diff --git a/conf/_security.conf b/conf/_security.conf
index 529aecc..95129ea 100644
--- a/conf/_security.conf
+++ b/conf/_security.conf
@@ -1,22 +1,29 @@
 # Configure secure access with letsencrypt
-ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem;
-include /etc/letsencrypt/options-ssl-nginx.conf;
-ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-ssl_session_cache shared:SSL:1m;
+ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem;
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+# Add some ssl settings from Mozilla
+# see: https://ssl-config.mozilla.org
+ssl_protocols TLSv1.3;
+ssl_ecdh_curve X25519:prime256v1:secp384r1;
+ssl_prefer_server_ciphers off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.1;
 # Add some basic security headers from OWASP
 # see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
-add_header X-Frame-Options "DENY" always;
-add_header X-XSS-Protection "0" always;
-add_header X-Content-Type-Options "nosniff" always;
-add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
-add_header Cross-Origin-Opener-Policy "same-origin" always;
-add_header Cross-Origin-Resource-Policy "same-site" always;
-add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
-add_header Server "webserver" always;
-add_header X-Robots-Tag "noindex, nofollow" always;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
+add_header X-Frame-Options "DENY" always;
+add_header X-XSS-Protection "0" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
+add_header Cross-Origin-Opener-Policy "same-origin" always;
+add_header Cross-Origin-Resource-Policy "same-site" always;
+add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
+add_header Server "webserver" always;
+add_header X-Robots-Tag "noindex, nofollow" always;
diff --git a/netoik-rp.spec b/netoik-rp.spec
index 1f38eca..7d862f7 100644
--- a/netoik-rp.spec
+++ b/netoik-rp.spec
@@ -10,7 +10,7 @@ URL: https://git.netoik.io/samuel/netoik-rp
 Source0: %{name}-%{version}.tar.gz
 Buildarch: noarch
 BuildRequires: make
-Requires: nginx,python3,python-devel,augeas-devel,gcc
+Requires: nginx python3 python-devel augeas-devel gcc openssl
 %description
 Install the reverse proxy called nginx with a predefined configuration and with TLS certificates attached to netoik.io
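Review bot: Removing `include /etc/letsencrypt/options-ssl-nginx.conf;` together with `ssl_session_cache shared:SSL:1m;` leaves the new TLS block with no session-cache, session-timeout or session-ticket directive, so nginx falls back to its built-in defaults rather than the Mozilla profile the new comment cites; the generator's output also carries `ssl_session_timeout 1d;`, `ssl_session_cache shared:MozSSL:10m;` and `ssl_session_tickets off;`, which should be added here. `ssl_stapling_verify on;` expects `ssl_trusted_certificate` pointing at the issuer chain for verifying OCSP responses, and `resolver 127.0.0.1;` assumes a local resolver is running on the host, which nothing in this commit installs — check both on the target, since nginx only reports stapling problems as startup warnings. With `ssl_protocols TLSv1.3;` alone, `ssl_dhparam` is not used for key exchange (TLS 1.3 takes its groups from `ssl_ecdh_curve`), so either that directive is dead config or a TLSv1.2 fallback was intended. Let's Encrypt has also announced the end of its OCSP service, so the two stapling directives may soon be no-ops regardless. The `-`/`+` pairs of byte-identical `add_header` lines look like a whitespace or line-ending rewrite; that is worth a word in the commit message.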
@@ -29,13 +29,20 @@ if [ $1 == 1 ]; then
 %{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.swp %{_sysconfdir}/certbot/ovh.ini
 %{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini
- # Create virutal env with certbot cli
+ # Create virutal env with certbot
 %{_bindir}/env python3 -m venv /opt/certbot
 /opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
 %{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
- %{_bindir}/env certbot certonly --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
+
+ # Create certificate with certbot
+ %{_bindir}/env certbot certonly --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
+
+ # Add crontab rule for automatic renew
 %{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab
+ # Create ssl dh params
+ %{_bindir}/env openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
+ # Stop nginx to be sure changes are taken in account
 %{_bindir}/env systemctl stop nginx
 fi
@@ -57,6 +64,7 @@ fi
 %ghost %attr(755, root, root) %dir /opt/certbot
 %ghost %attr(755, root, root) %{_sbindir}/certbot
 %ghost %attr(755, root, root) %dir %{_sysconfdir}/letsencrypt
+%ghost %attr(755, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
 %changelog
 %autochangelog
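Review bot: Dropping `--non-interactive --agree-tos --email …` from the `certbot certonly` line makes certbot ask for terms-of-service acceptance and a contact address, and an RPM %post scriptlet has no terminal, so on a fresh install certbot will abort with a missing-flag error while the following `openssl dhparam` and `systemctl stop nginx` steps still run with no certificate in place (unless a certbot cli.ini outside this diff supplies those settings, and nothing visible here aborts the scriptlet on error). Restore them on the new line: `%{_bindir}/env certbot certonly --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"`. The new `openssl dhparam -out …` call gives no size, so the parameter length depends on the installed OpenSSL's default and the generation time is unbounded inside a scriptlet; pass it explicitly (`… ssl-dhparams.pem 2048`) or install the pre-generated ffdhe2048 group the Mozilla generator points to. Separately, the existing printf the new `# Add crontab rule for automatic renew` comment now labels writes `Automatic certbot renew` into /etc/crontab without a leading `#`, which cron will treat as a malformed entry; that is pre-existing, but it is the line this comment documents. The enclosing `if [ $1 == 1 ]; then` block and the scriptlet header start outside the hunk.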
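Review bot: `%attr(755, root, root)` on the new ghost entry for `ssl-dhparams.pem` marks a regular PEM file as executable, copying the mode of the directory entries above it; the mode that `rpm -V` and `--setperms` should apply is `%ghost %attr(644, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem`. The file holds only public DH parameters, so 644 is adequate, but it is not a program. The %ghost flag itself is right, since %post generates the file rather than the package shipping it; the `%files` header lies outside the hunk.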