-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathhologram-nginx.pkg.toml
169 lines (143 loc) · 5.7 KB
/
hologram-nginx.pkg.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
[package]
name = "hologram-nginx"
version = "1.5.0"
description = "Modular baseline configuration for nginx with sane defaults"
requires = [
"nginx",
"hologram-letsencrypt",
"logrotate",
]
# skip nginx logs in logrotate (since we disable logging to files anyway, there
# will just be useless errors)
[[file]]
path = "/usr/share/holo/files/20-nginx/etc/logrotate.d/nginx"
contentFrom = "/dev/null"
################################################################################
# nginx baseline configuration
[[symlink]]
path = "/etc/systemd/system/multi-user.target.wants/nginx.service"
target = "/usr/lib/systemd/system/nginx.service"
[[file]]
path = "/etc/nginx/server-baseline-https.inc"
content = """
# This file sets sane defaults for all the TLS shebang, so just include it
# for every "server" directive that is TLS-enabled. Use like this:
#
# server_name $host;
# include /etc/nginx/server-baseline-tls.inc;
#
# ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/$host/chain.pem;
#
# It's also recommended to set a Content-Security-Policy that's appropriate
# for the service in question. For example:
#
# add_header Content-Security-Policy "default-src 'self'" always;
#
# IPv4
listen 443 ssl;
# IPv6
listen [::]:443 ssl;
ssl on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# source esp. for cipher suite selection: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
# recommended HTTP headers according to https://securityheaders.io
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always; # six months
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# NOTE: generate this with `sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048`
ssl_dhparam /etc/nginx/dhparam.pem;
# activate OCSP stapling (source: https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt-nginx/letsencrypt_nginx/configurator.py)
ssl_stapling on;
ssl_stapling_verify on;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
"""
# make the default /etc/nginx/nginx.conf more modular by linking to /etc/nginx/sites-enabled
[[file]]
path = "/usr/share/holo/files/00-base/etc/nginx/nginx.conf"
content = """
user http;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
access_log off;
include /etc/nginx/sites-enabled/*.conf;
}
"""
[[directory]]
path = "/etc/nginx/sites-available"
[[directory]]
path = "/etc/nginx/sites-enabled"
# all domains mentioned in /etc/nginx/sites-enabled and
# /etc/nginx/sites-available are relevant for letsencrypt-allofthem
[[file]]
path = "/etc/letsencrypt-allofthem/nginx.sh"
mode = "0755"
content = '''
#!/bin/sh
find /etc/nginx/sites-{available,enabled} -name \*.conf -exec cat {} + | grep -o '/etc/letsencrypt/live/[^/]\+' | cut -d/ -f5 | sort -u
'''
[[file]]
path = "/etc/letsencrypt-allofthem/then/nginx.sh"
mode = "0755"
content = '''
#!/bin/sh
systemctl reload-or-restart nginx.service
'''
################################################################################
# auto-generation of nginx virtual hosts for static domains below /data/static-web
[[directory]]
path = "/data/static-web"
mode = "0755"
user = "http"
group = "http"
[[file]]
path = "/etc/nginx/sites-enabled/static-web.conf"
content = """
server {
server_name $host;
include /etc/nginx/server-baseline-https.inc;
# CSP includes unsafe-inline to allow <style> tags in hand-written HTML
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'" always;
ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/$host/chain.pem;
location / {
root /data/static-web/$host;
index index.html index.htm;
charset utf-8;
autoindex on;
}
}
"""
[[file]]
path = "/usr/share/holo/files/20-nginx/etc/nginx/sites-enabled/static-web.conf.holoscript"
mode = "0755"
content = '''
#!/bin/sh
CONFIG="$(cat)"
find /data/static-web -mindepth 1 -maxdepth 1 \( -type l -o -type d \) -exec basename {} \; | while read DOMAIN; do
if [ -f "/data/static-web/${DOMAIN}/.autoindex" ]; then
echo "$CONFIG" | sed s/\$host/"$DOMAIN"/g
else
echo "$CONFIG" | sed s/\$host/"$DOMAIN"/g | sed /autoindex/d
fi
done
'''