From 157613c5bf5fb66a46f151418b7c3bf3ca6119ca Mon Sep 17 00:00:00 2001
From: Miraty
Date: Tue, 25 Apr 2023 19:30:53 +0200
Subject: [PATCH] Update nginx, configure empty security.txt
---
 install/apache/errors.conf | 3 ++-
 install/http-messages/security.txt | 0
 install/nginx/inc/apache-proxy.conf | 5 +++++
 install/nginx/inc/fastcgi.conf | 2 +-
 .../nginx/inc/{errors.conf => messages.conf} | 21 +++++++++++++------
 .../inc/{proxy.conf => serve-static.conf} | 8 ++-----
 install/nginx/nginx.conf | 9 ++------
 install/nginx/sites/dns.conf | 5 +++--
 install/nginx/sites/interface.conf | 4 ++--
 .../nginx/sites/{http.conf => no-tls.conf} | 7 +++++--
 install/nginx/sites/onion.conf | 4 ++--
 install/nginx/sites/sftpgo-auth.conf | 2 +-
 install/nginx/sites/subdomain.conf | 4 ++--
 install/nginx/sites/subpath.conf | 4 ++--
 14 files changed, 44 insertions(+), 34 deletions(-)
 create mode 100644 install/http-messages/security.txt
 create mode 100644 install/nginx/inc/apache-proxy.conf
 rename install/nginx/inc/{errors.conf => messages.conf} (58%)
 rename install/nginx/inc/{proxy.conf => serve-static.conf} (62%)
 rename install/nginx/sites/{http.conf => no-tls.conf} (80%)
diff --git a/install/apache/errors.conf b/install/apache/errors.conf
index d456bbc..0b0496d 100644
--- a/install/apache/errors.conf
+++ b/install/apache/errors.conf
@@ -6,8 +6,9 @@ Alias /http-messages/ "/http-messages/"
 AddLanguage fr fr
 AddLanguage en en
 AddType text/html html
+ AddType text/plain txt
 LanguagePriority en fr
- ForceLanguagePriority Fallback
+ ForceLanguagePriority Prefer Fallback
diff --git a/install/http-messages/security.txt b/install/http-messages/security.txt
new file mode 100644
index 0000000..e69de29
diff --git a/install/nginx/inc/apache-proxy.conf b/install/nginx/inc/apache-proxy.conf
new file mode 100644
index 0000000..44948c2
--- /dev/null
+++ b/install/nginx/inc/apache-proxy.conf
@@ -0,0 +1,5 @@
+proxy_pass http://[::1]:42999/;
+proxy_ignore_client_abort on;
+proxy_http_version 1.1;
+proxy_set_header Host $host;
+proxy_redirect http://$host:42999/ /;
diff --git a/install/nginx/inc/fastcgi.conf b/install/nginx/inc/fastcgi.conf
index 8ddfdd6..97e67ea 100644
--- a/install/nginx/inc/fastcgi.conf
+++ b/install/nginx/inc/fastcgi.conf
@@ -4,6 +4,6 @@ fastcgi_param REQUEST_METHOD $request_method;
 fastcgi_param CONTENT_TYPE $content_type;
 fastcgi_param CONTENT_LENGTH $content_length;
-# Required by ServNest
+# Required by the ServNest interface
 fastcgi_param REQUEST_URI $request_uri;
 fastcgi_param SERVER_NAME $server_name;
diff --git a/install/nginx/inc/errors.conf b/install/nginx/inc/messages.conf
similarity index 58%
rename from install/nginx/inc/errors.conf
rename to install/nginx/inc/messages.conf
index 787b7f5..b02db34 100644
--- a/install/nginx/inc/errors.conf
+++ b/install/nginx/inc/messages.conf
@@ -1,11 +1,7 @@
-recursive_error_pages on;
+# Error pages are managed by Apache
 location /http-messages {
- proxy_pass http://[::1]:42999;
- proxy_ignore_client_abort on;
- proxy_http_version 1.1;
- proxy_set_header Host $host;
- proxy_redirect http://$host:42999/ /;
+ include inc/apache-proxy.conf;
 }
 error_page 400 /http-messages/400;
@@ -18,3 +14,16 @@ error_page 500 /http-messages/500;
 error_page 502 /http-messages/502;
 error_page 503 /http-messages/503;
 error_page 504 /http-messages/504;
+
+recursive_error_pages on;
+
+# security.txt
+
+location = /security.txt {
+ return 301 /.well-known/security.txt;
+}
+
+location = /.well-known/security.txt {
+ root /srv/servnest/ht/http-messages/;
+ try_files /security.txt =500;
+}
diff --git a/install/nginx/inc/proxy.conf b/install/nginx/inc/serve-static.conf
similarity index 62%
rename from install/nginx/inc/proxy.conf
rename to install/nginx/inc/serve-static.conf
index bc8ba2e..4db0cfe 100644
--- a/install/nginx/inc/proxy.conf
+++ b/install/nginx/inc/serve-static.conf
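Review bot: `proxy_pass http://[::1]:42999/;` carries a URI part, so nginx replaces the part of the request URI that matched the enclosing location with `/` before forwarding; that is harmless under `location /` (serve-static.conf) but changes behaviour under `location /http-messages` in messages.conf and no-tls.conf, where the replaced directive was `proxy_pass http://[::1]:42999;` and forwarded `/http-messages/400` unchanged — the shared include now forwards `//400`, which no longer matches `Alias /http-messages/` in install/apache/errors.conf unless Apache's document root already points at that directory. Using `proxy_pass http://[::1]:42999;` (no URI part) in the include forwards the request URI as received from every location that includes it, and in `location /` it is equivalent to the current form. Since this file is now reused from different location contexts, a header comment such as `# Included from several locations: keep proxy_pass without a URI part so the request path is forwarded unchanged` would prevent the same regression later.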
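Review bot: `try_files /security.txt =500;` in the new `/.well-known/security.txt` block reports a missing file as a server error; a 404 is the accurate answer and avoids monitoring or scanners flagging the host as broken, so `try_files /security.txt =404;` is preferable (the committed file is empty, so until it is populated the response is also not a valid RFC 9116 document, which requires Contact and Expires fields). RFC 9116 also requires the file to be served as `text/plain; charset=utf-8`; the `txt` mapping in nginx's mime.types yields `text/plain`, but the charset parameter only appears when `charset utf-8;` is set for this location or inherited, which this hunk does not show. Because messages.conf is pulled in by serve-static.conf, this exact-match location presumably also takes precedence over any `security.txt` a hosted site publishes under its own `/.well-known/` on the subdomain and subpath vhosts; if that is intended, a comment like `# Served on every vhost; hosted sites cannot publish their own` would make it explicit.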
@@ -1,4 +1,4 @@
-include inc/errors.conf;
+include inc/messages.conf;
 more_clear_headers "Set-Cookie";
 more_clear_input_headers "Cookie";
@@ -6,9 +6,5 @@ more_clear_input_headers "Cookie";
 more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self' 'unsafe-inline' data:; img-src 'self' data:; font-src 'self' data:; media-src 'self' data:; frame-ancestors 'none'; form-action 'none';";
 location / {
- proxy_pass http://[::1]:42999/;
- proxy_ignore_client_abort on;
- proxy_http_version 1.1;
- proxy_set_header Host $host;
- proxy_redirect http://$host:42999/ /;
+ include inc/apache-proxy.conf;
 }
diff --git a/install/nginx/nginx.conf b/install/nginx/nginx.conf
index 0291288..90489d6 100644
--- a/install/nginx/nginx.conf
+++ b/install/nginx/nginx.conf
@@ -8,12 +8,6 @@ events {
 }
 http {
- types_hash_bucket_size 128;
- types_hash_max_size 1024;
- server_names_hash_bucket_size 128;
-
- absolute_redirect off;
-
 # Performance optimisation
 sendfile on;
 tcp_nopush on;
@@ -61,5 +55,6 @@ http {
 # Include other configuration
 include sites/*.conf;
- include /srv/servnest/nginx/*.conf;
+
+ absolute_redirect off;
 }
diff --git a/install/nginx/sites/dns.conf b/install/nginx/sites/dns.conf
index ff0be45..15fc27d 100644
--- a/install/nginx/sites/dns.conf
+++ b/install/nginx/sites/dns.conf
@@ -1,4 +1,5 @@
-# DNS+TLS site access
+# Dedicated DNS+TLS access
+
 server {
 listen [::1]:42443 ssl http2 default_server;
 listen 127.0.0.1:42443 ssl http2 default_server;
@@ -6,5 +7,5 @@ server {
 ssl_certificate /etc/ssl/certs/${ssl_server_name}.crt;
 ssl_certificate_key /etc/ssl/private/${ssl_server_name}.key;
- include inc/proxy.conf;
+ include inc/serve-static.conf;
 }
diff --git a/install/nginx/sites/interface.conf b/install/nginx/sites/interface.conf
index 55d6221..fdd8bcc 100644
--- a/install/nginx/sites/interface.conf
+++ b/install/nginx/sites/interface.conf
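Review bot: Dropping `server_names_hash_bucket_size 128;` together with the two `types_hash_*` sizes from the `http` block makes startup depend on nginx's platform defaults; if any `server_name` across sites/*.conf exceeds what the default bucket holds, nginx refuses to start with "could not build server_names_hash" rather than degrading. The names visible in this patch (`${ssl_server_name}`, `wildcard.ht.servnest.test`, `ht.servnest.test`) presumably fit, and the second hunk removes `include /srv/servnest/nginx/*.conf;`, which looks like where per-site vhosts used to come from, so the explicit sizes may indeed be obsolete. A one-line comment recording that reasoning where the directives were, e.g. `# Hash sizes left at defaults: per-site vhosts are no longer generated under /srv/servnest/nginx`, would stop a future reader from re-adding them blindly or from wondering whether the removal was accidental.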
@@ -8,9 +8,9 @@ server {
 root /srv/servnest/core;
- include inc/errors.conf;
+ include inc/messages.conf;
- more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self';";
+ more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'none';";
 # Main ServNest interface
 location / {
diff --git a/install/nginx/sites/http.conf b/install/nginx/sites/no-tls.conf
similarity index 80%
rename from install/nginx/sites/http.conf
rename to install/nginx/sites/no-tls.conf
index 8711d83..f694b92 100644
--- a/install/nginx/sites/http.conf
+++ b/install/nginx/sites/no-tls.conf
@@ -4,14 +4,17 @@ server {
 listen [::1]:42080 default_server;
 listen 127.0.0.1:42080 default_server;
- include inc/errors.conf;
-
 location / {
 return 403; # Don't allow unsecure HTTP requests
 }
 error_page 403 /http-messages/unsecure;
+ location /http-messages {
+ include inc/apache-proxy.conf;
+ }
+
+ # To get TLS certificates
 location /.well-known/acme-challenge {
 root /srv/servnest/acme/;
 }
diff --git a/install/nginx/sites/onion.conf b/install/nginx/sites/onion.conf
index 371a070..96d9c4e 100644
--- a/install/nginx/sites/onion.conf
+++ b/install/nginx/sites/onion.conf
@@ -1,6 +1,6 @@
-# Onion service site access
+# Dedicated Onion service access
 server {
 listen [::1]:9080 default_server;
- include inc/proxy.conf;
+ include inc/serve-static.conf;
 }
diff --git a/install/nginx/sites/sftpgo-auth.conf b/install/nginx/sites/sftpgo-auth.conf
index 7aeb6b2..83d28cd 100644
--- a/install/nginx/sites/sftpgo-auth.conf
+++ b/install/nginx/sites/sftpgo-auth.conf
@@ -5,7 +5,7 @@ server {
 root /srv/servnest/core;
- include inc/errors.conf;
+ include inc/messages.conf;
 location / {
 try_files /sftpgo-auth.php =500;
diff --git a/install/nginx/sites/subdomain.conf b/install/nginx/sites/subdomain.conf
index 79b9f10..d14cfd8 100644
--- a/install/nginx/sites/subdomain.conf
+++ b/install/nginx/sites/subdomain.conf
@@ -1,4 +1,4 @@
-# Maps subdomain to filesystem subpath
+# Subdomain access
 server {
 listen [::1]:42443 ssl http2;
@@ -8,5 +8,5 @@ server {
 ssl_certificate /etc/ssl/certs/wildcard.ht.servnest.test.crt;
 ssl_certificate_key /etc/ssl/private/wildcard.ht.servnest.test.key;
- include inc/proxy.conf;
+ include inc/serve-static.conf;
 }
diff --git a/install/nginx/sites/subpath.conf b/install/nginx/sites/subpath.conf
index ba79a60..156b23c 100644
--- a/install/nginx/sites/subpath.conf
+++ b/install/nginx/sites/subpath.conf
@@ -1,4 +1,4 @@
-# Maps HTTP subpath to filesystem subpath
+# Subpath access
 server {
 listen [::1]:42443 ssl http2;
@@ -8,5 +8,5 @@ server {
 ssl_certificate /etc/ssl/certs/ht.servnest.test.crt;
 ssl_certificate_key /etc/ssl/private/ht.servnest.test.key;
- include inc/proxy.conf;
+ include inc/serve-static.conf;
 }