nc_checks #5

Merged
stillbeben merged 4 commits from nc_checks into main 2022-03-05 17:35:55 +00:00
5 changed files with 98 additions and 66 deletions

View file

@ -3,3 +3,4 @@ BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges" WELLKNOWN="${BASEDIR}/acme-challenges"
DOMAINS_TXT="/etc/dehydrated/domains.txt" DOMAINS_TXT="/etc/dehydrated/domains.txt"
HOOK="/etc/dehydrated/hook.sh" HOOK="/etc/dehydrated/hook.sh"
KEY_ALGO=rsa

View file

@ -0,0 +1,18 @@
fastcgi_split_path_info ^(.+\.php)(/.+)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_AUTHORIZATION $http_authorization;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
client_body_buffer_size 128k;
Review

Warum packen wir das in ne eigene Datei und nicht in die fastcgi.conf dazu? Wird doch eh immer gemeinsam gebraucht, oder?

Warum packen wir das in ne eigene Datei und nicht in die fastcgi.conf dazu? Wird doch eh immer gemeinsam gebraucht, oder?

View file

@ -50,6 +50,11 @@ files = {
'svc_systemd:nginx:restart', 'svc_systemd:nginx:restart',
}, },
}, },
'/etc/nginx/fpm.conf': {
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites/stub_status': { '/etc/nginx/sites/stub_status': {
'triggers': { 'triggers': {
'svc_systemd:nginx:restart', 'svc_systemd:nginx:restart',

View file

@ -12,6 +12,8 @@ ignore_user_abort = Off
zend.enable_gc = On zend.enable_gc = On
expose_php = Off expose_php = Off
apc.enable_cli = 1
max_execution_time = 30 max_execution_time = 30
max_input_time = 60 max_input_time = 60
memory_limit = ${memory_limit}M memory_limit = ${memory_limit}M

View file

@ -14,92 +14,98 @@
# always provides the desired behaviour. # always provides the desired behaviour.
index index.php index.html /index.php$request_uri; index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt { location = /robots.txt {
allow all; allow all;
log_not_found off; log_not_found off;
access_log off; access_log off;
} }
# Make a regex exception for `/.well-known` so that clients can still location ~ ^.+\.php {
Review

Wenn wir das hier machen, müssen wir in der vhost-config das 'php': True rausnehmen, sonst haben wir zwei PHP-Blöcke.

Wenn wir das hier machen, müssen wir in der vhost-config das `'php': True` rausnehmen, sonst haben wir zwei PHP-Blöcke.
# access it despite the existence of the regex rule include fpm.conf;
# `location ~ /(\.|autotest|...)` which would otherwise handle requests fastcgi_pass unix:/var/run/php/php${php_version}-fpm.sock;
# for `/.well-known`. add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
Review

Kommt schon aus der normalen nginx-Config, kann also hier raus.

Kommt schon aus der normalen nginx-Config, kann also hier raus.
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location ^~ /.well-known { location ^~ /.well-known {
# The rules in this block are an adaptation of the rules # The following 6 rules are borrowed from `.htaccess`
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 /remote.php/dav/; }
# Anything else is dynamically handled by Nextcloud
location ^~ /.well-known { return 301 /index.php$uri; }
location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; } try_files $uri $uri/ =404;
location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
} }
# Rules borrowed from `.htaccess` to hide certain paths from clients # Some headers to fix possible information leaks
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } add_header X-Content-Type-Options nosniff;
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
Review

Referrer-Policy, X-Frame-Options, X-Content-Type-Options und X-XSS-Protection stehen in der Standard-nginx-Config schon drin. X-Powered-By wird über die PHP-Config schon unterdrückt.

Referrer-Policy, X-Frame-Options, X-Content-Type-Options und X-XSS-Protection stehen in der Standard-nginx-Config schon drin. X-Powered-By wird über die PHP-Config schon unterdrückt.
# Ensure this block, which passes PHP files to the PHP process, is above the blocks location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
# which handle static assets (as seen below). If this block is not declared first, deny all;
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` }
# to the URI, resulting in a HTTP 500 error response. location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
location ~ \.php(?:$|/) { deny all;
# Required for legacy support }
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi.conf;
fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
Review

Das ist die fastcgi.conf in diesem Repo.

Das ist die fastcgi.conf in diesem Repo.
include fpm.conf;
fastcgi_pass unix:/var/run/php/php${php_version}-fpm.sock;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
Review

Siehe weiter oben, ist default.

Siehe weiter oben, ist default.
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
fastcgi_request_buffering off; fastcgi_request_buffering off;
} }
location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite)$ { location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri /index.php$request_uri; try_files $uri/ =404;
expires 6M; # Cache-Control policy borrowed from `.htaccess` index index.php;
access_log off; # Optional: Don't log access to assets
location ~ \.wasm$ {
default_type application/wasm;
}
} }
location ~ \.woff2?$ { # Adding the cache control header for js and css files
try_files $uri /index.php$request_uri; # Make sure it is BELOW the PHP block
expires 7d; # Cache-Control policy borrowed from `.htaccess` location ~ \.(?:css|js|woff|svg|gif)$ {
access_log off; # Optional: Don't log access to assets try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
Review

Siehe oben, einiges default.

Siehe oben, einiges default.
# Optional: Don't log access to assets
access_log off;
} }
# Rule borrowed from `.htaccess` location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
location /remote { try_files $uri /index.php$uri$is_args$args;
return 301 /remote.php$request_uri; # Optional: Don't log access to other assets
} access_log off;
Review

Bitte access_log aktiviert lassen. Wir speichern eh nur anonymisiertes timing-log, und da sind dann alle Requests relevant. Betrifft auch die anderen location-blöcke obendrüber.

Bitte access_log aktiviert lassen. Wir speichern eh nur anonymisiertes timing-log, und da sind dann alle Requests relevant. Betrifft auch die anderen location-blöcke obendrüber.
location / {
try_files $uri $uri/ /index.php$request_uri;
} }