qzwi/bundlewrap
2
1
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

nc_checks #5

Merged
stillbeben merged 4 commits from nc_checks into main 2022-03-05 17:35:55 +00:00
Conversation 0 Commits 4 Files changed 5 +98 -66
5 changed files with 98 additions and 66 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
bundles/letsencrypt/files/config
View file

@ -3,3 +3,4 @@ BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges"
DOMAINS_TXT="/etc/dehydrated/domains.txt"
HOOK="/etc/dehydrated/hook.sh"
KEY_ALGO=rsa

18
bundles/nginx/files/fpm.conf Normal file
View file

@ -0,0 +1,18 @@
fastcgi_split_path_info ^(.+\.php)(/.+)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_AUTHORIZATION $http_authorization;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
client_body_buffer_size 128k;
kunsi commented 2022-03-05 17:48:53 +00:00
Review
Copy link

Warum packen wir das in ne eigene Datei und nicht in die fastcgi.conf dazu? Wird doch eh immer gemeinsam gebraucht, oder?

Warum packen wir das in ne eigene Datei und nicht in die fastcgi.conf dazu? Wird doch eh immer gemeinsam gebraucht, oder?

5
bundles/nginx/items.py
View file

@ -50,6 +50,11 @@ files = {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/fpm.conf': {
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites/stub_status': {
'triggers': {
'svc_systemd:nginx:restart',

2
bundles/php/files/8.0/php.ini
View file

@ -12,6 +12,8 @@ ignore_user_abort = Off
zend.enable_gc = On
expose_php = Off
apc.enable_cli = 1
max_execution_time = 30
max_input_time = 60
memory_limit = ${memory_limit}M

138
data/nginx/files/extras/qzwi/nextcloud
View file

@ -14,92 +14,98 @@
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
location ~ ^.+\.php {
kunsi commented 2022-03-05 17:41:56 +00:00
Review
Copy link

Wenn wir das hier machen, müssen wir in der vhost-config das 'php': True rausnehmen, sonst haben wir zwei PHP-Blöcke.

Wenn wir das hier machen, müssen wir in der vhost-config das `'php': True` rausnehmen, sonst haben wir zwei PHP-Blöcke.
include fpm.conf;
fastcgi_pass unix:/var/run/php/php${php_version}-fpm.sock;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
kunsi commented 2022-03-05 17:42:18 +00:00
Review
Copy link

Kommt schon aus der normalen nginx-Config, kann also hier raus.

Kommt schon aus der normalen nginx-Config, kann also hier raus.
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
location ^~ /.well-known {
# The following 6 rules are borrowed from `.htaccess`
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
# Anything else is dynamically handled by Nextcloud
location ^~ /.well-known { return 301 /index.php$uri; }
try_files $fastcgi_script_name =404;
try_files $uri $uri/ =404;
}
include fastcgi.conf;
fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
# Some headers to fix possible information leaks
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
kunsi commented 2022-03-05 17:44:46 +00:00
Review
Copy link

Referrer-Policy, X-Frame-Options, X-Content-Type-Options und X-XSS-Protection stehen in der Standard-nginx-Config schon drin. X-Powered-By wird über die PHP-Config schon unterdrückt.

Referrer-Policy, X-Frame-Options, X-Content-Type-Options und X-XSS-Protection stehen in der Standard-nginx-Config schon drin. X-Powered-By wird über die PHP-Config schon unterdrückt.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
kunsi commented 2022-03-05 17:45:22 +00:00
Review
Copy link

Das ist die fastcgi.conf in diesem Repo.

Das ist die fastcgi.conf in diesem Repo.
include fpm.conf;
fastcgi_pass unix:/var/run/php/php${php_version}-fpm.sock;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
kunsi commented 2022-03-05 17:45:45 +00:00
Review
Copy link

Siehe weiter oben, ist default.

Siehe weiter oben, ist default.
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
location ~ \.wasm$ {
default_type application/wasm;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff|svg|gif)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
kunsi commented 2022-03-05 17:46:19 +00:00
Review
Copy link

Siehe oben, einiges default.

Siehe oben, einiges default.
# Optional: Don't log access to assets
access_log off;
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
kunsi commented 2022-03-05 17:47:19 +00:00
Review
Copy link

Bitte access_log aktiviert lassen. Wir speichern eh nur anonymisiertes timing-log, und da sind dann alle Requests relevant. Betrifft auch die anderen location-blöcke obendrüber.

Bitte access_log aktiviert lassen. Wir speichern eh nur anonymisiertes timing-log, und da sind dann alle Requests relevant. Betrifft auch die anderen location-blöcke obendrüber.
}