Catching up Webserver config

DarkFeather 2022-12-18 22:21:39 -06:00
parent 72a62b63eb
commit 890e20c64c
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
10 changed files with 81 additions and 46 deletions


@ -1,21 +1,12 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
server_name default_server; server_name default_server;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
rewrite ^/(.*)$ https://aninix.net/$1 permanent;
}
server {
listen 443 ssl http2;
server_name aninix.net;
include sec.conf; include sec.conf;
include letsencrypt.conf;
include default.csp.conf; include default.csp.conf;
include letsencrypt.conf;
location / { location / {
rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html; rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
@ -54,3 +45,16 @@ server {
} }
} }
server {
listen 443 ssl http2;
server_name foundation.aninix.net;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
location / {
rewrite ^/(.*)$ https://aninix.net/$1 permanent;
}
}
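Review bot: After this hunk the aninix.net content is served from a server{} whose only name is `server_name default_server;` — as far as the collapsed hunk shows, `server_name aninix.net;` was removed, and `default_server` in a server_name is a literal hostname, not the `listen` flag that makes a block the catch-all. If that reading is right, the block only answers for aninix.net because nginx falls back to the first server{} on the port for unmatched SNI names; the explicit form is `listen 443 ssl http2 default_server;` together with `server_name aninix.net;`. The combined server{} continues outside the hunk, so a `server_name` further down would change this. In the second hunk, the new foundation.aninix.net block would read more idiomatically as `return 301 https://aninix.net$request_uri;` than `rewrite ^/(.*)$ https://aninix.net/$1 permanent;`, which avoids a regex capture for a whole-site redirect.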


@ -4,7 +4,6 @@ server {
include sec.conf; include sec.conf;
include default.csp.conf; include default.csp.conf;
include letsencrypt.conf;
location / location /
{ {
@ -19,4 +18,7 @@ server {
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-PORT $remote_port; proxy_set_header X-Real-PORT $remote_port;
} }
include letsencrypt.conf;
} }
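Review bot: Moving `include letsencrypt.conf;` from before `location /` to after the location block (here and in the autoindex vhost later in this commit) has no effect on matching: letsencrypt.conf now holds a prefix `location /.well-known/acme-challenge`, and nginx picks prefix locations by longest match regardless of where they appear inside server{}. A reader will assume the order matters, so a one-line comment where the include now lands would stop the next person moving it back, e.g. `include letsencrypt.conf; # ACME challenge location; placement within server{} is not order-sensitive`. The enclosing server{} starts before the first hunk.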


@ -15,15 +15,15 @@ server {
location / location /
{ {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://geth.msn0.aninix.net:8123; proxy_pass http://geth.msn0.aninix.net:8123;
proxy_redirect http:// https://; proxy_redirect http:// https://;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 86400; proxy_read_timeout 86400;
} }
} }


@ -2,7 +2,7 @@ server {
listen 443 ssl; listen 443 ssl;
server_name lykos.aninix.net; server_name lykos.aninix.net;
include letsencrypt.conf; # include local.conf;
root /usr/share/webapps/; root /usr/share/webapps/;
@ -34,4 +34,6 @@ server {
deny all; deny all;
} }
include letsencrypt.conf;
} }
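Review bot: `# include local.conf;` is a commented-out directive that takes the place of the old `include letsencrypt.conf;` at the top of the block, with no note on what local.conf provides or when it should be enabled; the same commented include appears in the new travelpawscvt.com vhost. A dead directive in config tends to get re-enabled by guesswork later, so either drop it or annotate it, e.g. `# include local.conf;  # TODO(owner): state what local.conf gates before enabling`. The server{} starts above the first hunk and its TLS settings are not visible here, so I cannot tell whether it picks up sec.conf.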


@ -6,28 +6,30 @@ server {
include default.csp.conf; include default.csp.conf;
include letsencrypt.conf; include letsencrypt.conf;
root /usr/share/webapps/self-service-password/htdocs/; location / {
root /usr/share/webapps/self-service-password/htdocs/;
# https://ltb-project.org/documentation/self-service-password/1.3/config_nginx # https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
index index.php index.html index.htm; index index.php index.html index.htm;
# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
sendfile off; sendfile off;
gzip on; gzip on;
gzip_comp_level 6; gzip_comp_level 6;
gzip_min_length 1000; gzip_min_length 1000;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js; gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
gzip_vary on; gzip_vary on;
gzip_proxied any; gzip_proxied any;
gzip_disable "MSIE [1-6]\.(?!.*SV1)"; gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# Add stdout logging # Add stdout logging
#error_log /dev/stdout warn; #error_log /dev/stdout warn;
#access_log /dev/stdout info; #access_log /dev/stdout info;
include ../conf.d/fastcgi.config; include ../conf.d/fastcgi.config;
}
# deny access to . files, for security # deny access to . files, for security
# #
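Review bot: Inside the new `location / {` block, `gzip on;` applies to the dynamic PHP responses of the self-service-password app, since text/html is always compressed and `gzip_types` adds application/json; compressing TLS responses that carry per-session secrets alongside request-reflected input is the precondition for BREACH-style compression side channels, and a password self-service page is where that matters most. Consider limiting compression to static assets (a separate location for css/js/images) or setting `gzip off;` wherever fastcgi.config, which is not visible here, hands requests to PHP. The `sendfile off;` comment cites Vagrant synced folders, which reads as a leftover from a dev box; if it is still needed on this host, say why, otherwise drop both lines. The server{} starts before the hunk, and the dot-file deny location that the trailing comment introduces lies outside it.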


@ -0,0 +1,14 @@
server {
listen 443 ssl;
server_name travelpawscvt.com;
#include local.conf;
include letsencrypt.conf;
include ../conf.d/fastcgi.config;
root /opt/travelpawscvt;
client_max_body_size 5m;
client_body_timeout 60;
}
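Review bot: The new travelpawscvt.com server{} omits `include sec.conf;` and `include default.csp.conf;`, which every other vhost in this commit includes; with sec.conf now carrying the `ssl_certificate`/`ssl_certificate_key` lines (see the sec.conf.j2 template in this commit), a `listen 443 ssl` block without it has no certificate unless one is set at http{} level, which is not visible here, and it also gets no HSTS, cipher policy or CSP headers. Adding `include sec.conf;` and `include default.csp.conf;` after the `server_name` line would align it with the others. Note also that sec.conf points at `/etc/letsencrypt/live/{{ ssl.identity }}/`, so that certificate must list travelpawscvt.com as a SAN for this name to serve at all.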


@ -4,7 +4,6 @@ server {
include sec.conf; include sec.conf;
include default.csp.conf; include default.csp.conf;
include letsencrypt.conf;
location / location /
{ {
@ -12,4 +11,6 @@ server {
autoindex on; autoindex on;
autoindex_format html; autoindex_format html;
} }
include letsencrypt.conf;
} }


@ -1,5 +1,4 @@
location ~ ^/.well-known/acme-challenge location /.well-known/acme-challenge {
{
allow all; allow all;
root /var/lib/letsencrypt/; root /var/lib/letsencrypt/;
default_type "text/plain"; default_type "text/plain";
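Review bot: `location /.well-known/acme-challenge {` is a plain prefix location, so any server-level regex location in a vhost that includes this file is tried after it and wins on a match; a dot-file deny rule of the kind the self-service-password vhost announces with `# deny access to . files` matches `/.well-known/...` and would block the ACME HTTP challenge there, whereas the old regex form at least competed in include order. Declaring it as `location ^~ /.well-known/acme-challenge {` stops the regex search once this prefix matches and keeps renewals independent of what the including vhost declares. The rest of the location block continues past the hunk.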


@ -53,6 +53,17 @@
mode: 0660 mode: 0660
register: conf register: conf
- name: Populate security config
become: yes
template:
src: sec.conf.j2
dest: /opt/openresty/nginx/conf/sec.conf
owner: http
group: http
mode: 0660
register: secconf
- name: Ensure default openresty service file is off. - name: Ensure default openresty service file is off.
become: yes become: yes
service: service:
@ -62,7 +73,7 @@
- name: Ensure service is started - name: Ensure service is started
become: yes become: yes
when: conf.changed or confd.changed when: conf.changed or confd.changed or secconf.changed
service: service:
name: "{{ item }}" name: "{{ item }}"
enabled: yes enabled: yes
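Review bot: The new `Populate security config` task only reaches the service through `secconf.changed` on `Ensure service is started`, and that task's `state:` is below the hunk; if it is `started`, as the task name suggests, rather than `restarted`/`reloaded`, a changed sec.conf — which now controls the certificate path and cipher list — never reaches an already-running openresty. The idiomatic shape is a `notify:` on each template task and a handler that runs `state: reloaded`, which also removes the growing `conf.changed or confd.changed or secconf.changed` condition. `mode: 0660` is an unquoted octal that works under YAML 1.1 but newer parsers and ansible-lint want `mode: "0660"`; the neighbouring task uses the same unquoted form, so fix both together or neither.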


@ -1,12 +1,12 @@
ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ ssl.identity }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aninix.net-0001/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ ssl.identity }}/privkey.pem;
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ciphers "{{ ssl.ciphersuite }}";
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload"; add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";
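Review bot: `ssl_ciphers "{{ ssl.ciphersuite }}";` replaces an explicit hardened list with an inventory variable whose definition is not in this commit, so the TLS baseline now lives wherever `ssl.ciphersuite` is set and an undefined or permissive value renders silently into every vhost. A `| default(...)` carrying the previous list, or at least a template comment recording it, keeps the baseline reviewable, e.g. `ssl_ciphers "{{ ssl.ciphersuite | default('!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH') }}";`. The same applies to `{{ ssl.identity }}`, which every `listen 443 ssl` vhost now depends on for its certificate path. Separately, the `add_header Strict-Transport-Security` here is inherited by location blocks only when they declare no `add_header` of their own, so any vhost location that adds a header silently drops HSTS; a comment on that line would save a future debugging session.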