Add certbot renew service

2026-01-18 12:42:37 +01:00
parent 8e13e2004a
commit f811e72e64
7 changed files with 51 additions and 23 deletions
--- a/conf/nginx/0_security.conf
+++ b/conf/nginx/0_security.conf
@@ -0,0 +1,27 @@
+# Configure secure access with letsencrypt
+ssl_certificate              /etc/letsencrypt/live/netoik.io/fullchain.pem;
+ssl_certificate_key          /etc/letsencrypt/live/netoik.io/privkey.pem;
+ssl_dhparam                  /etc/letsencrypt/ssl-dhparams.pem;
+
+# Add some ssl settings from Mozilla
+# see: https://ssl-config.mozilla.org
+ssl_protocols                TLSv1.3;
+ssl_ecdh_curve               X25519:prime256v1:secp384r1;
+ssl_prefer_server_ciphers    off;
+ssl_stapling                 on;
+ssl_stapling_verify          on;
+resolver                     127.0.0.1;
+
+# Add some basic security headers from OWASP
+# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
+add_header                   Strict-Transport-Security      "max-age=63072000; includeSubDomains; preload;"                      always;
+add_header                   X-Frame-Options                "DENY"                                                               always;
+add_header                   X-XSS-Protection               "0"                                                                  always;
+add_header                   X-Content-Type-Options         "nosniff"                                                            always;
+add_header                   Referrer-Policy                "strict-origin-when-cross-origin"                                    always;
+add_header                   Content-Security-Policy        "default-src 'self'; frame-ancestors 'self'; form-action 'self';"    always;
+add_header                   Cross-Origin-Opener-Policy     "same-origin"                                                        always;
+add_header                   Cross-Origin-Resource-Policy   "same-site"                                                          always;
+add_header                   Permissions-Policy             "geolocation=(), camera=(), microphone=()"                           always;
+add_header                   Server                         "webserver"                                                          always;
+add_header                   X-Robots-Tag                   "noindex, nofollow"                                                  always;
--- a/conf/nginx/default.conf
+++ b/conf/nginx/default.conf
@@ -0,0 +1,13 @@
+server {
+	listen 443 default_server;
+	server_name _;
+
+	return 404;
+}
+
+server {
+	listen 80 default_server;
+	server_name _;
+
+	return 301 https://$host$request_uri;    
+}