From ca1aa3dc5e59e8fd0356141a3e61b518b7aa6b70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torma=20Krist=C3=B3f?= Date: Sat, 28 May 2022 19:07:15 +0200 Subject: [PATCH] improve nginx security --- host_vars/nextcloud.yaml | 4 ++++ host_vars/nexus.yaml | 2 ++ roles/webgateway/templates/nginx.conf | 7 ++++++- roles/webgateway/vars/main.yaml | 25 ++++++++++++------------- roles/webserver/defaults/main.yaml | 1 + roles/webserver/templates/nginx.conf | 5 ++++- 6 files changed, 29 insertions(+), 15 deletions(-) diff --git a/host_vars/nextcloud.yaml b/host_vars/nextcloud.yaml index 7088a1d..a31ef20 100644 --- a/host_vars/nextcloud.yaml +++ b/host_vars/nextcloud.yaml @@ -1,3 +1,7 @@ --- ansible_host: nextcloud.intra.tormakris.dev +webserver: + - domain: "nextcloud.tormakristof.eu" + port: 8080 + bigrequests: true ... diff --git a/host_vars/nexus.yaml b/host_vars/nexus.yaml index 1cf41ae..81943e2 100644 --- a/host_vars/nexus.yaml +++ b/host_vars/nexus.yaml @@ -3,6 +3,8 @@ ansible_host: nexus.intra.tormakris.dev webserver: - domain: "nexus.kmlabz.com" port: 8080 + bigrequests: true - domain: "registry.kmlabz.com" port: 4269 + bigrequests: true ... diff --git a/roles/webgateway/templates/nginx.conf b/roles/webgateway/templates/nginx.conf index ca58453..b4e2abd 100644 --- a/roles/webgateway/templates/nginx.conf +++ b/roles/webgateway/templates/nginx.conf @@ -47,7 +47,6 @@ http { proxy_set_header Connection $http_connection; proxy_set_header X-Forwarded-Proto https; proxy_ssl_server_name on; - client_max_body_size 8G; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 120; @@ -57,6 +56,7 @@ http { proxy_busy_buffers_size 256k; proxy_buffering off; proxy_request_buffering off; + server_tokens off; server { 
@@ -74,6 +74,11 @@ http {
 proxy_ssl_name {{ proxysite.domain}};
 ssl_certificate /etc/letsencrypt/live/{{ proxysite.domain }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ proxysite.domain }}/privkey.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ {%- if proxysite.bigrequests %}
+ client_max_body_size 8G;
+ {%- endif %}
 location /{
 proxy_pass https://{{ proxysite.ip }};
 proxy_ssl_verify off;
diff --git a/roles/webgateway/vars/main.yaml b/roles/webgateway/vars/main.yaml
index 19ddabe..2c25783 100644
--- a/roles/webgateway/vars/main.yaml
+++ b/roles/webgateway/vars/main.yaml
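Review bot: `ssl_stapling_verify on;` only works when nginx has an `ssl_trusted_certificate` holding the issuer chain and a `resolver` it can use to reach the OCSP responder; neither is added in this hunk, and unless both are already set at the http level elsewhere in the template, nginx logs OCSP errors at runtime and sends no stapled response, so the new directives silently change nothing. Add beside the stapling lines `ssl_trusted_certificate /etc/letsencrypt/live/{{ proxysite.domain }}/chain.pem;` and, once at http level, `resolver <INTERNAL_RESOLVER_IP> valid=300s;` (placeholder address, fill in the site's own resolver). The enclosing `server` block starts before this hunk.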
@@ -1,17 +1,16 @@ proxy: - - {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev} - - {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev} - - {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev} - - {domain: git.kmlabz.com, ip: git.intra.tormakris.dev} - - {domain: guacamole.tormakristof.eu, ip: guacamole.intra.tormakris.dev} - - {domain: matrix.tormakristof.eu, ip: matrix.intra.tormakris.dev} - - {domain: chat.tormakristof.eu, ip: matrix.intra.tormakris.dev} - - {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev} - - {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev} - - {domain: swagger.kmlabz.com, ip: swagger.intra.tormakris.dev} - - {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev} - - {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev} - - {domain: certauth.fs.tormakris.dev, ip: adfs.intra.tormakris.dev} + - {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev, bigrequests: false} + - {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev, bigrequests: true} + - {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev, bigrequests: false} + - {domain: git.kmlabz.com, ip: git.intra.tormakris.dev, bigrequests: false} + - {domain: guacamole.tormakristof.eu, ip: guacamole.intra.tormakris.dev, bigrequests: false} + - {domain: matrix.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: false} + - {domain: chat.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: false} + - {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true} + - {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true} + - {domain: swagger.kmlabz.com, ip: swagger.intra.tormakris.dev, bigrequests: false} + - {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false} + - {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false} static: [] 
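Review bot: The rewritten `proxy` list drops the `certauth.fs.tormakris.dev` entry (thirteen lines removed, twelve added) while the subject line only speaks of nginx security; if that vhost is intentionally retired, say so in the commit message, otherwise re-add it as `- {domain: certauth.fs.tormakris.dev, ip: adfs.intra.tormakris.dev, bigrequests: false}`. As a point of style, each entry now carries three keys and the per-line flow mappings are getting long; block mappings (`- domain: …` / `ip: …` / `bigrequests: …`) would diff more cleanly and match the shape already used by the `webserver` lists in `host_vars/nexus.yaml`.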
diff --git a/roles/webserver/defaults/main.yaml b/roles/webserver/defaults/main.yaml index 4099df9..8c663ae 100644 --- a/roles/webserver/defaults/main.yaml +++ b/roles/webserver/defaults/main.yaml @@ -1,4 +1,5 @@ webserver: - domain: "_" port: 8080 + bigrequests: false ... diff --git a/roles/webserver/templates/nginx.conf b/roles/webserver/templates/nginx.conf index 1982984..ac52bc4 100644 --- a/roles/webserver/templates/nginx.conf +++ b/roles/webserver/templates/nginx.conf @@ -43,7 +43,6 @@ http { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; - client_max_body_size 8G; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 120; @@ -53,6 +52,7 @@ http { proxy_busy_buffers_size 256k; proxy_buffering off; proxy_request_buffering off; + server_tokens off; server { @@ -69,6 +69,9 @@ http { server_name {{ server.domain }}; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + {%- if server.bigrequests %} + client_max_body_size 8G; + {%- endif %} location /{ proxy_pass http://127.0.0.1:{{ server.port }}; }
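Review bot: `{%- if server.bigrequests %}` reads the key with no fallback, and because a host's `webserver` list in host_vars replaces the role default list as a whole rather than merging per entry, the `bigrequests: false` added in `roles/webserver/defaults/main.yaml` only covers the `_` catch-all entry; any host whose `webserver` entries were not updated alongside `nextcloud.yaml` and `nexus.yaml` would presumably fail template rendering with an undefined-variable error under Ansible's default undefined handling. Guard the lookup with `{%- if server.bigrequests | default(false) %}`, and apply the same to `proxysite.bigrequests` in the `roles/webgateway/templates/nginx.conf` hunk at `@@ -74`. The enclosing `server` block starts before this hunk.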