Update nginx, configure empty security.txt

Miraty 2023-04-25 19:30:53 +02:00
parent 58951c5a4f
commit 157613c5bf
14 changed files with 44 additions and 34 deletions


@ -6,8 +6,9 @@ Alias /http-messages/ "/http-messages/"
AddLanguage fr fr
AddLanguage en en
AddType text/html html
AddType text/plain txt
LanguagePriority en fr
ForceLanguagePriority Fallback
ForceLanguagePriority Prefer Fallback
</Directory>


@ -0,0 +1,5 @@
proxy_pass http://[::1]:42999/;
proxy_ignore_client_abort on;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_redirect http://$host:42999/ /;
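Review bot: `proxy_pass http://[::1]:42999/;` carries a URI part (the trailing slash), so in any prefix location other than `/` nginx replaces the matched prefix with `/` before forwarding. The `location /http-messages` blocks that now include this file previously used `proxy_pass http://[::1]:42999;` with no URI, which forwarded the path unchanged. With the shared include, a request for `/http-messages/400` would appear to reach Apache as `//400` and miss the `Alias /http-messages/` mapping, so the error pages (including the 403 page on the plain-HTTP listener) are worth testing after this change. Dropping the trailing slash here, `proxy_pass http://[::1]:42999;`, should keep both the `location /` and the `location /http-messages` users forwarding the original path.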


@ -4,6 +4,6 @@ fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
# Required by ServNest
# Required by the ServNest interface
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param SERVER_NAME $server_name;


@ -1,11 +1,7 @@
recursive_error_pages on;
# Error pages are managed by Apache
location /http-messages {
proxy_pass http://[::1]:42999;
proxy_ignore_client_abort on;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_redirect http://$host:42999/ /;
include inc/apache-proxy.conf;
}
error_page 400 /http-messages/400;
@ -18,3 +14,16 @@ error_page 500 /http-messages/500;
error_page 502 /http-messages/502;
error_page 503 /http-messages/503;
error_page 504 /http-messages/504;
recursive_error_pages on;
# security.txt
location = /security.txt {
return 301 /.well-known/security.txt;
}
location = /.well-known/security.txt {
root /srv/servnest/ht/http-messages/;
try_files /security.txt =500;
}
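Review bot: In the new `location = /.well-known/security.txt` block, `try_files /security.txt =500;` reports a missing file as a server error, which will show up in monitoring as a backend fault; `try_files /security.txt =404;` describes the condition accurately. The commit title says the file is empty, but RFC 9116 requires at least a `Contact` field and an `Expires` field, so an empty file gives researchers nothing to act on and fails validators; a comment such as `# TODO: fill in Contact and Expires (RFC 9116)` above the block would record that. This file appears to be included from several server blocks, and exact-match locations take precedence over prefix locations, so if any of those servers host third-party content it is worth confirming that they are meant to answer with the operator's security.txt instead of their own.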


@ -1,4 +1,4 @@
include inc/errors.conf;
include inc/messages.conf;
more_clear_headers "Set-Cookie";
more_clear_input_headers "Cookie";
@ -6,9 +6,5 @@ more_clear_input_headers "Cookie";
more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self' 'unsafe-inline' data:; img-src 'self' data:; font-src 'self' data:; media-src 'self' data:; frame-ancestors 'none'; form-action 'none';";
location / {
proxy_pass http://[::1]:42999/;
proxy_ignore_client_abort on;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_redirect http://$host:42999/ /;
include inc/apache-proxy.conf;
}


@ -8,12 +8,6 @@ events {
}
http {
types_hash_bucket_size 128;
types_hash_max_size 1024;
server_names_hash_bucket_size 128;
absolute_redirect off;
# Performance optimisation
sendfile on;
tcp_nopush on;
@ -61,5 +55,6 @@ http {
# Include other configuration
include sites/*.conf;
include /srv/servnest/nginx/*.conf;
absolute_redirect off;
}


@ -1,4 +1,5 @@
# DNS+TLS site access
# Dedicated DNS+TLS access
server {
listen [::1]:42443 ssl http2 default_server;
listen 127.0.0.1:42443 ssl http2 default_server;
@ -6,5 +7,5 @@ server {
ssl_certificate /etc/ssl/certs/${ssl_server_name}.crt;
ssl_certificate_key /etc/ssl/private/${ssl_server_name}.key;
include inc/proxy.conf;
include inc/serve-static.conf;
}


@ -8,9 +8,9 @@ server {
root /srv/servnest/core;
include inc/errors.conf;
include inc/messages.conf;
more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self';";
more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'none';";
# Main ServNest interface
location / {


@ -4,14 +4,17 @@ server {
listen [::1]:42080 default_server;
listen 127.0.0.1:42080 default_server;
include inc/errors.conf;
location / {
return 403; # Don't allow unsecure HTTP requests
}
error_page 403 /http-messages/unsecure;
location /http-messages {
include inc/apache-proxy.conf;
}
# To get TLS certificates
location /.well-known/acme-challenge {
root /srv/servnest/acme/;
}


@ -1,6 +1,6 @@
# Onion service site access
# Dedicated Onion service access
server {
listen [::1]:9080 default_server;
include inc/proxy.conf;
include inc/serve-static.conf;
}


@ -5,7 +5,7 @@ server {
root /srv/servnest/core;
include inc/errors.conf;
include inc/messages.conf;
location / {
try_files /sftpgo-auth.php =500;


@ -1,4 +1,4 @@
# Maps subdomain to filesystem subpath
# Subdomain access
server {
listen [::1]:42443 ssl http2;
@ -8,5 +8,5 @@ server {
ssl_certificate /etc/ssl/certs/wildcard.ht.servnest.test.crt;
ssl_certificate_key /etc/ssl/private/wildcard.ht.servnest.test.key;
include inc/proxy.conf;
include inc/serve-static.conf;
}


@ -1,4 +1,4 @@
# Maps HTTP subpath to filesystem subpath
# Subpath access
server {
listen [::1]:42443 ssl http2;
@ -8,5 +8,5 @@ server {
ssl_certificate /etc/ssl/certs/ht.servnest.test.crt;
ssl_certificate_key /etc/ssl/private/ht.servnest.test.key;
include inc/proxy.conf;
include inc/serve-static.conf;
}