improve nginx security

This commit is contained in:
Torma Kristóf 2022-05-28 19:07:15 +02:00
parent b7d81dc75e
commit ca1aa3dc5e
6 changed files with 29 additions and 15 deletions


@ -1,3 +1,7 @@
---
ansible_host: nextcloud.intra.tormakris.dev
webserver:
- domain: "nextcloud.tormakristof.eu"
port: 8080
bigrequests: true
...


@ -3,6 +3,8 @@ ansible_host: nexus.intra.tormakris.dev
webserver:
- domain: "nexus.kmlabz.com"
port: 8080
bigrequests: true
- domain: "registry.kmlabz.com"
port: 4269
bigrequests: true
...


@ -47,7 +47,6 @@ http {
proxy_set_header Connection $http_connection;
proxy_set_header X-Forwarded-Proto https;
proxy_ssl_server_name on;
client_max_body_size 8G;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 120;
@ -57,6 +56,7 @@ http {
proxy_busy_buffers_size 256k;
proxy_buffering off;
proxy_request_buffering off;
server_tokens off;
server {
@ -74,6 +74,11 @@ http {
proxy_ssl_name {{ proxysite.domain}};
ssl_certificate /etc/letsencrypt/live/{{ proxysite.domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ proxysite.domain }}/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
{%- if proxysite.bigrequests %}
client_max_body_size 8G;
{%- endif %}
location /{
proxy_pass https://{{ proxysite.ip }};
proxy_ssl_verify off;
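Review bot: `ssl_stapling_verify on;` on the new line only has an effect when nginx can fetch and validate the OCSP response, which needs a `resolver` directive in scope and the issuer chain made trusted with `ssl_trusted_certificate` (for this certbot layout `/etc/letsencrypt/live/{{ proxysite.domain }}/chain.pem`); neither is visible in this hunk, and if they are not set elsewhere in the `http` block nginx logs the failure and simply serves no staple, so the directive silently does nothing. The new `{%- if proxysite.bigrequests %}` test also makes `bigrequests` a mandatory key for every entry of the proxy list; `{%- if proxysite.bigrequests | default(false) %}` keeps nginx's default limit for entries that omit it instead of failing the render, and the same applies to the identical conditional added to the second nginx template in this commit (the one using the snakeoil certificate). Because `{%-` strips the whitespace before the tag, the rendered `client_max_body_size 8G;` appears to land on the same line as `ssl_stapling_verify on;` with Ansible's default block trimming — valid nginx, but a plain `{% if ... %}` would give readable output. The `server` block continues outside the hunk.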


@ -1,17 +1,16 @@
proxy:
- {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev}
- {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev}
- {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev}
- {domain: git.kmlabz.com, ip: git.intra.tormakris.dev}
- {domain: guacamole.tormakristof.eu, ip: guacamole.intra.tormakris.dev}
- {domain: matrix.tormakristof.eu, ip: matrix.intra.tormakris.dev}
- {domain: chat.tormakristof.eu, ip: matrix.intra.tormakris.dev}
- {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev}
- {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev}
- {domain: swagger.kmlabz.com, ip: swagger.intra.tormakris.dev}
- {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev}
- {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev}
- {domain: certauth.fs.tormakris.dev, ip: adfs.intra.tormakris.dev}
- {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev, bigrequests: false}
- {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev, bigrequests: true}
- {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev, bigrequests: false}
- {domain: git.kmlabz.com, ip: git.intra.tormakris.dev, bigrequests: false}
- {domain: guacamole.tormakristof.eu, ip: guacamole.intra.tormakris.dev, bigrequests: false}
- {domain: matrix.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: false}
- {domain: chat.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: false}
- {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true}
- {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true}
- {domain: swagger.kmlabz.com, ip: swagger.intra.tormakris.dev, bigrequests: false}
- {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
- {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
static:
[]
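Review bot: The old entry `- {domain: certauth.fs.tormakris.dev, ip: adfs.intra.tormakris.dev}` has no counterpart carrying a `bigrequests` key in the new list, so this commit appears to also remove that vhost, which the title "improve nginx security" does not mention. If the removal is intended it deserves a sentence in the commit message, since the proxy config for that name disappears with it; if not, the entry needs re-adding as `- {domain: certauth.fs.tormakris.dev, ip: adfs.intra.tormakris.dev, bigrequests: false}`. The flow-mapping style also hides that every line gained a new key; a block-style list would show the change per field and make future per-entry edits diff cleanly.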


@ -1,4 +1,5 @@
webserver:
- domain: "_"
port: 8080
bigrequests: false
...


@ -43,7 +43,6 @@ http {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
client_max_body_size 8G;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 120;
@ -53,6 +52,7 @@ http {
proxy_busy_buffers_size 256k;
proxy_buffering off;
proxy_request_buffering off;
server_tokens off;
server {
@ -69,6 +69,9 @@ http {
server_name {{ server.domain }};
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
{%- if server.bigrequests %}
client_max_body_size 8G;
{%- endif %}
location /{
proxy_pass http://127.0.0.1:{{ server.port }};
}