From b523cf86c8cbedb43cf625a1a847ca828afd5fba Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 13 Oct 2019 17:29:11 +0200 Subject: nextcloud basic installation is finally working properly --- roles/nginx/base/files/conf.d/connection-upgrade.conf | 6 ++++++ roles/nginx/base/files/snippets/hsts.conf | 1 + roles/nginx/base/files/snippets/proxy-nobuff.conf | 4 ++++ roles/nginx/base/files/snippets/security-headers.conf | 4 ++++ roles/nginx/base/files/snippets/ssl.conf | 10 ++++++++++ 5 files changed, 25 insertions(+) create mode 100644 roles/nginx/base/files/conf.d/connection-upgrade.conf create mode 100644 roles/nginx/base/files/snippets/hsts.conf create mode 100644 roles/nginx/base/files/snippets/proxy-nobuff.conf create mode 100644 roles/nginx/base/files/snippets/security-headers.conf create mode 100644 roles/nginx/base/files/snippets/ssl.conf (limited to 'roles/nginx/base/files') diff --git a/roles/nginx/base/files/conf.d/connection-upgrade.conf b/roles/nginx/base/files/conf.d/connection-upgrade.conf new file mode 100644 index 00000000..4153effe --- /dev/null +++ b/roles/nginx/base/files/conf.d/connection-upgrade.conf @@ -0,0 +1,6 @@ +# used for websockets +# set http_connection to either upgrade or close (as normal) +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} diff --git a/roles/nginx/base/files/snippets/hsts.conf b/roles/nginx/base/files/snippets/hsts.conf new file mode 100644 index 00000000..4ca8396e --- /dev/null +++ b/roles/nginx/base/files/snippets/hsts.conf @@ -0,0 +1 @@ +add_header Strict-Transport-Security max-age=15768000; diff --git a/roles/nginx/base/files/snippets/proxy-nobuff.conf b/roles/nginx/base/files/snippets/proxy-nobuff.conf new file mode 100644 index 00000000..b08de70c --- /dev/null +++ b/roles/nginx/base/files/snippets/proxy-nobuff.conf @@ -0,0 +1,4 @@ +proxy_buffering off; +proxy_ignore_headers "X-Accel-Buffering"; +proxy_request_buffering off; +proxy_http_version 1.1; diff --git a/roles/nginx/base/files/snippets/security-headers.conf b/roles/nginx/base/files/snippets/security-headers.conf new file mode 100644 index 00000000..b94d479d --- /dev/null +++ b/roles/nginx/base/files/snippets/security-headers.conf @@ -0,0 +1,4 @@ +add_header X-Frame-Options DENY; +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; +# add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'"; diff --git a/roles/nginx/base/files/snippets/ssl.conf b/roles/nginx/base/files/snippets/ssl.conf new file mode 100644 index 00000000..d187a7c0 --- /dev/null +++ b/roles/nginx/base/files/snippets/ssl.conf @@ -0,0 +1,10 @@ +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5; +ssl_prefer_server_ciphers on; + +# openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048 +ssl_dhparam /etc/ssl/dhparams.pem; + +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 10m; +ssl_session_tickets off; -- cgit v1.2.3