Compare commits
3 Commits
v0.1.33
...
33754a20fc
| Author | SHA1 | Date | |
|---|---|---|---|
| 33754a20fc | |||
| 9e8290b7df | |||
| 9f16b7e8db |
@@ -1,22 +1,29 @@
|
||||
# Configure secure access with letsencrypt
|
||||
ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_session_cache shared:SSL:1m;
|
||||
ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
|
||||
# Add some ssl settings from Mozilla
|
||||
# see: https://ssl-config.mozilla.org
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_ecdh_curve X25519:prime256v1:secp384r1;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver 127.0.0.1;
|
||||
|
||||
# Add some basic security headers from OWASP
|
||||
# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
|
||||
add_header X-Frame-Options "DENY" always;
|
||||
add_header X-XSS-Protection "0" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
|
||||
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
||||
add_header Cross-Origin-Resource-Policy "same-site" always;
|
||||
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
|
||||
add_header Server "webserver" always;
|
||||
add_header X-Robots-Tag "noindex, nofollow" always;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
|
||||
add_header X-Frame-Options "DENY" always;
|
||||
add_header X-XSS-Protection "0" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
|
||||
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
||||
add_header Cross-Origin-Resource-Policy "same-site" always;
|
||||
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
|
||||
add_header Server "webserver" always;
|
||||
add_header X-Robots-Tag "noindex, nofollow" always;
|
||||
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ URL: https://git.netoik.io/samuel/netoik-rp
|
||||
Source0: %{name}-%{version}.tar.gz
|
||||
Buildarch: noarch
|
||||
BuildRequires: make
|
||||
Requires: nginx,python3,python-devel,augeas-devel,gcc
|
||||
Requires: nginx python3 python-devel augeas-devel gcc openssl
|
||||
|
||||
%description
|
||||
Install the reverse proxy called nginx with a predefined configuration and with TLS certificates attached to netoik.io
|
||||
@@ -29,13 +29,20 @@ if [ $1 == 1 ]; then
|
||||
%{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.swp %{_sysconfdir}/certbot/ovh.ini
|
||||
%{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini
|
||||
|
||||
# Create virutal env with certbot cli
|
||||
# Create virutal env with certbot
|
||||
%{_bindir}/env python3 -m venv /opt/certbot
|
||||
/opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
|
||||
%{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
|
||||
%{_bindir}/env certbot certonly --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
|
||||
|
||||
# Create certificate with certbot
|
||||
%{_bindir}/env certbot certonly --non-interactive --agree-tos --email "samuel.campos@netoik.io" --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
|
||||
|
||||
# Add crontab rule for automatic renew
|
||||
%{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab
|
||||
|
||||
# Create ssl dh params
|
||||
%{_bindir}/env openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem 2048
|
||||
|
||||
# Stop nginx to be sure changes are taken in account
|
||||
%{_bindir}/env systemctl stop nginx
|
||||
fi
|
||||
@@ -57,6 +64,7 @@ fi
|
||||
%ghost %attr(755, root, root) %dir /opt/certbot
|
||||
%ghost %attr(755, root, root) %{_sbindir}/certbot
|
||||
%ghost %attr(755, root, root) %dir %{_sysconfdir}/letsencrypt
|
||||
%ghost %attr(755, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
|
||||
|
||||
%changelog
|
||||
%autochangelog
|
||||
|
||||
Reference in New Issue
Block a user