Add nginx security conf

2026-01-01 15:40:05 +01:00
parent 1ee9c0402d
commit af2b40516f
5 changed files with 33 additions and 22 deletions
--- a/4
+++ b/4
@@ -28,5 +28,7 @@ tarball: $(RPM_TARBALL_PATH)

 .PHONY: install
 install:
+	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d
+	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d conf/_security.conf
 	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/certbot
-	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot/ conf/ovh.ini.tpl
+	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot/ conf/ovh.ini
--- a/conf/_security.conf
+++ b/conf/_security.conf
@@ -0,0 +1,22 @@
+# Configure secure access with letsencrypt
+ssl_certificate           /etc/letsencrypt/live/netoik.io/fullchain.pem;
+ssl_certificate_key       /etc/letsencrypt/live/netoik.io/privkey.pem;
+include                   /etc/letsencrypt/options-ssl-nginx.conf;
+ssl_dhparam               /etc/letsencrypt/ssl-dhparams.pem;
+ssl_session_cache         shared:SSL:1m;
+
+# Add some basic security headers from OWASP
+# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
+add_header                Strict-Transport-Security      "max-age=63072000; includeSubDomains; preload;"                    always;
+add_header                X-Frame-Options                "DENY"                                                             always;
+add_header                X-XSS-Protection               "0"                                                                always;
+add_header                X-Content-Type-Options         "nosniff"                                                          always;
+add_header                Referrer-Policy                "strict-origin-when-cross-origin"                                  always;
+add_header                Content-Security-Policy        "default-src 'self'; frame-ancestors 'self'; form-action 'self';"  always;
+add_header                Cross-Origin-Opener-Policy     "same-origin"                                                      always;
+add_header                Cross-Origin-Resource-Policy   "same-site"                                                        always;
+add_header                Permissions-Policy             "geolocation=(), camera=(), microphone=()"                         always;
+add_header                Server                         "webserver"                                                        always;
+add_header                X-Robots-Tag                   "noindex, nofollow"                                                always;
+
+
--- a/conf/ovh.ini.tpl
+++ b/conf/ovh.ini.tpl
--- a/netoik-rp.spec
+++ b/netoik-rp.spec
@@ -25,14 +25,15 @@ Install the reverse proxy called nginx with a predefined configuration and with
 # After install
 if [ $1 == 1 ]; then
  # Replace secrets in ovh.ini
-  %{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini.tpl > %{_sysconfdir}/certbot/ovh.ini
+  %{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.swp
+  %{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.swp %{_sysconfdir}/certbot/ovh.ini
  %{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini

  # Create virutal env with certbot cli
  %{_bindir}/env python3 -m venv /opt/certbot
  /opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
 	%{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
-  %{_bindir}/env certbot --installer nginx --non-interactive	--agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
+  %{_bindir}/env certbot certonly --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
  %{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab

  # Stop nginx to be sure changes are taken in account
@@ -50,12 +51,12 @@ if [ $1 == 0 ]; then
 fi

 %files
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/_security.conf
 %attr(755, root, root) %dir %{_sysconfdir}/certbot
-%attr(600, root, root) %config %ghost %{_sysconfdir}/certbot/ovh.ini
-%attr(644, root, root) %{_sysconfdir}/certbot/ovh.ini.tpl
-%attr(755, root, root) %dir %ghost /opt/certbot
-%attr(755, root, root) %ghost %{_sbindir}/certbot
-%attr(755, root, root) %dir %ghost %{_sysconfdir}/letsencrypt
+%attr(600, root, root) %config %{_sysconfdir}/certbot/ovh.ini
+%ghost %attr(755, root, root) %dir /opt/certbot
+%ghost %attr(755, root, root) %{_sbindir}/certbot
+%ghost %attr(755, root, root) %dir %{_sysconfdir}/letsencrypt

 %changelog
 %autochangelog
--- a/services/netoik-rp.service
+++ b/services/netoik-rp.service
@@ -1,14 +0,0 @@
-[Service]
-Type=forking
-PIDFile=/run/netoik-rp.pid
-ExecStartPre=/usr/bin/env rm -f /run/netoik-rp.pid
-ExecStartPre=/usr/bin/env nginx -t -c /etc/netoik-rp/netoik-rp.conf
-ExecStart=/usr/bin/env nginx -c /etc/netoik-rp/netoik-rp.conf
-ExecReload=/usr/bin/env nginx -s reload -c /etc/netoik-rp/netoik-rp.conf
-KillSignal=SIGQUIT
-TimeoutStopSec=5
-KillMode=mixed
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target