From af2b40516f2580a896d9fb9b8e41ace2aefb5c7f Mon Sep 17 00:00:00 2001 From: samuel Date: Thu, 1 Jan 2026 15:40:05 +0100 Subject: [PATCH] Add nginx security conf --- Makefile | 4 +++- conf/_security.conf | 22 ++++++++++++++++++++++ conf/{ovh.ini.tpl => ovh.ini} | 0 netoik-rp.spec | 15 ++++++++------- services/netoik-rp.service | 14 -------------- 5 files changed, 33 insertions(+), 22 deletions(-) create mode 100644 conf/_security.conf rename conf/{ovh.ini.tpl => ovh.ini} (100%) delete mode 100644 services/netoik-rp.service diff --git a/Makefile b/Makefile index 08b1885..b50eb99 100644 --- a/Makefile +++ b/Makefile @@ -28,5 +28,7 @@ tarball: $(RPM_TARBALL_PATH) .PHONY: install install: + install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d + install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d conf/_security.conf install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/certbot - install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot/ conf/ovh.ini.tpl + install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot/ conf/ovh.ini diff --git a/conf/_security.conf b/conf/_security.conf new file mode 100644 index 0000000..529aecc --- /dev/null +++ b/conf/_security.conf @@ -0,0 +1,22 @@ +# Configure secure access with letsencrypt +ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem; +include /etc/letsencrypt/options-ssl-nginx.conf; +ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; +ssl_session_cache shared:SSL:1m; + +# Add some basic security headers from OWASP +# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always; +add_header X-Frame-Options "DENY" always; +add_header X-XSS-Protection "0" always; +add_header X-Content-Type-Options "nosniff" always; +add_header Referrer-Policy "strict-origin-when-cross-origin" always; +add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always; +add_header Cross-Origin-Opener-Policy "same-origin" always; +add_header Cross-Origin-Resource-Policy "same-site" always; +add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always; +add_header Server "webserver" always; +add_header X-Robots-Tag "noindex, nofollow" always; + + diff --git a/conf/ovh.ini.tpl b/conf/ovh.ini similarity index 100% rename from conf/ovh.ini.tpl rename to conf/ovh.ini diff --git a/netoik-rp.spec b/netoik-rp.spec index ee7a45b..1f38eca 100644 --- a/netoik-rp.spec +++ b/netoik-rp.spec @@ -25,14 +25,15 @@ Install the reverse proxy called nginx with a predefined configuration and with # After install if [ $1 == 1 ]; then # Replace secrets in ovh.ini - %{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini.tpl > %{_sysconfdir}/certbot/ovh.ini + %{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.swp + %{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.swp %{_sysconfdir}/certbot/ovh.ini %{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini # Create virutal env with certbot cli %{_bindir}/env python3 -m venv /opt/certbot /opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh %{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot - %{_bindir}/env certbot --installer nginx --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr" + %{_bindir}/env certbot certonly --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr" %{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab # Stop nginx to be sure changes are taken in account @@ -50,12 +51,12 @@ if [ $1 == 0 ]; then fi %files +%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/_security.conf %attr(755, root, root) %dir %{_sysconfdir}/certbot -%attr(600, root, root) %config %ghost %{_sysconfdir}/certbot/ovh.ini -%attr(644, root, root) %{_sysconfdir}/certbot/ovh.ini.tpl -%attr(755, root, root) %dir %ghost /opt/certbot -%attr(755, root, root) %ghost %{_sbindir}/certbot -%attr(755, root, root) %dir %ghost %{_sysconfdir}/letsencrypt +%attr(600, root, root) %config %{_sysconfdir}/certbot/ovh.ini +%ghost %attr(755, root, root) %dir /opt/certbot +%ghost %attr(755, root, root) %{_sbindir}/certbot +%ghost %attr(755, root, root) %dir %{_sysconfdir}/letsencrypt %changelog %autochangelog diff --git a/services/netoik-rp.service b/services/netoik-rp.service deleted file mode 100644 index dd89e69..0000000 --- a/services/netoik-rp.service +++ /dev/null @@ -1,14 +0,0 @@ -[Service] -Type=forking -PIDFile=/run/netoik-rp.pid -ExecStartPre=/usr/bin/env rm -f /run/netoik-rp.pid -ExecStartPre=/usr/bin/env nginx -t -c /etc/netoik-rp/netoik-rp.conf -ExecStart=/usr/bin/env nginx -c /etc/netoik-rp/netoik-rp.conf -ExecReload=/usr/bin/env nginx -s reload -c /etc/netoik-rp/netoik-rp.conf -KillSignal=SIGQUIT -TimeoutStopSec=5 -KillMode=mixed -PrivateTmp=true - -[Install] -WantedBy=multi-user.target