From bcf960dce4b809162367adcbae8640a9a6405e23 Mon Sep 17 00:00:00 2001 From: Disassembler Date: Mon, 18 Sep 2017 17:50:13 +0200 Subject: [PATCH] Move TLS config to nginx.conf, add client_max_body_size 100m; --- 01-basic.sh | 5 +- basic/etc/nginx/nginx.conf | 94 +++++++++++++++++++++++ basic/etc/nginx/sites-available/default | 8 -- pandora/etc/nginx/sites-available/pandora | 9 --- sambro/etc/nginx/sites-available/sambro | 9 --- 5 files changed, 98 insertions(+), 27 deletions(-) create mode 100644 basic/etc/nginx/nginx.conf diff --git a/01-basic.sh b/01-basic.sh index 356a720..4cf97bf 100755 --- a/01-basic.sh +++ b/01-basic.sh @@ -83,9 +83,12 @@ apt-get -y --no-install-recommends install nginx-light uwsgi uwsgi-plugin-python openssl req -x509 -new -out /etc/ssl/certs/services.pem -keyout /etc/ssl/private/services.key -nodes -days 3654 -subj "/C=CZ/CN=$(hostname -f)" chmod 640 /etc/ssl/private/services.key -# Modify default nginx site +# Configure nginx mkdir /etc/nginx/apps-available /etc/nginx/apps-enabled +cp ${SOURCE_DIR}/basic/etc/nginx/nginx.conf /etc/nginx/nginx.conf cp ${SOURCE_DIR}/basic/etc/nginx/sites-available/default /etc/nginx/sites-available/default + +# Copy Portal resources cp -r ${SOURCE_DIR}/basic/srv/portal /srv/portal chown -R www-data:www-data /srv/portal diff --git a/basic/etc/nginx/nginx.conf b/basic/etc/nginx/nginx.conf new file mode 100644 index 0000000..b2295bc --- /dev/null +++ b/basic/etc/nginx/nginx.conf @@ -0,0 +1,94 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + client_max_body_size 100m; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 1d; + ssl_session_tickets off; + ssl_certificate /etc/ssl/certs/services.pem; + ssl_certificate_key /etc/ssl/private/services.key; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} + + +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} diff --git a/basic/etc/nginx/sites-available/default b/basic/etc/nginx/sites-available/default index 1302fdc..2845e41 100644 --- a/basic/etc/nginx/sites-available/default +++ b/basic/etc/nginx/sites-available/default @@ -8,14 +8,6 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/ssl/certs/services.pem; - ssl_certificate_key /etc/ssl/private/services.key; - ssl_protocols TLSv1.2; - ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 1d; - ssl_session_tickets off; add_header Strict-Transport-Security "max-age=31536000;"; root /srv/portal; diff --git a/pandora/etc/nginx/sites-available/pandora b/pandora/etc/nginx/sites-available/pandora index 367b36c..08322b9 100644 --- a/pandora/etc/nginx/sites-available/pandora +++ b/pandora/etc/nginx/sites-available/pandora @@ -2,15 +2,6 @@ server { listen 8001 ssl http2; listen [::]:8001 ssl http2; - ssl_certificate /etc/ssl/certs/services.pem; - ssl_certificate_key /etc/ssl/private/services.key; - ssl_protocols TLSv1.2; - ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 1d; - ssl_session_tickets off; - access_log /var/log/nginx/pandora.access.log; error_log /var/log/nginx/pandora.error.log; diff --git a/sambro/etc/nginx/sites-available/sambro b/sambro/etc/nginx/sites-available/sambro index e26cddd..87e1099 100644 --- a/sambro/etc/nginx/sites-available/sambro +++ b/sambro/etc/nginx/sites-available/sambro @@ -2,15 +2,6 @@ server { listen 8099 ssl http2; listen [::]:8099 ssl http2; - ssl_certificate /etc/ssl/certs/services.pem; - ssl_certificate_key /etc/ssl/private/services.key; - ssl_protocols TLSv1.2; - ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 1d; - ssl_session_tickets off; - access_log /var/log/nginx/sambro.access.log; error_log /var/log/nginx/sambro.error.log;