improve nginx security

2022-05-28 19:07:15 +02:00 · 2022-05-28 19:07:15 +02:00 · ca1aa3dc5e
commit ca1aa3dc5e
parent b7d81dc75e
6 changed files with 29 additions and 15 deletions
--- a/host_vars/nextcloud.yaml
+++ b/host_vars/nextcloud.yaml
@ -1,3 +1,7 @@
 ---
 ansible_host: nextcloud.intra.tormakris.dev
+webserver:
+  - domain: "nextcloud.tormakristof.eu"
+    port: 8080
+    bigrequests: true
 ...
--- a/host_vars/nexus.yaml
+++ b/host_vars/nexus.yaml
@ -3,6 +3,8 @@ ansible_host: nexus.intra.tormakris.dev
 webserver:
  - domain: "nexus.kmlabz.com"
    port: 8080
+    bigrequests: true
  - domain: "registry.kmlabz.com"
    port: 4269
+    bigrequests: true
 ...
--- a/roles/webgateway/templates/nginx.conf
+++ b/roles/webgateway/templates/nginx.conf
@ -47,7 +47,6 @@ http {
 		proxy_set_header    Connection $http_connection;
        proxy_set_header    X-Forwarded-Proto https;
        proxy_ssl_server_name on;
-        client_max_body_size    8G;
        client_body_buffer_size 128k;
        proxy_connect_timeout   90;
        proxy_send_timeout 120;
@ -57,6 +56,7 @@ http {
        proxy_busy_buffers_size    256k;
        proxy_buffering    off;
        proxy_request_buffering off;
+        server_tokens off;

        server {

@ -74,6 +74,11 @@ http {
            proxy_ssl_name {{ proxysite.domain}};
            ssl_certificate /etc/letsencrypt/live/{{ proxysite.domain }}/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/{{ proxysite.domain }}/privkey.pem;
+            ssl_stapling on;
+            ssl_stapling_verify on;
+            {%- if proxysite.bigrequests %}
+            client_max_body_size    8G;
+            {%- endif %}
            location /{
                proxy_pass  https://{{ proxysite.ip }};
                proxy_ssl_verify    off;
--- a/roles/webgateway/vars/main.yaml
+++ b/roles/webgateway/vars/main.yaml
@ -1,17 +1,16 @@
 proxy:
-  - {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev}
-  - {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev}
-  - {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev}
-  - {domain: git.kmlabz.com, ip: git.intra.tormakris.dev}
-  - {domain: guacamole.tormakristof.eu, ip: guacamole.intra.tormakris.dev}
-  - {domain: matrix.tormakristof.eu, ip: matrix.intra.tormakris.dev}
-  - {domain: chat.tormakristof.eu, ip: matrix.intra.tormakris.dev}
-  - {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev}
-  - {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev}
-  - {domain: swagger.kmlabz.com, ip: swagger.intra.tormakris.dev}
-  - {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev}
-  - {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev}
-  - {domain: certauth.fs.tormakris.dev, ip: adfs.intra.tormakris.dev}
+  - {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev, bigrequests: false}
+  - {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev, bigrequests: true}
+  - {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev, bigrequests: false}
+  - {domain: git.kmlabz.com, ip: git.intra.tormakris.dev, bigrequests: false}
+  - {domain: guacamole.tormakristof.eu, ip: guacamole.intra.tormakris.dev, bigrequests: false}
+  - {domain: matrix.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: false}
+  - {domain: chat.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: false}
+  - {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true}
+  - {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true}
+  - {domain: swagger.kmlabz.com, ip: swagger.intra.tormakris.dev, bigrequests: false}
+  - {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
+  - {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}

 static:
  []
--- a/roles/webserver/defaults/main.yaml
+++ b/roles/webserver/defaults/main.yaml
@ -1,4 +1,5 @@
 webserver:
  - domain: "_"
    port: 8080
+    bigrequests: false
 ...
--- a/roles/webserver/templates/nginx.conf
+++ b/roles/webserver/templates/nginx.conf
@ -43,7 +43,6 @@ http {
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
 	    proxy_set_header    Upgrade $http_upgrade;
 	    proxy_set_header    Connection $http_connection;
-        client_max_body_size    8G;
        client_body_buffer_size 128k;
        proxy_connect_timeout   90;
        proxy_send_timeout 120;
@ -53,6 +52,7 @@ http {
        proxy_busy_buffers_size    256k;
        proxy_buffering    off;
        proxy_request_buffering off;
+        server_tokens off;

        server {

@ -69,6 +69,9 @@ http {
            server_name {{ server.domain }};
            ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
            ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+            {%- if server.bigrequests %}
+            client_max_body_size    8G;
+            {%- endif %}
            location /{
                proxy_pass  http://127.0.0.1:{{ server.port }};
            }