Merge pull request #7 from nodetec/harden-nginx-https

jchiarulli · web-flow · commit ce8044970a3e · 2024-09-03T21:19:24.000-04:00
Harden nginx https
diff --git a/pkg/network/nginx_https.go b/pkg/network/nginx_https.go
@@ -30,12 +30,17 @@ upstream websocket {
 }
 
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name %s;
 
+    root /var/www/%s;
+
     location / {
-        proxy_pass http://websocket;
+	# First attempt to serve request as file, then
+ 	# as directory, then fall back to displaying 404.
+  	try_files $uri $uri/ =404;
+   	proxy_pass http://websocket;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
@@ -44,24 +49,66 @@ server {
     }
 
     #### SSL Configuration ####
+    # Test configuration:
+    # https://www.ssllabs.com/ssltest/analyze.html
+    # https://cryptcheck.fr/
     ssl_certificate /etc/letsencrypt/live/%s/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/%s/privkey.pem;
+    # Verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/%s/chain.pem;
 
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+    # Only return Nginx in server header
+    server_tokens off;
+
+    # TODO
+    # Add support to generate the file in the script
+    #ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+
+    # For more information on the security of different cipher suites, you can refer to the following link:
+    # https://ciphersuite.info/
+    # Compilation of the top cipher suites 2024:
+    # https://ssl-config.mozilla.org/#server=nginx
+    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
+    
+    # Perfect Forward Secrecy (PFS) is frequently compromised without this
     ssl_prefer_server_ciphers on;
-    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+
+    ssl_session_tickets off;
+
+    # Enable SSL session caching for improved performance
+    # Try setting ssl_session_timeout to 1d if performance is bad
+    ssl_session_timeout 10m;
+    ssl_session_cache shared:SSL:10m;
+
+    # By default, the buffer size is 16k, which corresponds to minimal overhead when sending big responses.
+    # To minimize Time To First Byte it may be beneficial to use smaller values
+    ssl_buffer_size 8k;
+
+    # OCSP stapling
     ssl_stapling on;
     ssl_stapling_verify on;
-    ssl_ecdh_curve secp384r1;
 
-    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+    # Security headers
+    # Test configuration:
+    # https://securityheaders.com/
+    # https://observatory.mozilla.org/
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+
     add_header X-Frame-Options DENY;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-XSS-Protection "1; mode=block";
-    add_header Referrer-Policy same-origin;
-    add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
+
+    # Avoid MIME type sniffing
+    add_header X-Content-Type-Options nosniff always;
+
+    add_header Referrer-Policy "no-referrer" always;
+
+    add_header X-XSS-Protection 0 always;
+
+    add_header Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()" always;
+
+    # Content-Security-Policy (CSP)
+    add_header Content-Security-Policy "base-uri 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests;" always;
 }
 
 server {
@@ -78,7 +125,7 @@ server {
         return 301 https://%s$request_uri;
     }
 }
-`, domainName, domainName, domainName, domainName, dirName, domainName)
+`, domainName, dirName, domainName, domainName, domainName, domainName, dirName, domainName)
 
 	err = os.WriteFile("/etc/nginx/conf.d/nostr_relay.conf", []byte(configContent), 0644)
 	if err != nil {
