Add nginx security conf

Makefile

@@ -2,6 +2,7 @@ NAME = $(shell basename $(PWD))
 VERSION = $(shell git describe | sed 's/-/./g')
 BRANCH = $(shell git branch --show-current)
 
+RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
 RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
 RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
 RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
@@ -27,8 +28,7 @@ tarball: $(RPM_TARBALL_PATH)
 
 .PHONY: install
 install:
-	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/netoik-rp
-	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/netoik-rp/ conf/netoik-rp.conf
-	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/netoik-rp/ conf/ovh.ini
-	install --directory $(DESTDIR)$(RPM_UNITDIR)
-	install --target-directory=$(DESTDIR)$(RPM_UNITDIR)/ services/netoik-rp.service
+	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d
+	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d conf/_security.conf
+	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/certbot
+	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot/ conf/ovh.ini

conf/_security.conf

@@ -0,0 +1,22 @@
+# Configure secure access with letsencrypt
+ssl_certificate           /etc/letsencrypt/live/netoik.io/fullchain.pem;
+ssl_certificate_key       /etc/letsencrypt/live/netoik.io/privkey.pem;
+include                   /etc/letsencrypt/options-ssl-nginx.conf;
+ssl_dhparam               /etc/letsencrypt/ssl-dhparams.pem;
+ssl_session_cache         shared:SSL:1m;
+
+# Add some basic security headers from OWASP
+# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
+add_header                Strict-Transport-Security      "max-age=63072000; includeSubDomains; preload;"                    always;
+add_header                X-Frame-Options                "DENY"                                                             always;
+add_header                X-XSS-Protection               "0"                                                                always;
+add_header                X-Content-Type-Options         "nosniff"                                                          always;
+add_header                Referrer-Policy                "strict-origin-when-cross-origin"                                  always;
+add_header                Content-Security-Policy        "default-src 'self'; frame-ancestors 'self'; form-action 'self';"  always;
+add_header                Cross-Origin-Opener-Policy     "same-origin"                                                      always;
+add_header                Cross-Origin-Resource-Policy   "same-site"                                                        always;
+add_header                Permissions-Policy             "geolocation=(), camera=(), microphone=()"                         always;
+add_header                Server                         "webserver"                                                        always;
+add_header                X-Robots-Tag                   "noindex, nofollow"                                                always;
+
+

conf/netoik-rp.conf

@@ -1,61 +0,0 @@
-# For more information on configuration
-# See: http://nginx.org/en/docs/
-
-# Configure core
-# See: https://nginx.org/en/docs/ngx_core_module.html
-user             nginx;
-worker_processes auto;
-error_log        /var/log/nginx/error.log;
-pid              /run/nginx.pid;
-
-# Load dynamic modules
-# See: /usr/share/doc/nginx/README.dynamic.
-include /usr/share/nginx/modules/*.conf;
-
-events {
-    worker_connections 1024;
-}
-
-http {
-    # Configure logs
-    # See: https://nginx.org/en/docs/http/ngx_http_log_module.html
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-    access_log  /var/log/nginx/access.log  main;
-
-    # Configure core
-    # See: https://nginx.org/en/docs/ngx_core_module.html
-    include             /etc/nginx/mime.types;
-    default_type        text/html;
-    sendfile            on;
-    tcp_nopush          on;
-    tcp_nodelay         on;
-    keepalive_timeout   65;
-    types_hash_max_size 4096;
-
-    # Configure ssl module
-    # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html 
-    include                   /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_certificate           /etc/letsencrypt/live/netoik.io/fullchain.pem;
-    ssl_certificate_key       /etc/letsencrypt/live/netoik.io/privkey.pem;
-    ssl_dhparam               /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_session_cache         shared:SSL:1m;
-    ssl_prefer_server_ciphers on;
-
-    # Configure headers
-    # See: https://nginx.org/en/docs/http/ngx_http_headers_module.html
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
-
-    # Configure http2
-    # See: https://nginx.org/en/docs/http/ngx_http_v2_module.html
-    http2 on;
-
-    # Configure http3
-    # See: https://nginx.org/en/docs/http/ngx_http_v3_module.html
-    http3 on;
-
-    # Load modular configuration files from the /etc/nginx/conf.d directory.
-    # See: http://nginx.org/en/docs/ngx_core_module.html#include
-    include /etc/nginx/conf.d/*.conf;
-}

conf/ovh.ini

@@ -1,6 +1,9 @@
 # OVH API credentials used by Certbot
-# Name referenced in OVH: rasp.netoik.io
-dns_ovh_endpoint = $DNS_OVH_ENDPOINT
-dns_ovh_application_key = $DNS_OVH_APPLICATION_KEY
-dns_ovh_application_secret = $DNS_OVH_APPLICATION_SECRET
-dns_ovh_consumer_key = $DNS_OVH_CONSUMER_KEY
+# To generate a new token, go to: https://www.ovh.com/auth/api/createToken
+
+dns_ovh_endpoint = "$OVH_ENDPOINT"
+dns_ovh_application_name = "$OVH_APPLICATION_NAME"
+dns_ovh_application_description = "$OVH_APPLICATION_DESCRIPTION"
+dns_ovh_application_key = "$OVH_APPLICATION_KEY"
+dns_ovh_application_secret = "$OVH_APPLICATION_SECRET"
+dns_ovh_consumer_key = "$OVH_CONSUMER_KEY"

netoik-rp.spec

@@ -22,28 +22,41 @@ Install the reverse proxy called nginx with a predefined configuration and with
 %make_install
 
 %post
+# After install
 if [ $1 == 1 ]; then
   # Replace secrets in ovh.ini
-  %{_bindir}/env envsubst < %{_sysconfdir}/%{name}/ovh.ini > %{_sysconfdir}/%{name}/ovh.ini.tmp
-  %{_bindir}/env mv %{_sysconfdir}/%{name}/ovh.ini.tmp %{_sysconfdir}/%{name}/ovh.ini
-  
+  %{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.swp
+  %{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.swp %{_sysconfdir}/certbot/ovh.ini
+  %{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini
+
   # Create virutal env with certbot cli
   %{_bindir}/env python3 -m venv /opt/certbot
-  /opt/certbot/bin/pip install --upgrade pip certbot certbot-dns-ovh
-	%{_bindir}/env ln --symbolic --target-directory %{_sbindir} /opt/certbot/bin/certbot
-  %{_bindir}/env certbot certonly --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/%{name}/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
+  /opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
+	%{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
+  %{_bindir}/env certbot certonly --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
   %{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab
+
+  # Stop nginx to be sure changes are taken in account
+  %{_bindir}/env systemctl stop nginx
+fi
+%{_bindir}/env systemctl enable nginx
+%{_bindir}/env systemctl start nginx
+
+%postun
+# After uninstall
+if [ $1 == 0 ]; then
+  %{_bindir}/env rm --recursive --force /opt/certbot
+  %{_bindir}/env rm --recursive --force %{_sysconfdir}/certbot
+  %{_bindir}/env rm --recursive --force %{_sysconfdir}/letsencrypt
 fi
-%{_bindir}/env systemctl disable nginx
-%{_bindir}/env systemctl stop nginx
-%{_bindir}/env systemctl enable %{name}
-%{_bindir}/env systemctl start %{name}
 
 %files
-%attr(755, root, root) %dir %{_sysconfdir}/%{name}
-%attr(600, root, root) %config %{_sysconfdir}/%{name}/ovh.ini
-%attr(644, root, root) %config %{_sysconfdir}/%{name}/netoik-rp.conf
-%attr(644, root, root) %config %{_unitdir}/%{name}.service
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/_security.conf
+%attr(755, root, root) %dir %{_sysconfdir}/certbot
+%attr(600, root, root) %config %{_sysconfdir}/certbot/ovh.ini
+%ghost %attr(755, root, root) %dir /opt/certbot
+%ghost %attr(755, root, root) %{_sbindir}/certbot
+%ghost %attr(755, root, root) %dir %{_sysconfdir}/letsencrypt
 
 %changelog
 %autochangelog

services/netoik-rp.service

@@ -1,14 +0,0 @@
-[Service]
-Type=forking
-PIDFile=/run/netoik-rp.pid
-ExecStartPre=/usr/bin/env rm -f /run/netoik-rp.pid
-ExecStartPre=/usr/bin/env nginx -t -c /etc/netoik-rp/netoik-rp.conf
-ExecStart=/usr/bin/env nginx -c /etc/netoik-rp/netoik-rp.conf
-ExecReload=/usr/bin/env nginx -s reload -c /etc/netoik-rp/netoik-rp.conf
-KillSignal=SIGQUIT
-TimeoutStopSec=5
-KillMode=mixed
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target