples/nginx/nginx/templates/default.conf.template | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/examples/nginx/nginx/templates/default.conf.template b/examples/nginx/nginx/templates/default.conf.template
index ce59f68..7babf0a 100644
--- a/examples/nginx/nginx/templates/default.conf.template
+++ b/examples/nginx/nginx/templates/default.conf.template
@@ -7,9 +7,10 @@ server {
 }

 server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name example.com;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ server_name example.com;
 server_tokens off;

 add_header X-Frame-Options "SAMEORIGIN";

From 0536f0e3a26635786ebc8ef01cea89807e868b7e Mon Sep 17 00:00:00 2001
From: CrazyMax
Date: Sat, 22 Jul 2023 01:58:00 +0200
Subject: [PATCH 2/2] nginx: lint config

---
 .../nginx/templates/default.conf.template | 108 +++++++++---------
 .../nginx/templates/mta-sts.conf.template | 8 +-
 2 files changed, 57 insertions(+), 59 deletions(-)

diff --git a/examples/nginx/nginx/templates/default.conf.template b/examples/nginx/nginx/templates/default.conf.template
index 7babf0a..d69f802 100644
--- a/examples/nginx/nginx/templates/default.conf.template
+++ b/examples/nginx/nginx/templates/default.conf.template
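Review bot: `http2 on;` is a directive that only exists from nginx 1.25.1 onward, so on any older image the replacement for the removed `listen ... http2` flags makes `nginx -t` fail with an unknown-directive error, and nothing in this hunk records that minimum. The commit does not show which image tag the example runs on; if it is not pinned at or above that release the container will not start at all. A one-line comment above the directive, `# http2 directive requires nginx >= 1.25.1 (replaces the deprecated "listen ... http2" flag)`, would make the constraint visible to anyone copying the template. The server block continues past the end of the hunk.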
@@ -7,59 +7,57 @@ server {
 }

 server {
- listen 443 ssl;
- listen [::]:443 ssl;
- http2 on;
- server_name example.com;
- server_tokens off;
-
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Content-Type-Options "nosniff";
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'";
- add_header Referrer-Policy "origin-when-cross-origin";
- add_header Expect-CT "enforce, max-age=604800";
-
- charset utf-8;
-
- ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
-
- ssl_prefer_server_ciphers on;
- ssl_session_timeout 5m;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
- ssl_ecdh_curve secp384r1;
- ssl_session_cache shared:SSL:20m;
- ssl_session_tickets off;
- ssl_dhparam /etc/ssl/dhparam.pem;
-
- location = /robots.txt {
- add_header Content-Type text/plain;
- return 200 "User-agent: *\nDisallow: /\n";
- }
-
- location /rspamd {
- proxy_pass http://anonaddy:11334;
-
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location / {
- proxy_pass http://anonaddy:8000;
-
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 90s;
- }
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ server_name example.com;
+ server_tokens off;
+
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'";
+ add_header Referrer-Policy "origin-when-cross-origin";
+ add_header Expect-CT "enforce, max-age=604800";
+
+ charset utf-8;
+
+ ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
+
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ ssl_ecdh_curve secp384r1;
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_tickets off;
+ ssl_dhparam /etc/ssl/dhparam.pem;
+
+ location = /robots.txt {
+ add_header Content-Type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+
+ location /rspamd {
+ proxy_pass http://anonaddy:11334;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location / {
+ proxy_pass http://anonaddy:8000;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 90s;
+ }
 }
diff --git a/examples/nginx/nginx/templates/mta-sts.conf.template b/examples/nginx/nginx/templates/mta-sts.conf.template
index e7649a5..75caf88 100644
--- a/examples/nginx/nginx/templates/mta-sts.conf.template
+++ b/examples/nginx/nginx/templates/mta-sts.conf.template
@@ -26,9 +26,9 @@ server { location @mta-sts { return 200 "version: STSv1 -mode: enforce -max_age: 86400 -mx: example.com -mx: example.com\n"; + mode: enforce + max_age: 86400 + mx: example.com + mx: example.com\n"; } }
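Review bot: The four `+` lines inside `location @mta-sts` sit within the `return 200 "..."` string literal, so the indentation the linter added is served as part of the policy body: every field after `version: STSv1` now begins with whitespace instead of at column 0. RFC 8461's policy grammar allows whitespace after a field but not before it, so a strict MTA-STS client may treat the policy as unparseable, and an unparseable policy is discarded and mail is delivered as though no policy existed, which silently defeats `mode: enforce`. Keep the policy lines at column 0 as they were, or collapse the body into one line with explicit escapes so the directive can be indented freely, e.g. `return 200 "version: STSv1\nmode: enforce\nmax_age: 86400\nmx: example.com\n";`. The hunk header's old-side count also suggests a blank context line whose position was lost when the page was collapsed, so the surrounding lines should be re-checked against the file.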