nc_checks #5

Merged
stillbeben merged 4 commits from nc_checks into main 2022-03-05 17:35:55 +00:00
5 changed files with 98 additions and 66 deletions


@ -3,3 +3,4 @@ BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges"
DOMAINS_TXT="/etc/dehydrated/domains.txt"
HOOK="/etc/dehydrated/hook.sh"
KEY_ALGO=rsa
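Review bot: `KEY_ALGO=rsa` is added without a word on why RSA is preferred over the ECDSA curves dehydrated also offers (as far as I recall its shipped example config defaults to `secp384r1` in recent releases), so a later maintainer cannot tell whether this is a deliberate compatibility choice or a leftover. A one-line comment such as `# rsa: ECDSA certs break <client>; revisit when that client is gone` would settle it. With RSA selected the key length is left to dehydrated's implicit `KEYSIZE` default, so consider pinning it explicitly (`KEYSIZE="4096"`) next to this line so the policy is visible in the config rather than inherited.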


@ -0,0 +1,18 @@
fastcgi_split_path_info ^(.+\.php)(/.+)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_AUTHORIZATION $http_authorization;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
client_body_buffer_size 128k;
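Review bot: The `if (!-f $document_root$fastcgi_script_name) { return 404; }` guard right after `fastcgi_split_path_info` is the line that stops the classic `cgi.fix_pathinfo` trick (`/uploads/x.jpg/foo.php` being executed as PHP), but nothing says so, and the next person to tidy this snippet may well remove an `if` inside a location as "if is evil". Please document it, e.g. `# Only hand the request to PHP-FPM if the script part really exists on disk; without this, PATH_INFO tricks can get non-PHP uploads executed via cgi.fix_pathinfo.` The nginx-idiomatic equivalent is `try_files $fastcgi_script_name =404;`, which avoids the `if` entirely and is worth considering here. Note that `fastcgi_param HTTP_AUTHORIZATION $http_authorization;` duplicates what nginx already forwards for every request header, so it can be dropped or commented as intentional.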

Warum packen wir das in ne eigene Datei und nicht in die fastcgi.conf dazu? Wird doch eh immer gemeinsam gebraucht, oder?

Warum packen wir das in ne eigene Datei und nicht in die fastcgi.conf dazu? Wird doch eh immer gemeinsam gebraucht, oder?


@ -50,6 +50,11 @@ files = {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/fpm.conf': {
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites/stub_status': {
'triggers': {
'svc_systemd:nginx:restart',


@ -12,6 +12,8 @@ ignore_user_abort = Off
zend.enable_gc = On
expose_php = Off
apc.enable_cli = 1
max_execution_time = 30
max_input_time = 60
memory_limit = ${memory_limit}M
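Review bot: `max_execution_time = 30` and `max_input_time = 60` are hard-coded in a template that already parameterises `memory_limit`, and if this php.ini serves the Nextcloud host the rest of the PR configures, these values are on the low side: Nextcloud's documentation on uploading big files recommends raising both considerably (it cites 3600 s) so that large web-client uploads are not cut off mid-request. Either make them template variables alongside `${memory_limit}` or add a comment stating that the PHP defaults are intentionally kept for this host. The values themselves match what php.ini-production ships, so the change is harmless as long as that is the intent.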


@ -14,92 +14,98 @@
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ~ ^.+\.php {

Wenn wir das hier machen, müssen wir in der vhost-config das 'php': True rausnehmen, sonst haben wir zwei PHP-Blöcke.

Wenn wir das hier machen, müssen wir in der vhost-config das `'php': True` rausnehmen, sonst haben wir zwei PHP-Blöcke.
include fpm.conf;
fastcgi_pass unix:/var/run/php/php${php_version}-fpm.sock;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

Kommt schon aus der normalen nginx-Config, kann also hier raus.

Kommt schon aus der normalen nginx-Config, kann also hier raus.
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
# The following 6 rules are borrowed from `.htaccess`
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
# Anything else is dynamically handled by Nextcloud
location ^~ /.well-known { return 301 /index.php$uri; }
location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
try_files $uri $uri/ =404;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Some headers to fix possible information leaks
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

Referrer-Policy, X-Frame-Options, X-Content-Type-Options und X-XSS-Protection stehen in der Standard-nginx-Config schon drin. X-Powered-By wird über die PHP-Config schon unterdrückt.

Referrer-Policy, X-Frame-Options, X-Content-Type-Options und X-XSS-Protection stehen in der Standard-nginx-Config schon drin. X-Powered-By wird über die PHP-Config schon unterdrückt.
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi.conf;
fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;

Das ist die fastcgi.conf in diesem Repo.

Das ist die fastcgi.conf in diesem Repo.
include fpm.conf;
fastcgi_pass unix:/var/run/php/php${php_version}-fpm.sock;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

Siehe weiter oben, ist default.

Siehe weiter oben, ist default.
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
location ~ \.wasm$ {
default_type application/wasm;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff|svg|gif)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;

Siehe oben, einiges default.

Siehe oben, einiges default.
# Optional: Don't log access to assets
access_log off;
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;

Bitte access_log aktiviert lassen. Wir speichern eh nur anonymisiertes timing-log, und da sind dann alle Requests relevant. Betrifft auch die anderen location-blöcke obendrüber.

Bitte access_log aktiviert lassen. Wir speichern eh nur anonymisiertes timing-log, und da sind dann alle Requests relevant. Betrifft auch die anderen location-blöcke obendrüber.
}
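Review bot: `location ~ ^.+\.php {` near the top of the hunk (the block that includes the new `fpm.conf`, so presumably on the new side) matches every URI containing `.php`, and because nginx evaluates regex locations in order of appearance and stops at the first match, it shadows both `deny all` blocks for `build|tests|config|lib|3rdparty|templates|data` and `\.|autotest|occ|issue|indie|db_|console` as well as the whitelisted `location ~ ^/(?:index|remote|public|cron|...)\.php(?:$|/)` further down, which becomes unreachable. If the Nextcloud data directory lives under the webroot (its default layout), a request like `/data/<user>/files/evil.php` would then be handed to PHP-FPM rather than denied, and fpm.conf's `-f` check does not help because the uploaded file really exists. Either drop the catch-all block and keep only the whitelisted PHP block, or move both `deny all` locations above it and add a comment that their position before any `.php` location is load-bearing. The old and new sides are hard to separate in this rendering and the enclosing server block starts above the hunk, so please verify which PHP block actually survives on the new side.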