Update Nginx config + SFTP http authentication + SQLite db from sql

README.md

@@ -18,7 +18,7 @@ The full explanation of the structure in this repository can be found on the mko
 
 1. Load configuration from `mkosi.default` and `mkosi.default.d/<sysid>/mkosi.default`
 2. Add `mkosi.skeleton`
-3. Install packages
+3. Install packages according to configuration
 4. Run `mkosi.prepare`
 5. Add `mkosi.extra`
 6. Run `mkosi.postinst`

mkosi.default

@@ -20,6 +20,7 @@ Packages =
 	cargo
 	sudo
 	git
+	sqlite3
 	man-db
 	curl
 	lsof

mkosi.extra/etc/nginx/inc/ffdhe3072.pem

@@ -1,11 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
-7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
-nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
-N///////////AgEC
------END DH PARAMETERS-----

mkosi.extra/etc/nginx/inc/ffdhe4096.pem

@@ -1,13 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
-7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
-nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
-8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
-iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
-zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
------END DH PARAMETERS-----

mkosi.extra/etc/nginx/inc/ht-onion.conf

@@ -0,0 +1,3 @@
+more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self' 'unsafe-inlinde' http: data:; img-src 'self' http: data:; font-src 'self' http: data:; media-src 'self' http: data:; frame-ancestors 'none'; form-action 'none';";
+
+include inc/ht.conf

mkosi.extra/etc/nginx/inc/ht-tls.conf

@@ -0,0 +1,4 @@
+more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self' 'unsafe-inlinde' https: data:; img-src 'self' https: data:; font-src 'self' https: data:; media-src 'self' https: data:; frame-ancestors 'none'; form-action 'none';";
+
+include inc/ht.conf
+include inc/tls.conf;

mkosi.extra/etc/nginx/inc/ht.conf

@@ -0,0 +1,6 @@
+location / {
+	index index.gmi index.md index.html;
+	try_files $uri $uri/ =404;
+}
+
+include inc/errors.conf;

mkosi.extra/etc/nginx/inc/niver.conf

@@ -1,5 +0,0 @@
-more_set_headers "Content-Security-Policy : default-src 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'none';";
-
-default_type text/plain;
-
-include inc/tls.conf; 

mkosi.extra/etc/nginx/inc/security.conf

@@ -1,16 +0,0 @@
-more_set_headers "X-Content-Type-Options : nosniff";
-#more_set_headers "X-XSS-Protection : 1; mode=block";
-#more_set_headers "X-Download-Options : noopen";
-#more_set_headers "X-Permitted-Cross-Domain-Policies : none";
-#more_set_headers "X-Frame-Options : DENY";
-more_set_headers "Referrer-Policy : no-referrer";
-more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
-more_clear_headers Server;
-
-ssl_prefer_server_ciphers off;
-
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
-ssl_session_tickets off;
-
-ssl_early_data off;

mkosi.extra/etc/nginx/inc/tls-inter.conf

@@ -1,5 +0,0 @@
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
-ssl_ecdh_curve X25519:X448;
-
-include inc/security.conf;

mkosi.extra/etc/nginx/inc/tls-laxist.conf

@@ -1,6 +0,0 @@
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM8:DHE-RSA-AES256-CCM8:DHE-RSA-AES128-CCM:DHE-RSA-AES256-CCM;
-ssl_ecdh_curve X25519:X448:secp521r1:secp384r1:prime256v1;
-ssl_dhparam inc/ffdhe3072.pem;
-
-include inc/security.conf;

mkosi.extra/etc/nginx/inc/tls-strict.conf

@@ -1,4 +0,0 @@
-ssl_protocols TLSv1.3;
-ssl_ecdh_curve X25519:X448;
-
-include inc/security.conf;

mkosi.extra/etc/nginx/inc/tls.conf

@@ -1,4 +1,2 @@
 ssl_protocols TLSv1.3;
 ssl_ecdh_curve X25519:X448;
-
-include inc/security.conf;

mkosi.extra/etc/nginx/nginx.conf

@@ -7,8 +7,8 @@ events {
 }
 
 http {
-	types_hash_bucket_size 128; # Default: 64
-	types_hash_max_size 1024; # Default: 1024
+	types_hash_bucket_size 128;
+	types_hash_max_size 1024;
 	server_names_hash_bucket_size 128;
 
 	# Performance optimisation
@@ -24,15 +24,28 @@ http {
 	gzip_static on;
 
 	# Logging
-	log_format niver '|$time_local| [$remote_addr]@$server_name {$ssl_protocol $ssl_cipher} "$request" $status $body_bytes_sent "$http_user_agent"';
+	log_format niver '|$time_local| [$remote_addr]@$server_name {$ssl_protocol $ssl_cipher} $status $body_bytes_sent "$request" "$http_user_agent"';
 	access_log /var/log/nginx/access.log niver;
 	error_log /var/log/nginx/error.log notice;
 
-	# Possible security threats
-	server_tokens off;
+	# Disable useless/dangerous features
 	etag off;
-	autoindex off;
-	gzip off;
+	server_tokens off;
+	more_clear_headers Server;
+
+	# Basic security headers
+	more_set_headers "Referrer-Policy : no-referrer";
+	more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
+	more_set_headers "X-Content-Type-Options : nosniff";
+	#more_set_headers "X-XSS-Protection : 1; mode=block";
+	#more_set_headers "X-Download-Options : noopen";
+	#more_set_headers "X-Permitted-Cross-Domain-Policies : none";
+	#more_set_headers "X-Frame-Options : DENY";
+
+	# Basic TLS settings
+	ssl_session_timeout 1d;
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;
 
 	# Include other configuration
 	include sites/*.conf;

mkosi.extra/etc/nginx/sites/sftpgo-auth.conf

@@ -0,0 +1,14 @@
+server {
+	listen [::1]:8055;
+
+	root /srv/php/niver/;
+
+	include inc/errors.conf;
+
+	location / {
+		try_files /sftpgo-auth.php =404;
+		fastcgi_split_path_info ^(.+\.php)(/.+)$;
+		fastcgi_pass unix:/run/php-fpm/niver.sock;
+		include inc/fastcgi.conf;
+	}
+}

mkosi.postinst

@@ -43,10 +43,6 @@ chown -R php-niver:nginx /srv/php/niver
 chmod -R u=rX,g=rX,o=X /srv/php/niver
 chmod -R u=rwX,g=rX,o= /srv/php/niver/public/css/
 chmod -R u=rwX,g=,o= /srv/php/niver/db /srv/php/niver/niver.log
-chown sftpgo:sftpgo /srv/php/niver/sftpgo-auth.php
-chmod -R u=rx,g=rx,o= /srv/php/niver/sftpgo-auth.php
-chown sftpgo:sftpgo /srv/php/niver/auth.log
-chmod -R u=rw,g=rw,o= /srv/php/niver/auth.log
 
 # Load configuration in Knot database
 sudo -u knot knotc conf-import /etc/knot/knot.conf

mkosi.prepare

@@ -28,3 +28,6 @@ ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp
 # Generate SFTPGo key pair
 ssh-keygen -f /etc/sftpgo/ed25519 -t ed25519 -N ""
 ssh-keygen -lvf /etc/sftpgo/ed25519 > /etc/sftpgo/ed25519.fp
+
+# Create database
+sqlite3 /srv/php/niver/db/niver.db < /srv/php/niver/db/source.sql

mkosi.skeleton/etc/sftpgo/sftpgo.toml

@@ -33,7 +33,7 @@ address = "127.0.0.1"
 [data_provider]
 driver = "memory"
 users_base_dir = "/srv/ht"
-external_auth_hook = "/srv/php/niver/sftpgo-auth.php"
+external_auth_hook = "http://[::1]:8055/sftpgo-auth.php"
 external_auth_scope = 0
 
 [[httpd.bindings]]

mkosi.skeleton/srv/php/niver

@@ -1 +1 @@
-Subproject commit f773c2fe8e49d070490a52452d750d205efe4ce0
+Subproject commit 7964b86c70332ad2d5779cc0ab6a8ba476857aaa