Update nginx, configure empty security.txt

2023-04-25 19:30:53 +02:00 · 2023-04-25 19:30:53 +02:00 · 157613c5bf
parent 58951c5a4f
commit 157613c5bf
14 changed files with 44 additions and 34 deletions
--- a/install/apache/errors.conf
+++ b/install/apache/errors.conf
@ -6,8 +6,9 @@ Alias /http-messages/ "/http-messages/"
 	AddLanguage fr fr
 	AddLanguage en en
 	AddType text/html html
+	AddType text/plain txt
 	LanguagePriority en fr
-	ForceLanguagePriority Fallback
+	ForceLanguagePriority Prefer Fallback
 </Directory>


--- a/install/http-messages/security.txt
+++ b/install/http-messages/security.txt
--- a/install/nginx/inc/apache-proxy.conf
+++ b/install/nginx/inc/apache-proxy.conf
@ -0,0 +1,5 @@
+proxy_pass http://[::1]:42999/;
+proxy_ignore_client_abort on;
+proxy_http_version 1.1;
+proxy_set_header Host $host;
+proxy_redirect http://$host:42999/ /;
--- a/install/nginx/inc/fastcgi.conf
+++ b/install/nginx/inc/fastcgi.conf
@ -4,6 +4,6 @@ fastcgi_param  REQUEST_METHOD     $request_method;
 fastcgi_param  CONTENT_TYPE       $content_type;
 fastcgi_param  CONTENT_LENGTH     $content_length;

-# Required by ServNest
+# Required by the ServNest interface
 fastcgi_param  REQUEST_URI        $request_uri;
 fastcgi_param  SERVER_NAME        $server_name;
--- a/install/nginx/inc/messages.conf
+++ b/install/nginx/inc/messages.conf
@ -1,11 +1,7 @@
-recursive_error_pages on;
+# Error pages are managed by Apache

 location /http-messages {
-	proxy_pass http://[::1]:42999;
-	proxy_ignore_client_abort on;
-	proxy_http_version 1.1;
-	proxy_set_header Host $host;
-	proxy_redirect http://$host:42999/ /;
+	include inc/apache-proxy.conf;
 }

 error_page 400 /http-messages/400;
@ -18,3 +14,16 @@ error_page 500 /http-messages/500;
 error_page 502 /http-messages/502;
 error_page 503 /http-messages/503;
 error_page 504 /http-messages/504;
+
+recursive_error_pages on;
+
+# security.txt
+
+location = /security.txt {
+        return 301 /.well-known/security.txt;
+}
+
+location = /.well-known/security.txt {
+        root /srv/servnest/ht/http-messages/;
+        try_files /security.txt =500;
+}
--- a/install/nginx/inc/serve-static.conf
+++ b/install/nginx/inc/serve-static.conf
@ -1,4 +1,4 @@
-include inc/errors.conf;
+include inc/messages.conf;

 more_clear_headers "Set-Cookie";
 more_clear_input_headers "Cookie";
@ -6,9 +6,5 @@ more_clear_input_headers "Cookie";
 more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self' 'unsafe-inline' data:; img-src 'self' data:; font-src 'self' data:; media-src 'self' data:; frame-ancestors 'none'; form-action 'none';";

 location / {
-	proxy_pass http://[::1]:42999/;
-	proxy_ignore_client_abort on;
-	proxy_http_version 1.1;
-	proxy_set_header Host $host;
-	proxy_redirect http://$host:42999/ /;
+	include inc/apache-proxy.conf;
 }
--- a/install/nginx/nginx.conf
+++ b/install/nginx/nginx.conf
@ -8,12 +8,6 @@ events {
 }

 http {
-	types_hash_bucket_size 128;
-	types_hash_max_size 1024;
-	server_names_hash_bucket_size 128;
-
-	absolute_redirect off;
-
 	# Performance optimisation
 	sendfile on;
 	tcp_nopush on;
@ -61,5 +55,6 @@ http {

 	# Include other configuration
 	include sites/*.conf;
-	include /srv/servnest/nginx/*.conf;
+
+	absolute_redirect off;
 }
--- a/install/nginx/sites/dns.conf
+++ b/install/nginx/sites/dns.conf
@ -1,4 +1,5 @@
-# DNS+TLS site access
+# Dedicated DNS+TLS access
+
 server {
 	listen [::1]:42443 ssl http2 default_server;
 	listen 127.0.0.1:42443 ssl http2 default_server;
@ -6,5 +7,5 @@ server {
 	ssl_certificate /etc/ssl/certs/${ssl_server_name}.crt;
 	ssl_certificate_key /etc/ssl/private/${ssl_server_name}.key;

-	include inc/proxy.conf;
+	include inc/serve-static.conf;
 }
--- a/install/nginx/sites/interface.conf
+++ b/install/nginx/sites/interface.conf
@ -8,9 +8,9 @@ server {

 	root /srv/servnest/core;

-	include inc/errors.conf;
+	include inc/messages.conf;

-	more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self';";
+	more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'none';";

 	# Main ServNest interface
 	location / {
--- a/install/nginx/sites/no-tls.conf
+++ b/install/nginx/sites/no-tls.conf
@ -4,14 +4,17 @@ server {
 	listen [::1]:42080 default_server;
 	listen 127.0.0.1:42080 default_server;

-	include inc/errors.conf;
-
 	location / {
 		return 403; # Don't allow unsecure HTTP requests
 	}

 	error_page 403 /http-messages/unsecure;

+	location /http-messages {
+		include inc/apache-proxy.conf;
+	}
+
+	# To get TLS certificates
 	location /.well-known/acme-challenge {
 		root /srv/servnest/acme/;
 	}
--- a/install/nginx/sites/onion.conf
+++ b/install/nginx/sites/onion.conf
@ -1,6 +1,6 @@
-# Onion service site access
+# Dedicated Onion service access
 server {
 	listen [::1]:9080 default_server;

-	include inc/proxy.conf;
+	include inc/serve-static.conf;
 }
--- a/install/nginx/sites/sftpgo-auth.conf
+++ b/install/nginx/sites/sftpgo-auth.conf
@ -5,7 +5,7 @@ server {

 	root /srv/servnest/core;

-	include inc/errors.conf;
+	include inc/messages.conf;

 	location / {
 		try_files /sftpgo-auth.php =500;
--- a/install/nginx/sites/subdomain.conf
+++ b/install/nginx/sites/subdomain.conf
@ -1,4 +1,4 @@
-# Maps subdomain to filesystem subpath
+# Subdomain access

 server {
 	listen [::1]:42443 ssl http2;
@ -8,5 +8,5 @@ server {
 	ssl_certificate /etc/ssl/certs/wildcard.ht.servnest.test.crt;
 	ssl_certificate_key /etc/ssl/private/wildcard.ht.servnest.test.key;

-	include inc/proxy.conf;
+	include inc/serve-static.conf;
 }
--- a/install/nginx/sites/subpath.conf
+++ b/install/nginx/sites/subpath.conf
@ -1,4 +1,4 @@
-# Maps HTTP subpath to filesystem subpath
+# Subpath access

 server {
 	listen [::1]:42443 ssl http2;
@ -8,5 +8,5 @@ server {
 	ssl_certificate /etc/ssl/certs/ht.servnest.test.crt;
 	ssl_certificate_key /etc/ssl/private/ht.servnest.test.key;

-	include inc/proxy.conf;
+	include inc/serve-static.conf;
 }