
Update configs

Miraty 12 months ago
parent
commit
f2d7106f7d
  1. 27
      config/knot.conf
  2. 48
      config/knot/primary.conf
  3. 40
      config/knot/secondary.conf
  4. 29
      config/nginx/default-server.conf
  5. 8
      config/nginx/dhparam
  6. 20
      config/nginx/http.conf
  7. 25
      config/nginx/inc/errors.conf
  8. 0
      config/nginx/inc/fastcgi.conf
  9. 11
      config/nginx/inc/ffdhe3072.pem
  10. 13
      config/nginx/inc/ffdhe4096.pem
  11. 5
      config/nginx/inc/intermediate.conf
  12. 0
      config/nginx/inc/niver-csp.conf
  13. 15
      config/nginx/inc/security.conf
  14. 8
      config/nginx/inc/tls.conf
  15. 0
      config/nginx/inc/tls1.3.conf
  16. 1
      config/nginx/mimetypes/full.conf
  17. 1
      config/nginx/mimetypes/strict.conf
  18. 22
      config/nginx/nginx.conf
  19. 48
      config/nginx/sites/freebox.conf.dis
  20. 47
      config/nginx/sites/niver.4.niv.re.conf
  21. 31
      config/nginx/sites/niver.atope.art.conf
  22. 10
      config/php-fpm/errors.conf
  23. 8
      config/php-fpm/niver.conf
  24. 0
      config/share/banner.txt
  25. 5
      config/share/knot.template
  26. 15
      config/share/nginx/dns.template
  27. 7
      config/share/nginx/onion.template
  28. 4
      config/share/skel/about.txt
  29. 11
      config/sshd_config

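--- a/config/knot.conf
+++ b/config/knot.conf
@@ -1,27 +0,0 @@
-server:
-rundir: "/run/knot"
-user: "knot:knot"
-listen: [ "0.0.0.0@53", "::@53" ]
-log:
-- target: "/var/log/knot.log"
-any: "debug"
-database:
-storage: "/var/lib/knot"
-policy:
-- id: "niver"
-algorithm: "ed25519"
-nsec3: "on"
-template:
-- id: "niver"
-storage: "/var/lib/knot/zones"
-file: "%s.zone"
-dnssec-signing: "on"
-dnssec-policy: "niver"
-zone:
-- domain: "niv.re."
-template: "niver"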

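--- a/config/knot/primary.conf
+++ b/config/knot/primary.conf
@@ -0,0 +1,48 @@
+server:
+version: "Knot DNS"
+nsid: "Potiron"
+rundir: "/run/knot"
+user: "knot:knot"
+listen: [ "2a01:e0a:15c:2e40:acab:3:3:3@53", "0.0.0.0@53" ]
+log:
+- target: "/var/log/knot.log"
+any: "debug"
+database:
+storage: "/var/lib/knot"
+key:
+- id: "potironframboise."
+algorithm: "hmac-sha512"
+secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+remote:
+- id: "Framboise"
+address: [ "2a0b:cbc0:1103:2::106f@53", "45.13.104.169@53" ]
+key: "potironframboise."
+acl:
+- id: "FramboiseTrans"
+address: [ "2a0b:cbc0:1103:2::106f", "45.13.104.169" ]
+key: "potironframboise."
+action: "transfer"
+policy:
+- id: "niver"
+algorithm: "ed25519"
+nsec3: "on"
+template:
+- id: "niver"
+storage: "/var/lib/knot/zones"
+file: "%s.zone"
+notify: "Framboise"
+acl: "FramboiseTrans"
+zonefile-load: "difference"
+dnssec-signing: "on"
+dnssec-policy: "niver"
+zone:
+- domain: "niv.re."
+template: "niver"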
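Review bot: `any: "debug"` under `log:` keeps a public-facing authoritative server (it listens on `0.0.0.0@53`) at the most verbose level permanently, which grows /var/log/knot.log far faster than steady-state operation needs; `any: "info"` is the usual production setting, with debug raised only while diagnosing a transfer problem, and the same block appears in config/knot/secondary.conf. The TSIG `secret` is plainly a placeholder, so a comment beside it such as `# placeholder: generate a fresh hmac-sha512 secret on the host; never commit the real value` would stop the file being deployed unchanged. The `remote`/`acl` pairing looks right: transfers are limited to Framboise's two addresses and additionally require the key.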

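--- a/config/knot/secondary.conf
+++ b/config/knot/secondary.conf
@@ -0,0 +1,40 @@
+server:
+version: "Knot DNS"
+nsid: "Framboise"
+rundir: "/run/knot"
+user: "knot:knot"
+listen: [ "2a0b:cbc0:1103:2::106f@53", "0.0.0.0@53" ]
+log:
+- target: "/var/log/knot.log"
+any: "debug"
+database:
+storage: "/var/lib/knot"
+key:
+- id: "potironframboise."
+algorithm: "hmac-sha512"
+secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+remote:
+- id: "Potiron"
+address: [ "2a01:e0a:15c:2e40:acab:3:3:3@53", "82.66.61.19@53" ]
+key: "potironframboise."
+acl:
+- id: "PotironNotif"
+address: [ "2a01:e0a:15c:2e40:acab:3:3:3", "82.66.61.19" ]
+key: "potironframboise."
+action: "notify"
+template:
+- id: "niver"
+storage: "/var/lib/knot/zones"
+file: "%s.zone"
+master: "Potiron"
+acl: "PotironNotif"
+zone:
+- domain: "niv.re."
+template: "niver"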

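--- a/config/nginx/default-server.conf
+++ b/config/nginx/default-server.conf
@@ -0,0 +1,29 @@
+server {
+listen 443 ssl http2 default_server;
+listen [::]:443 ssl http2 default_server;
+ssl_certificate /etc/ssl/certs/niver.crt;
+ssl_certificate_key /etc/ssl/private/niver.key;
+ssl_stapling off;
+root /var/www/errors;
+try_files index.php index.html $uri $uri/;
+index index.php index.html;
+location / {
+root /var/www/errors;
+try_files /index.php =500;
+index index.php;
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_pass unix:/var/run/php/errors.sock;
+include /etc/nginx/inc/fastcgi.conf;
+}
+include /etc/nginx/inc/tls.conf;
+include /etc/nginx/inc/errors.conf;
+error_log /var/log/nginx/default-server-error.log info;
+access_log /var/log/nginx/default-server-access.log;
+more_set_headers "Content-Security-Policy : default-src 'none'; frame-ancestors 'none';";
+}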
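Review bot: `ssl_stapling off;` near the top and `include /etc/nginx/inc/tls.conf;` further down can collide: tls.conf includes inc/security.conf, and if that file still carries an active `ssl_stapling on;` (its hunk shows both an active and a commented form, and the rendered page does not mark which survives), `nginx -t` rejects the configuration with a duplicate-directive error, so stapling should be decided in exactly one place. Separately, this file includes `/etc/nginx/inc/fastcgi.conf` and `/etc/nginx/inc/tls.conf` by absolute path while every other new file uses the prefix-relative `include inc/...;` form; one spelling avoids the two drifting apart when the prefix changes. Making the catch-all the `default_server` with a `default-src 'none'` CSP is the right shape for an unknown-host handler.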

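--- a/config/nginx/dhparam
+++ b/config/nginx/dhparam
@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
------END DH PARAMETERS-----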

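--- a/config/nginx/http.conf
+++ b/config/nginx/http.conf
@@ -0,0 +1,20 @@
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+return 400; # Don't allow unsecure HTTP requests
+# Display an explanation page
+error_page 400 @http400;
+location @http400 {
+root /var/www/errors;
+try_files /http.php =500;
+index http.php;
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_pass unix:/var/run/php/errors.sock;
+include inc/fastcgi.conf;
+}
+error_log /var/log/nginx/http-error.log info;
+access_log /var/log/nginx/http-access.log;
+}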
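Review bot: `return 400;` combined with `error_page 400 @http400` and the PHP-backed `@http400` location means every unauthenticated cleartext request still reaches php-fpm through errors.sock just to render an explanation page; a static file, `try_files /http.html =500;` with the fastcgi lines dropped, keeps the port-80 listener free of a PHP code path. If the `preload` token on the Strict-Transport-Security header in inc/security.conf is meant to lead to preload-list submission, note that the submission requirements expect port 80 to redirect to HTTPS rather than answer 400, so the two settings pull in different directions. The inline comment has a typo: `# Don't allow insecure HTTP requests`.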

25
config/nginx/inc/errors.conf

@ -1,9 +1,9 @@
recursive_error_pages on;
return 404;
# 403 Forbidden
error_page 403 @403;
location @403 {
root /srv/http/errors;
root /var/www/errors;
try_files /403.html =500;
}
@ -13,59 +13,60 @@ location @local404 {
try_files /404.html /404.md /404.gmi @niver404;
}
location @niver404 {
root /srv/http/errors;
root /var/www/errors;
try_files /404.php =500;
index 404.php;
index /404.php;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/errors.sock;
fastcgi_pass unix:/var/run/php/errors.sock;
include inc/fastcgi.conf;
fastcgi_index /404.php;
}
# 405 Method Not Allowed
error_page 405 @405;
location @405 {
root /srv/http/errors;
root /var/www/errors;
try_files /405.html =500;
}
# 410 Gone
error_page 410 @410;
location @410 {
root /srv/http/errors;
root /var/www/errors;
try_files /410.html =500;
}
# 418 I'm a teapot
error_page 418 @418;
location @418 {
root /srv/http/errors;
root /var/www/errors;
try_files /418.html =500;
}
# 500 Internal Server Error
error_page 500 @500;
location @500 {
root /srv/http/errors;
root /var/www/errors;
try_files /500.html =500;
}
# 502 Bad Gateway
error_page 502 @502;
location @502 {
root /srv/http/errors;
root /var/www/errors;
try_files /502.html =500;
}
# 503 Service Unavailable
error_page 503 @503;
location @503 {
root /srv/http/errors;
root /var/www/errors;
try_files /503.html =500;
}
# 504 Gateway Timeout
error_page 504 @504;
location @504 {
root /srv/http/errors;
root /var/www/errors;
try_files /504.html =500;
}

0
config/nginx/inc/fastcgi.conf

11
config/nginx/inc/ffdhe3072.pem

@ -0,0 +1,11 @@
-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----

13
config/nginx/inc/ffdhe4096.pem

@ -0,0 +1,13 @@
-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----

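--- a/config/nginx/inc/intermediate.conf
+++ b/config/nginx/inc/intermediate.conf
@@ -1,5 +0,0 @@
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-ssl_dhparam /etc/nginx/dhparam;
-include inc/security.conf;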

0
config/nginx/inc/niver-csp.conf

15
config/nginx/inc/security.conf

@ -3,22 +3,17 @@ more_set_headers "X-XSS-Protection : 1; mode=block";
more_set_headers "X-Download-Options : noopen";
more_set_headers "X-Permitted-Cross-Domain-Policies : none";
more_set_headers "X-Frame-Options : DENY";
more_set_headers "Referrer-Policy : no-referrer";
more_set_headers "Referrer-Policy : same-origin"; # no-referrer
more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
#more_set_headers "Server : nginx Niver";
more_clear_headers Server;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/letsencrypt/live/niver.atope.art/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/niver.atope.art/privkey.pem;
autoindex off;
gzip off;
#ssl_stapling on;
#ssl_stapling_verify on;
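Review bot: the Referrer-Policy move from `no-referrer` to `same-origin` (the trailing `# no-referrer` on the second form suggests that is the new line) starts sending the referring URL on same-origin requests; that is a reasonable trade, but "Update configs" does not record why, and replacing the bare `# no-referrer` with `# same-origin: <reason>; was no-referrer` would. The two `ssl_stapling` forms in this hunk, an active `ssl_stapling on;` and a commented `#ssl_stapling on;`, have to agree with `ssl_stapling off;` in the new config/nginx/default-server.conf, which includes this file through inc/tls.conf: if the active form is the one that survives, nginx reports the directive as duplicate at `nginx -t`. The `ssl_certificate`/`ssl_certificate_key` pair for niver.atope.art likewise cannot stay in a snippet every server block includes, since each site sets its own pair; I read them as removed together with config/nginx/sites/niver.atope.art.conf, but the rendered page does not mark sides, so please confirm.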

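--- a/config/nginx/inc/tls.conf
+++ b/config/nginx/inc/tls.conf
@@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;#:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_ecdh_curve X25519:X448;
+#ssl_dhparam /etc/nginx/inc/ffdhe3072.pem;
+include inc/security.conf;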
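Review bot: the three TLS 1.3 names at the front of `ssl_ciphers` (`TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`) are not part of the OpenSSL cipher-list syntax that `ssl_ciphers` is handed, so OpenSSL ignores them without error and TLS 1.3 keeps its built-in suite order; on an nginx that supports it, the TLS 1.3 list is set separately with `ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384;` and `ssl_ciphers` keeps only the ECDHE entries. With `ssl_dhparam` commented out and the DHE suites commented out of the list, the ffdhe3072.pem and ffdhe4096.pem files this commit adds under inc/ are referenced by nothing; either drop them or add `# kept for a future DHE enablement; unused while ssl_dhparam is commented` so the next reader does not assume they are live. `ssl_ecdh_curve X25519:X448;` is a deliberate, unusual restriction and deserves a one-line comment stating that the NIST curves are excluded on purpose.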

0
config/nginx/inc/modern.conf → config/nginx/inc/tls1.3.conf

1
config/nginx/mimetypes/full.conf

@ -1,3 +1,4 @@
default_type application/octet-stream;
types {
application/A2L a2l;
application/AML aml;

1
config/nginx/mimetypes/strict.conf

@ -1,3 +1,4 @@
default_type text/plain;
types {
text/plain txt;
text/gemini gmi;

22
config/nginx/nginx.conf

@ -1,24 +1,34 @@
load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
worker_processes auto;
user www-data www-data;
events {}
http {
include mimetypes/strict.conf;
default_type application/octet-stream;
include mimetypes/strict.conf;
#types_hash_bucket_size 128; # Default: 64
#types_hash_max_size 1024; # Default: 1024
types_hash_bucket_size 128; # Default: 64
types_hash_max_size 1024; # Default: 1024
server_names_hash_bucket_size 128;
sendfile on;
#sendfile on;
#tcp_nopush on;
gzip_static on;
log_format tls '$remote_addr $ssl_protocol $ssl_cipher [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
include http.conf;
include default-server.conf;
include sites/*.conf;
include inc/security.conf;
include ht/*.conf;
server_tokens off;
autoindex off;
gzip off;
#map $http_accept_language $lang {
# default en;
# ~en en;
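Review bot: `include mimetypes/strict.conf;` and `default_type application/octet-stream;` both sit in the `http` block, and the strict.conf hunk shows `default_type text/plain;` as its first line (the one added line in that file, by its counts); if the nginx.conf `default_type` survives next to the include (the rendered page shows the include moved but does not mark which of the two `default_type`-adjacent lines is old), `nginx -t` fails with `"default_type" directive is duplicate`, so only one of the two places should set it. `include ht/*.conf;` pulls generated per-user server blocks into the main configuration; anything in that directory has full directive power, so it must be writable only by the component that renders config/share/nginx/dns.template and onion.template, never by the users whose sites those blocks serve — worth a comment on the include line. `sendfile on;` and `#sendfile on;` both appear; whichever is new, disabling sendfile for static content is unusual enough that the reason belongs in the comment.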

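--- a/config/nginx/sites/freebox.conf.dis
+++ b/config/nginx/sites/freebox.conf.dis
@@ -0,0 +1,48 @@
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name mafreebox.freebox.fr;
+#root /var/www/niver;
+#index index.php index.html index.htm;
+#try_files $uri $uri/ @extensionless-php; # $uri.html
+include inc/tls.conf;
+include inc/errors.conf;
+error_log /var/log/nginx/freebox-error.log info;
+access_log /var/log/nginx/freebox-access.log;
+#more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none';";
+#location ~ ^/motrig/(db|less|lessphp|inc|niver.log) {
+# return 403;
+#}
+location / {
+allow 2a0b:cbc0:1103:2::106f;
+allow 192.168.1.9;
+deny all;
+proxy_pass https://mafreebox.freebox.fr;
+proxy_ssl_verify off;
+}
+#location ~ \.inc.php$ {
+# return 403;
+# }
+#location ~ \.php$ {
+# fastcgi_split_path_info ^(.+\.php)(/.+)$;
+# fastcgi_pass unix:/var/run/php/niver.sock;
+# #fastcgi_index index.php;
+# include inc/fastcgi.conf;
+# try_files $uri =404;
+#}
+#location @extensionless-php {
+# rewrite ^(.*)$ $1.php last;
+#}
+ssl_certificate /etc/letsencrypt/live/niver.4.niv.re/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/niver.4.niv.re/privkey.pem;
+}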
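Review bot: `proxy_ssl_verify off;` in `location /` leaves the upstream certificate of the proxied https://mafreebox.freebox.fr connection unchecked, so the hop to the router is encrypted but not authenticated; if the router presents a self-signed certificate, pointing `proxy_ssl_trusted_certificate` at a copy of it and setting `proxy_ssl_verify on;` keeps the hop verified. The file is inert thanks to its `.dis` suffix (nginx.conf only globs `sites/*.conf`), but a header comment saying why it is parked, that the two-address allow-list is the only access control, and that the niver.4.niv.re certificate will not match `server_name mafreebox.freebox.fr` would help whoever re-enables it. The large commented-out PHP section reads as leftover from copying niver.4.niv.re.conf and could simply be deleted.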

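--- a/config/nginx/sites/niver.4.niv.re.conf
+++ b/config/nginx/sites/niver.4.niv.re.conf
@@ -0,0 +1,47 @@
+#server {
+# listen 80;
+# listen [::]:80;
+# server_name niver.4.niv.re;
+# return 301 https://niver.4.niv.re$request_uri;
+#}
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name niver.4.niv.re;
+root /var/www/niver;
+index index.php index.html index.htm;
+try_files $uri $uri/ @extensionless-php;
+include inc/tls.conf;
+include inc/errors.conf;
+error_log /var/log/nginx/niver.4.niv.re-error.log info;
+access_log /var/log/nginx/niver.4.niv.re-access.log tls;
+more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none';";
+location ~ ^/motrig/(db|less|lessphp|inc|niver.log) {
+return 403;
+}
+location ~ \.inc.php$ {
+return 403;
+}
+location ~ \.php$ {
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_pass unix:/var/run/php/niver.sock;
+#fastcgi_index index.php;
+include inc/fastcgi.conf;
+try_files $uri =404;
+}
+location @extensionless-php {
+rewrite ^(.*)$ $1.php last;
+}
+ssl_certificate /etc/letsencrypt/live/niver.4.niv.re/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/niver.4.niv.re/privkey.pem;
+}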
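Review bot: the two deny regexes use unescaped dots, so `location ~ \.inc.php$` also matches a name like `foo.incXphp` and `^/motrig/(db|less|lessphp|inc|niver.log)` matches `/motrig/niverXlog`; over-matching is harmless for a 403 rule, but `\.inc\.php$` and `niver\.log` state what is meant. The `^/motrig/...` alternation is also an unanchored prefix, so `/motrig/dbanything` and `/motrig/incoming/` are denied too; appending `(/|$)` after the group makes the rule exact if that is not intended. The ordering is right as written: these regex locations come before `location ~ \.php$`, so `/motrig/inc/x.php` is refused before it can reach php-fpm, and `try_files $uri =404;` inside the PHP location ensures only an existing script is executed.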

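--- a/config/nginx/sites/niver.atope.art.conf
+++ b/config/nginx/sites/niver.atope.art.conf
@@ -1,31 +0,0 @@
-server {
-listen 443 ssl http2 default_server;
-listen [::]:443 ssl http2 default_server;
-server_name niver.atope.art;
-root /srv/http/niver;
-index index.php index.html index.htm;
-try_files $uri $uri/ @extensionless-php; # $uri.html
-index index.php;
-include inc/modern.conf;
-include inc/errors.conf;
-error_log /var/log/nginx/niver.atope.art-error.log;
-access_log /var/log/nginx/niver.atope.art-access.log;
-more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self';";
-location ~ \.php$ {
-fastcgi_split_path_info ^(.+\.php)(/.+)$;
-fastcgi_pass unix:/var/run/php-fpm/niver.sock;
-#fastcgi_index index.php;
-include inc/fastcgi.conf;
-try_files $uri =404;
-}
-location @extensionless-php {
-rewrite ^(.*)$ $1.php last;
-}
-}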

10
config/php-fpm/errors.conf

@ -3,10 +3,10 @@
user = php-$pool
group = php-$pool
listen = /run/php-fpm/$pool.sock
listen = /run/php/$pool.sock
listen.owner = http
listen.group = http
listen.owner = www-data
listen.group = www-data
pm = dynamic
pm.max_children = 5
@ -16,8 +16,8 @@ pm.max_spare_servers = 3
access.log = /var/log/php/$pool-access.log
chdir = /srv/http/$pool
;chroot = /srv/http/$pool
;chroot = /var/www/errors
chdir = /var/www/errors
catch_workers_output = yes
decorate_workers_output = yes
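Review bot: the pool now listens on `/run/php/$pool.sock` while every nginx file in this commit passes to `unix:/var/run/php/errors.sock` or `unix:/var/run/php/niver.sock`; the two spellings only meet where /var/run is a symlink to /run, which holds on current systemd-based systems but is an invisible dependency, so writing `/run/php/...` on the nginx side too (or `/var/run` here) makes the pairing explicit. The same applies to config/php-fpm/niver.conf. `listen.owner`/`listen.group = www-data` matches `user www-data www-data;` in nginx.conf, which is the check that matters for nginx to reach the socket under the default `listen.mode`.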

8
config/php-fpm/niver.conf

@ -3,10 +3,10 @@
user = php-$pool
group = knot
listen = /run/php-fpm/$pool.sock
listen = /run/php/$pool.sock
listen.owner = http
listen.group = http
listen.owner = www-data
listen.group = www-data
pm = dynamic
pm.max_children = 5
@ -16,7 +16,7 @@ pm.max_spare_servers = 3
access.log = /var/log/php/$pool-access.log
chdir = /srv/http/$pool
chdir = /var/www/$pool
catch_workers_output = yes
decorate_workers_output = yes

0
config/share/banner.txt

5
config/share/knot.template

@ -1,2 +1,3 @@
DOMAIN 3600 SOA ns1.atope.art. hostmaster.antopie.org. 1 21600 7200 3628800 3600
DOMAIN 86400 NS ns1.atope.art.
DOMAIN 3600 SOA potiron.niver.4.niv.re. hostmaster.antopie.org. 1 21600 7200 3628800 3600
DOMAIN 86400 NS potiron.niver.4.niv.re.
DOMAIN 86400 NS framboise.niver.4.niv.re.

15
config/share/nginx/dns.template

@ -1,23 +1,16 @@
server {
listen 80;
listen [::]:80;
server_name DOMAIN;
return 301 https://DOMAIN$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name DOMAIN;
root /srv/hyper/USER/hyper/DIR;
root /srv/ht/USER/ht/DIR;
ssl_certificate /etc/letsencrypt/live/host.atope.art/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.atope.art/privkey.pem;
ssl_certificate /etc/ssl/certs/niver.crt;
ssl_certificate_key /etc/ssl/private/niver.key;
access_log /var/log/nginx/DOMAIN-access.log;
error_log /var/log/nginx/DOMAIN-error.log;
include /etc/nginx/inc/intermediate.conf.inc;
include inc/tls.conf;
default_type text/plain;
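Review bot: the template points every generated DOMAIN server at one shared `ssl_certificate /etc/ssl/certs/niver.crt;` instead of a per-host Let's Encrypt path (taking the niver.crt pair as the new side, as in the new config/nginx/default-server.conf); unless that certificate carries each DOMAIN as a subject alternative name, browsers reject it for the user's domain, and because inc/security.conf sends HSTS they cannot click through. If per-domain certificates are issued somewhere else, a comment naming that mechanism and the placeholder the renderer substitutes would make it clear. The port-80 block with the `return 301` also appears to be removed, so these domains now answer cleartext requests through http.conf's 400 handler instead of redirecting; that is consistent with http.conf but changes user-visible behaviour and is worth a line in the commit message.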

7
config/share/nginx/onion.template

@ -1,7 +1,12 @@
server {
listen [::1]:80;
server_name DOMAIN;
root /srv/hyper/USER/hyper/DIR;
root /srv/ht/USER/ht/DIR;
include inc/errors.conf;
access_log off;
error_log off;
location / {
try_files $uri $uri.html $uri/ =404;
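Review bot: `error_log off;` does not disable error logging: nginx's `error_log` has no `off` keyword (that value exists for `access_log` only), so this opens a log file literally named `off` relative to the nginx prefix and writes every error for every onion site into it; the idiom for silencing it is `error_log /dev/null crit;`. `access_log off;` is correct as written and not recording accesses on onion services fits the privacy goal, though the 404s produced by `try_files $uri $uri.html $uri/ =404;` then leave no trace when a user's site misbehaves. The enclosing `location /` and `server` blocks continue past the hunk.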

4
config/share/skel/about.txt

@ -1,5 +1,5 @@
Ceci est le dossier personnel des utilisataires de Niver.
Ceci est l'espace dédié à vos sites.
Vous pouvez téléverser votre site dans un sous-dossier d'ht/.
This is the personnal directory for Niver users.
This is the space dedicated to your sites.
You can upload your site into a subdirectory of ht/.

11
config/sshd_config

@ -3,7 +3,8 @@
LogLevel INFO # The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
#VersionAddendum Niver
AllowGroups root ht
Subsystem sftp /usr/lib/ssh/sftp-server
Subsystem sftp internal-sftp
#Subsystem sftp sftp-server
## Network
@ -14,8 +15,8 @@ Port 22
## Cryptography
HostKey /etc/ssh/keys/ed25519
HostKey /etc/ssh/keys/rsa-3072
HostKey /etc/ssh/ed25519
HostKey /etc/ssh/rsa-3072
Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
@ -32,6 +33,8 @@ MaxStartups 3:20:200
LoginGraceTime 3m
PrintMotd yes
UsePAM yes
## Disable everything
PermitTTY no
@ -55,8 +58,6 @@ KbdInteractiveAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
## Enable usefull features
### Administrator access