Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Harden nginx https #7

Merged
merged 6 commits into from
Sep 4, 2024
Merged

Harden nginx https #7

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
2be99ba
feat: harden nginx relay configuration
jchiarulli Aug 23, 2024
1d8dd79
chore: update nginx_https.go config format
jchiarulli Aug 26, 2024
86f1211
fix: update nginx config to work with debian apt version
jchiarulli Sep 2, 2024
4e97018
fix: add dirName argument
jchiarulli Sep 2, 2024
8e5bb4d
feat: add ssl trusted certificate
jchiarulli Sep 3, 2024
f81f508
chore: format nginx https file
jchiarulli Sep 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
75 changes: 61 additions & 14 deletions pkg/network/nginx_https.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,12 +30,17 @@ upstream websocket {
}

server {
listen 443 ssl;
listen [::]:443 ssl;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name %s;

root /var/www/%s;

location / {
proxy_pass http://websocket;
# First attempt to serve request as file, then
# as directory, then fall back to displaying 404.
try_files $uri $uri/ =404;
proxy_pass http://websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
Expand All @@ -44,24 +49,66 @@ server {
}

#### SSL Configuration ####
# Test configuration:
# https://www.ssllabs.com/ssltest/analyze.html
# https://cryptcheck.fr/
ssl_certificate /etc/letsencrypt/live/%s/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/%s/privkey.pem;
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/%s/chain.pem;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
# Only return Nginx in server header
server_tokens off;

# TODO
# Add support to generate the file in the script
#ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_protocols TLSv1.2 TLSv1.3;

# For more information on the security of different cipher suites, you can refer to the following link:
# https://ciphersuite.info/
# Compilation of the top cipher suites 2024:
# https://ssl-config.mozilla.org/#server=nginx
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";

# Perfect Forward Secrecy (PFS) is frequently compromised without this
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

ssl_session_tickets off;

# Enable SSL session caching for improved performance
# Try setting ssl_session_timeout to 1d if performance is bad
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;

# By default, the buffer size is 16k, which corresponds to minimal overhead when sending big responses.
# To minimize Time To First Byte it may be beneficial to use smaller values
ssl_buffer_size 8k;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_ecdh_curve secp384r1;

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
# Security headers
# Test configuration:
# https://securityheaders.com/
# https://observatory.mozilla.org/
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy same-origin;
add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";

# Avoid MIME type sniffing
add_header X-Content-Type-Options nosniff always;

add_header Referrer-Policy "no-referrer" always;

add_header X-XSS-Protection 0 always;

add_header Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()" always;

# Content-Security-Policy (CSP)
add_header Content-Security-Policy "base-uri 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests;" always;
}

server {
Expand All @@ -78,7 +125,7 @@ server {
return 301 https://%s$request_uri;
}
}
`, domainName, domainName, domainName, domainName, dirName, domainName)
`, domainName, dirName, domainName, domainName, domainName, domainName, dirName, domainName)

err = os.WriteFile("/etc/nginx/conf.d/nostr_relay.conf", []byte(configContent), 0644)
if err != nil {
Expand Down
Loading