
Update Nginx config + SFTP http authentication + SQLite db from sql

main
Miraty 3 months ago
parent
commit
5db15e973e
  1. 2
      README.md
  2. 1
      mkosi.default
  3. 11
      mkosi.extra/etc/nginx/inc/ffdhe3072.pem
  4. 13
      mkosi.extra/etc/nginx/inc/ffdhe4096.pem
  5. 3
      mkosi.extra/etc/nginx/inc/ht-onion.conf
  6. 4
      mkosi.extra/etc/nginx/inc/ht-tls.conf
  7. 6
      mkosi.extra/etc/nginx/inc/ht.conf
  8. 1003
      mkosi.extra/etc/nginx/inc/nginx-types.conf
  9. 5
      mkosi.extra/etc/nginx/inc/niver.conf
  10. 16
      mkosi.extra/etc/nginx/inc/security.conf
  11. 5
      mkosi.extra/etc/nginx/inc/tls-inter.conf
  12. 6
      mkosi.extra/etc/nginx/inc/tls-laxist.conf
  13. 4
      mkosi.extra/etc/nginx/inc/tls-strict.conf
  14. 2
      mkosi.extra/etc/nginx/inc/tls.conf
  15. 27
      mkosi.extra/etc/nginx/nginx.conf
  16. 14
      mkosi.extra/etc/nginx/sites/sftpgo-auth.conf
  17. 4
      mkosi.postinst
  18. 3
      mkosi.prepare
  19. 2
      mkosi.skeleton/etc/sftpgo/sftpgo.toml
  20. 2
      mkosi.skeleton/srv/php/niver

2
README.md

@ -18,7 +18,7 @@ The full explanation of the structure in this repository can be found on the mko
1. Load configuration from `mkosi.default` and `mkosi.default.d/<sysid>/mkosi.default`
2. Add `mkosi.skeleton`
3. Install packages
3. Install packages according to configuration
4. Run `mkosi.prepare`
5. Add `mkosi.extra`
6. Run `mkosi.postinst`

1
mkosi.default

@ -20,6 +20,7 @@ Packages =
cargo
sudo
git
sqlite3
man-db
curl
lsof

11
mkosi.extra/etc/nginx/inc/ffdhe3072.pem

@ -1,11 +0,0 @@
-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----

13
mkosi.extra/etc/nginx/inc/ffdhe4096.pem

@ -1,13 +0,0 @@
-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----

3
mkosi.extra/etc/nginx/inc/ht-onion.conf

@ -0,0 +1,3 @@
more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self' 'unsafe-inlinde' http: data:; img-src 'self' http: data:; font-src 'self' http: data:; media-src 'self' http: data:; frame-ancestors 'none'; form-action 'none';";
include inc/ht.conf
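Review bot: `include inc/ht.conf` on the last line has no terminating semicolon, so nginx refuses this file at load time (an "unexpected end of file, expecting ";" or "}"" error); the same line in inc/ht-tls.conf lacks it too, and there the parser folds the following `include inc/tls.conf;` into one `include` directive with too many arguments. Change it to `include inc/ht.conf;` in both files. The CSP on the first line also spells the keyword as `'unsafe-inlinde'`, again mirrored in ht-tls.conf; browsers discard unrecognised source expressions, so style-src is effectively `'self' http: data:` and inline styles are blocked, which is stricter than intended rather than weaker. Use `'unsafe-inline'` if inline styles are wanted, or drop the token if they are not.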

4
mkosi.extra/etc/nginx/inc/ht-tls.conf

@ -0,0 +1,4 @@
more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self' 'unsafe-inlinde' https: data:; img-src 'self' https: data:; font-src 'self' https: data:; media-src 'self' https: data:; frame-ancestors 'none'; form-action 'none';";
include inc/ht.conf
include inc/tls.conf;

6
mkosi.extra/etc/nginx/inc/ht.conf

@ -0,0 +1,6 @@
location / {
index index.gmi index.md index.html;
try_files $uri $uri/ =404;
}
include inc/errors.conf;
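Review bot: This shared location block says nothing about who includes it or what it serves, which invites editing it without regard to its two callers; a header such as `# Shared static-site handling, included by inc/ht-onion.conf and inc/ht-tls.conf` would help. `index index.gmi index.md index.html;` also depends on inc/nginx-types.conf mapping .gmi and .md to a sensible Content-Type; that file is part of this commit but suppressed on this page, so I could not confirm it.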

1003
mkosi.extra/etc/nginx/inc/nginx-types.conf

File diff suppressed because it is too large

5
mkosi.extra/etc/nginx/inc/niver.conf

@ -1,5 +0,0 @@
more_set_headers "Content-Security-Policy : default-src 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'none';";
default_type text/plain;
include inc/tls.conf;

16
mkosi.extra/etc/nginx/inc/security.conf

@ -1,16 +0,0 @@
more_set_headers "X-Content-Type-Options : nosniff";
#more_set_headers "X-XSS-Protection : 1; mode=block";
#more_set_headers "X-Download-Options : noopen";
#more_set_headers "X-Permitted-Cross-Domain-Policies : none";
#more_set_headers "X-Frame-Options : DENY";
more_set_headers "Referrer-Policy : no-referrer";
more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
more_clear_headers Server;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_early_data off;

5
mkosi.extra/etc/nginx/inc/tls-inter.conf

@ -1,5 +0,0 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve X25519:X448;
include inc/security.conf;

6
mkosi.extra/etc/nginx/inc/tls-laxist.conf

@ -1,6 +0,0 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM8:DHE-RSA-AES256-CCM8:DHE-RSA-AES128-CCM:DHE-RSA-AES256-CCM;
ssl_ecdh_curve X25519:X448:secp521r1:secp384r1:prime256v1;
ssl_dhparam inc/ffdhe3072.pem;
include inc/security.conf;

4
mkosi.extra/etc/nginx/inc/tls-strict.conf

@ -1,4 +0,0 @@
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:X448;
include inc/security.conf;

2
mkosi.extra/etc/nginx/inc/tls.conf

@ -1,4 +1,2 @@
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:X448;
include inc/security.conf;

27
mkosi.extra/etc/nginx/nginx.conf

@ -7,8 +7,8 @@ events {
}
http {
types_hash_bucket_size 128; # Default: 64
types_hash_max_size 1024; # Default: 1024
types_hash_bucket_size 128;
types_hash_max_size 1024;
server_names_hash_bucket_size 128;
# Performance optimisation
@ -24,15 +24,28 @@ http {
gzip_static on;
# Logging
log_format niver '|$time_local| [$remote_addr]@$server_name {$ssl_protocol $ssl_cipher} "$request" $status $body_bytes_sent "$http_user_agent"';
log_format niver '|$time_local| [$remote_addr]@$server_name {$ssl_protocol $ssl_cipher} $status $body_bytes_sent "$request" "$http_user_agent"';
access_log /var/log/nginx/access.log niver;
error_log /var/log/nginx/error.log notice;
# Possible security threats
server_tokens off;
# Disable useless/dangerous features
etag off;
autoindex off;
gzip off;
server_tokens off;
more_clear_headers Server;
# Basic security headers
more_set_headers "Referrer-Policy : no-referrer";
more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
more_set_headers "X-Content-Type-Options : nosniff";
#more_set_headers "X-XSS-Protection : 1; mode=block";
#more_set_headers "X-Download-Options : noopen";
#more_set_headers "X-Permitted-Cross-Domain-Policies : none";
#more_set_headers "X-Frame-Options : DENY";
# Basic TLS settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Include other configuration
include sites/*.conf;
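Review bot: The `# Basic TLS settings` block carries over only three of the five ssl_ directives from the deleted inc/security.conf; `ssl_prefer_server_ciphers off;` and `ssl_early_data off;` are not re-added. Both match nginx's defaults, so behaviour is unchanged, but since this block is now the single explicit TLS baseline I would restore `ssl_early_data off;` with a comment such as `# 0-RTT stays off: early data is replayable` so a later edit does not enable it unnoticed. The `more_set_headers` lines now apply to every server under http{}, including the loopback sftpgo-auth listener and any plain-HTTP/onion servers; HSTS is ignored by browsers over HTTP, so that is harmless, but a one-line comment saying the headers are global would avoid a later per-site duplicate. The http{} block closes outside this hunk.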

14
mkosi.extra/etc/nginx/sites/sftpgo-auth.conf

@ -0,0 +1,14 @@
server {
listen [::1]:8055;
root /srv/php/niver/;
include inc/errors.conf;
location / {
try_files /sftpgo-auth.php =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/niver.sock;
include inc/fastcgi.conf;
}
}
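Review bot: The only thing restricting this authentication endpoint is the `listen [::1]:8055;` loopback bind; any local process able to reach that port can submit requests to sftpgo-auth.php and read its replies, and php-fpm handles them as the niver pool user. That is probably acceptable for a single-purpose image, but the file should say so: `# Internal SFTPGo external_auth_hook target (see sftpgo.toml); loopback only, never expose` above the server block. If SFTPGo only ever calls the hook with POST (which is my understanding of the external auth hook), `limit_except POST { deny all; }` inside `location /` would keep the script from being reached by a stray GET. `inc/errors.conf` and `inc/fastcgi.conf` are outside this diff, so I could not check what they set.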

4
mkosi.postinst

@ -43,10 +43,6 @@ chown -R php-niver:nginx /srv/php/niver
chmod -R u=rX,g=rX,o=X /srv/php/niver
chmod -R u=rwX,g=rX,o= /srv/php/niver/public/css/
chmod -R u=rwX,g=,o= /srv/php/niver/db /srv/php/niver/niver.log
chown sftpgo:sftpgo /srv/php/niver/sftpgo-auth.php
chmod -R u=rx,g=rx,o= /srv/php/niver/sftpgo-auth.php
chown sftpgo:sftpgo /srv/php/niver/auth.log
chmod -R u=rw,g=rw,o= /srv/php/niver/auth.log
# Load configuration in Knot database
sudo -u knot knotc conf-import /etc/knot/knot.conf
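Review bot: With the sftpgo chown/chmod lines removed, nothing grants write access to /srv/php/niver/auth.log any more: the tree is `u=rX,g=rX,o=X` and only `db` and `niver.log` are reopened for writing on the line above. The auth script is now executed by php-fpm through the niver socket, so if sftpgo-auth.php still appends to auth.log those writes will fail (I cannot see the PHP side; the submodule bump in this commit may have moved that logging into niver.log). Either add the file to the writable set, `chmod -R u=rwX,g=,o= /srv/php/niver/db /srv/php/niver/niver.log /srv/php/niver/auth.log`, or remove it from the image if it is no longer used. The rest of the script is outside this hunk.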

3
mkosi.prepare

@ -28,3 +28,6 @@ ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp
# Generate SFTPGo key pair
ssh-keygen -f /etc/sftpgo/ed25519 -t ed25519 -N ""
ssh-keygen -lvf /etc/sftpgo/ed25519 > /etc/sftpgo/ed25519.fp
# Create database
sqlite3 /srv/php/niver/db/niver.db < /srv/php/niver/db/source.sql
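Review bot: The new `sqlite3 … < source.sql` line has no error handling: if source.sql fails partway, or niver.db already exists and the schema clashes, the build continues with a half-initialised database unless the script runs under `set -e`, which is outside this hunk. Appending `|| exit 1` — `sqlite3 /srv/php/niver/db/niver.db < /srv/php/niver/db/source.sql || exit 1` — makes the image build fail instead. The database is created as root here and relies on the `chown -R php-niver:nginx /srv/php/niver` and `chmod -R u=rwX,g=,o= /srv/php/niver/db` in mkosi.postinst to fix ownership and mode later; a comment on this line naming that dependency would keep the two scripts in step.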

2
mkosi.skeleton/etc/sftpgo/sftpgo.toml

@ -33,7 +33,7 @@ address = "127.0.0.1"
[data_provider]
driver = "memory"
users_base_dir = "/srv/ht"
external_auth_hook = "/srv/php/niver/sftpgo-auth.php"
external_auth_hook = "http://[::1]:8055/sftpgo-auth.php"
external_auth_scope = 0
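Review bot: `external_auth_hook` now points at a plain-HTTP URL, and as I understand SFTPGo's external auth hook it sends the login username and password in the request body; over `[::1]` that never leaves the host, but the file should record the constraint: `# HTTP hook served by nginx sites/sftpgo-auth.conf on loopback only; credentials travel in the request body, so do not move this off ::1`. The port and script name must also match the nginx site, which is the only other place they appear.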
[[httpd.bindings]]

2
mkosi.skeleton/srv/php/niver

@ -1 +1 @@
Subproject commit f773c2fe8e49d070490a52452d750d205efe4ce0
Subproject commit 7964b86c70332ad2d5779cc0ab6a8ba476857aaa