diff --git a/roots/etc/nginx/conf.d/headers.conf b/roots/etc/nginx/conf.d/headers.conf
new file mode 100644
index 0000000..24c55d0
--- /dev/null
+++ b/roots/etc/nginx/conf.d/headers.conf
@@ -0,0 +1,2 @@
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
diff --git a/roots/etc/nginx/conf.d/hsts.conf b/roots/etc/nginx/conf.d/hsts.conf
new file mode 100644
index 0000000..9c5c9f8
--- /dev/null
+++ b/roots/etc/nginx/conf.d/hsts.conf
@@ -0,0 +1 @@
+add_header Strict-Transport-Security "max-age=31536000";
diff --git a/roots/etc/nginx/conf.d/ocsp.conf b/roots/etc/nginx/conf.d/ocsp.conf
new file mode 100644
index 0000000..34b644e
--- /dev/null
+++ b/roots/etc/nginx/conf.d/ocsp.conf
@@ -0,0 +1,4 @@
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 9.9.9.9 51.254.25.115 valid=300s;
+resolver_timeout 5s;
diff --git a/roots/etc/nginx/conf.d/proxy.conf b/roots/etc/nginx/conf.d/proxy.conf
new file mode 100644
index 0000000..3cc8fc2
--- /dev/null
+++ b/roots/etc/nginx/conf.d/proxy.conf
@@ -0,0 +1,11 @@
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Remote-Port $remote_port;
+proxy_set_header Proxy "";
+proxy_pass_header Server;
+proxy_redirect off;
diff --git a/roots/etc/nginx/conf.d/ssl.conf b/roots/etc/nginx/conf.d/ssl.conf
new file mode 100644
index 0000000..5daf413
--- /dev/null
+++ b/roots/etc/nginx/conf.d/ssl.conf
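Review bot: `add_header X-XSS-Protection "1; mode=block";` on the second line of headers.conf turns on the legacy browser XSS auditor, which current browsers have removed and which in older engines was itself a cross-site information-leak vector; the value recommended today is `add_header X-XSS-Protection "0";`, with a Content-Security-Policy doing the real work. Neither `add_header` here nor the one in hsts.conf carries the `always` parameter, so nginx emits them only on 2xx/3xx-class responses and omits them from 4xx/5xx pages — `add_header X-Content-Type-Options nosniff always;` and `add_header Strict-Transport-Security "max-age=31536000" always;`. The HSTS value also has no `includeSubDomains`, which is fine only if subdomains are meant to stay reachable over plain HTTP; a one-line comment stating that choice would help the next reader.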
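Review bot: `ssl_stapling_verify on;` needs a trust anchor, and the `ssl_trusted_certificate` it relies on lives in the sibling ssl.conf rather than in ocsp.conf, so a server that includes this file without ssl.conf gets stapling verification that cannot succeed — nginx will presumably log a warning at startup rather than fail `nginx -t`, which is easy to miss. Either move the `ssl_trusted_certificate` line here or add `# requires ssl_trusted_certificate (see ssl.conf)` above `ssl_stapling_verify`. The `resolver 9.9.9.9 51.254.25.115 valid=300s;` line sends nginx's OCSP-responder lookups as unauthenticated UDP DNS to two external resolvers; a local validating resolver (`resolver 127.0.0.1;`) keeps that dependency on-host and is the usual hardening.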
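Review bot: `proxy_pass_header Server;` on the tenth line of proxy.conf forwards the upstream's own Server banner to the client, which undoes the `server_tokens off` hardening in nginx.conf whenever the backend identifies itself; nginx hides that header by default, so unless the banner is wanted the line should simply be removed. `proxy_set_header Connection "upgrade";` is unconditional, so every proxied request — not only WebSocket handshakes — carries `Connection: upgrade`, which some backends reject as a malformed upgrade; the documented pattern is an http-level `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` paired with `proxy_set_header Connection $connection_upgrade;`. `proxy_set_header Proxy "";` is a correct httpoxy mitigation and deserves a `# httpoxy: never forward a client-supplied Proxy header` comment so nobody removes it as redundant.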
@@ -0,0 +1,14 @@
+ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;
+ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ecdh_curve X25519:P-521:P-384:P-256;
+ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM";
+ssl_prefer_server_ciphers on;
+
+#ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 15m;
+ssl_session_tickets off;
+
diff --git a/roots/etc/nginx/nginx.conf b/roots/etc/nginx/nginx.conf
new file mode 100644
index 0000000..7ee7dda
--- /dev/null
+++ b/roots/etc/nginx/nginx.conf
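Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` keeps TLS 1.1 negotiable although every suite admitted by `ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM";` is an AEAD suite that exists only in TLS 1.2, so a TLS 1.1 client cannot complete a handshake against this server anyway; the extra protocol only widens the negotiable surface and the line should read `ssl_protocols TLSv1.2;`. With that cipher list there are no DHE suites, so `ssl_dhparam` is inert, and `ssl_trusted_certificate` is pinned to a single named Let's Encrypt intermediate, which means `ssl_stapling_verify` (ocsp.conf) will start failing when the CA rotates intermediates — pointing it at the chain file delivered with each certificate avoids that. The long commented-out `#ssl_ciphers` line is dead configuration and should be deleted rather than carried along.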
@@ -0,0 +1,120 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 1024;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_disable msie6;
+ keepalive_requests 100;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ proxy_max_temp_file_size 20480m;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ #more_set_headers 'Server: secret';
+
+ aio threads;
+ aio_write on;
+
+ limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
+ limit_conn limit_per_ip 128;
+ limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
+ limit_req zone=allips burst=150 nodelay;
+
+ gzip on;
+ gzip_comp_level 5;
+ gzip_min_length 512;
+ gzip_buffers 4 8k;
+ gzip_proxied any;
+ gzip_vary on;
+ gzip_disable "msie6";
+ gzip_types
+ text/css
+ text/javascript
+ text/xml
+ text/plain
+ text/x-component
+ application/javascript
+ application/x-javascript
+ application/json
+ application/xml
+ application/rss+xml
+ application/vnd.ms-fontobject
+ font/truetype
+ font/opentype
+ image/svg+xml;
+
+ #brotli on;
+ #brotli_static on;
+ #brotli_buffers 16 8k;
+ #brotli_comp_level 6;
+ #brotli_types
+ # text/css
+ # text/javascript
+ # text/xml
+ # text/plain
+ # text/x-component
+ # application/javascript
+ # application/x-javascript
+ # application/json
+ # application/xml
+ # application/rss+xml
+ # application/vnd.ms-fontobject
+ # font/truetype
+ # font/opentype
+ # image/svg+xml;
+
+ ##
+ # Virtual Host Configs
+ ##
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
diff --git a/roots/etc/nginx/sites-available/beta.img.drycat.fr b/roots/etc/nginx/sites-available/beta.img.drycat.fr
new file mode 100644
index 0000000..eee023b
--- /dev/null
+++ b/roots/etc/nginx/sites-available/beta.img.drycat.fr
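Review bot: `include /etc/nginx/conf.d/*.conf;` near the end of the http block pulls in headers.conf, hsts.conf, ocsp.conf, proxy.conf and ssl.conf from this same commit at http scope, so what are written as per-site snippets become global defaults — the HSTS and `X-XSS-Protection` headers and `proxy_set_header Connection "upgrade"` now apply to every server, including the plaintext `default_server` in sites-available/default, and the vhosts that include the same files again at server level do so redundantly. Keeping reusable snippets in a directory the glob does not match (for example `/etc/nginx/snippets/`) makes the intended scope explicit. Separately, `proxy_max_temp_file_size 20480m;` allows a single proxied response to spool up to 20 GB to disk per request while `limit_conn limit_per_ip 128;` still permits 128 concurrent connections per address, which looks like a disk-exhaustion vector for slow clients pulling large objects; nginx's default of `1024m`, or `proxy_buffering off` in the location that serves large files, is the safer setting.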
@@ -0,0 +1,89 @@
+server {
+ listen 80;
+ server_name beta.img.drycat.fr;
+
+ location /.well-known/acme-challenge {
+ proxy_pass http://127.0.0.1:81;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ return 301 https://beta.paste.drycat.fr$request_uri;
+ }
+
+
+}
+
+
+
+server {
+ listen 443 ssl http2;
+ server_name beta.img.drycat.fr;
+ index index.html index.php index.htm;
+
+
+ ssl_certificate /etc/nginx/ssl/certificates/beta.img.drycat.fr.crt;
+ ssl_certificate_key /etc/nginx/ssl/certificates/beta.img.drycat.fr.key;
+ ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+
+
+
+ #include /nginx/conf.d/ssl.conf;
+
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ecdh_curve X25519:P-521:P-384:P-256;
+ ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM";
+ ssl_prefer_server_ciphers on;
+
+ #ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_timeout 15m;
+ ssl_session_tickets off;
+
+
+ #include /nginx/conf.d/headers.conf;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ #include /nginx/conf.d/hsts.conf;
+ add_header Strict-Transport-Security "max-age=31536000";
+
+
+
+ #include /nginx/conf.d/ocsp.conf;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 9.9.9.9 51.254.25.115 valid=300s;
+ resolver_timeout 5s;
+
+ location / {
+ #include /nginx/conf.d/proxy.conf;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Remote-Port $remote_port;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+ proxy_redirect off;
+
+
+ client_max_body_size 50M;
+ proxy_pass http://127.0.0.1:9000;
+ }
+
+ location ~ /\.well-known/acme-challenge {
+ default_type "text/plain";
+ root /etc/ssl/private/acme-challenge/;
+ allow all;
+ }
+}
+
+
+
diff --git a/roots/etc/nginx/sites-available/beta.paste.drycat.fr b/roots/etc/nginx/sites-available/beta.paste.drycat.fr
new file mode 100644
index 0000000..9e83710
--- /dev/null
+++ b/roots/etc/nginx/sites-available/beta.paste.drycat.fr
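Review bot: The port-80 server for `beta.img.drycat.fr` redirects with `return 301 https://beta.paste.drycat.fr$request_uri;`, sending img traffic to the paste host — evidently a copy-paste slip from the paste vhost; it should be `return 301 https://$host$request_uri;` as default-exemple already does. The `#include /nginx/conf.d/...` lines in this file and in beta.paste.drycat.fr are commented out with the `/etc` prefix missing, which is presumably why the snippet contents were pasted inline; correcting them to `/etc/nginx/conf.d/...` and restoring the includes removes about forty duplicated lines that will otherwise drift from the shared files. In the 443 server the ACME location serves from `root /etc/ssl/private/acme-challenge/`, a directory that on Debian-style systems is normally readable only by root and the ssl-cert group, so the www-data worker may not be able to read the tokens — verify the permissions, or serve challenges from a web root as sites-available/default does.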
@@ -0,0 +1,88 @@
+server {
+ listen 80;
+ server_name beta.paste.drycat.fr;
+
+ location /.well-known/acme-challenge {
+ proxy_pass http://127.0.0.1:81;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ return 301 https://beta.paste.drycat.fr$request_uri;
+ }
+
+}
+
+
+
+server {
+ listen 443 ssl http2;
+ server_name beta.paste.drycat.fr;
+ index index.html index.php index.htm;
+
+
+ ssl_certificate /etc/nginx/ssl/certificates/beta.paste.drycat.fr.crt;
+ ssl_certificate_key /etc/nginx/ssl/certificates/beta.paste.drycat.fr.key;
+ ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+
+
+
+ #include /nginx/conf.d/ssl.conf;
+
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ecdh_curve X25519:P-521:P-384:P-256;
+ ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM";
+ ssl_prefer_server_ciphers on;
+
+ #ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_timeout 15m;
+ ssl_session_tickets off;
+
+
+ #include /nginx/conf.d/headers.conf;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ #include /nginx/conf.d/hsts.conf;
+ add_header Strict-Transport-Security "max-age=31536000";
+
+
+
+ #include /nginx/conf.d/ocsp.conf;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 9.9.9.9 51.254.25.115 valid=300s;
+ resolver_timeout 5s;
+
+ location / {
+ #include /nginx/conf.d/proxy.conf;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Remote-Port $remote_port;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+ proxy_redirect off;
+
+
+ client_max_body_size 50M;
+ proxy_pass http://127.0.0.1:9000;
+ }
+
+ location ~ /\.well-known/acme-challenge {
+ default_type "text/plain";
+ root /etc/ssl/private/acme-challenge/;
+ allow all;
+ }
+}
+
+
+
diff --git a/roots/etc/nginx/sites-available/default b/roots/etc/nginx/sites-available/default
new file mode 100644
index 0000000..8c57542
--- /dev/null
+++ b/roots/etc/nginx/sites-available/default
@@ -0,0 +1,23 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ root /var/www/html;
+ server_name _ default;
+
+ #location ~ /\.well-known/acme-challenge {
+ # include /etc/nginx/conf.d/proxy.conf;
+ # proxy_pass http://127.0.0.1:81;
+ #}
+
+ location ~ /\.well-known/acme-challenge {
+ root /var/www/letsencrypt/paste.drycat.fr;
+ allow all;
+ }
+
+ #location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
+ # default_type text/plain;
+ # return 200 "$1.r_nPj5_YcCSwTNQOUfesQKbMeeTR7yQP_YfohDlF6EA";
+ #}
+
+}
diff --git a/roots/etc/nginx/sites-available/default-exemple b/roots/etc/nginx/sites-available/default-exemple
new file mode 100644
index 0000000..cd9e7fb
--- /dev/null
+++ b/roots/etc/nginx/sites-available/default-exemple
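Review bot: The ACME challenge is handled two different ways inside beta.paste.drycat.fr: the port-80 server proxies `/.well-known/acme-challenge` to 127.0.0.1:81, while the 443 server uses the regex location `~ /\.well-known/acme-challenge` with `root /etc/ssl/private/acme-challenge/`. That regex is unanchored, so it also captures URIs such as `/anything/.well-known/acme-challenge/x` and wins over `location /` for them, and with `root` the file looked up is `<root>/.well-known/acme-challenge/<token>`, which the directory layout must mirror; a prefix location, `location ^~ /.well-known/acme-challenge/ { ... }`, avoids both surprises, and `allow all;` inside it is a no-op because no `deny` is in scope. The certificate, header and proxy settings are copied verbatim from beta.img.drycat.fr, down to `proxy_pass http://127.0.0.1:9000;` — if both hosts intentionally share one backend that is fine, but a short comment saying so would stop the next reader from treating it as a paste error.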
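Review bot: The catch-all `default_server` on port 80 answers any unmatched Host (`server_name _ default;`) with content from `/var/www/html` and never redirects to HTTPS, so requests for an unknown name or a bare IP get a plaintext response from the document root; a catch-all that replies `return 444;` (or redirects) is the usual choice on a host whose real sites all live on 443, with the ACME location kept in front of it. The two commented-out `#location` blocks are dead configuration — the second one embeds an account-specific ACME key-authorization suffix in `return 200 "$1.…";` — and should be deleted rather than carried in a file that ends up under `/etc/nginx`.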
@@ -0,0 +1,49 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ;
+
+ location /.well-known/acme-challenge {
+ proxy_pass http://127.0.0.1:81;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+
+}
+
+
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ;
+ index index.html index.php index.htm;
+
+
+ ssl_certificate /etc/nginx/ssl/certificates/.crt;
+ ssl_certificate_key /etc/nginx/ssl/certificates/.key;
+
+ include /etc/nginx/conf.d/ssl.conf;
+ include /etc/nginx/conf.d/headers.conf;
+ include /etc/nginx/conf.d/hsts.conf;
+ include /etc/nginx/conf.d/ocsp.conf;
+
+ location / {
+ include /etc/nginx/conf.d/proxy.conf;
+
+ client_max_body_size 50M;
+ proxy_pass http://127.0.0.1:9000;
+ }
+
+ location /.well-known/acme-challenge {
+ proxy_pass http://127.0.0.1:81;
+ proxy_set_header Host $host;
+ }
+}
+
+
+
diff --git a/roots/etc/nginx/sites-available/img.drycat.fr.conf b/roots/etc/nginx/sites-available/img.drycat.fr.conf
new file mode 100644
index 0000000..6664383
--- /dev/null
+++ b/roots/etc/nginx/sites-available/img.drycat.fr.conf
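Review bot: The 443 server in this template includes headers.conf and hsts.conf at server scope, but nginx does not merge `add_header` across levels — the moment a `location` in a copy of this template declares its own `add_header` (a CSP, a cache header), every header from the included files silently disappears for that location; img.drycat.fr.conf uses the same layout. A comment above the includes, such as `# add_header is replaced, not merged: a location that adds its own header must re-include headers.conf and hsts.conf`, would prevent that regression. `server_name ;` and the `/etc/nginx/ssl/certificates/.crt` / `.key` paths are the fields to fill in; nginx should reject the argument-less `server_name`, so an unedited copy fails `nginx -t` rather than silently matching, but a visible marker such as `server_name EXAMPLE_HOST;` (a constructed placeholder) makes the intent obvious to whoever copies the file.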
@@ -0,0 +1,49 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name beta.img.drycat.fr;
+
+ location /.well-known/acme-challenge {
+ proxy_pass http://127.0.0.1:81;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+
+}
+
+
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name beta.img.drycat.fr;
+ index index.html index.php index.htm;
+
+
+ ssl_certificate /etc/nginx/ssl/certificates/beta.img.drycat.fr.cert.pem;
+ ssl_certificate_key /etc/nginx/ssl/certificates/beta.img.drycat.fr.key.pem;
+
+ include /etc/nginx/conf.d/ssl.conf;
+ include /etc/nginx/conf.d/headers.conf;
+ include /etc/nginx/conf.d/hsts.conf;
+ include /etc/nginx/conf.d/ocsp.conf;
+
+ location / {
+ include /etc/nginx/conf.d/proxy.conf;
+
+ client_max_body_size 50M;
+ proxy_pass http://127.0.0.1:9000;
+ }
+
+ location /.well-known/acme-challenge {
+ proxy_pass http://127.0.0.1:8443;
+ proxy_set_header Host $host;
+ }
+}
+
+
+
diff --git a/roots/etc/nginx/sites-available/rss.drycat.fr.conf b/roots/etc/nginx/sites-available/rss.drycat.fr.conf
new file mode 100644
index 0000000..e69de29
diff --git a/scripts/nginx_compile.sh b/scripts/nginx_compile.sh
new file mode 100755
index 0000000..5920b44
--- /dev/null
+++ b/scripts/nginx_compile.sh
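Review bot: Both servers in img.drycat.fr.conf declare `server_name beta.img.drycat.fr;`, the same name the separate beta.img.drycat.fr vhost uses, so the file name and the served host disagree and enabling both files yields nginx's "conflicting server name" warning with only the first-loaded server taking effect; the name here presumably should be `img.drycat.fr`. The certificate paths use a `.cert.pem`/`.key.pem` suffix while every other vhost in the commit uses `.crt`/`.key`, and the 443 ACME location proxies to `127.0.0.1:8443` whereas the port-80 one (and the template) proxies to `127.0.0.1:81` — each of those reads as an unintended divergence and deserves either a fix or a comment explaining why it differs.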
@@ -0,0 +1,86 @@
+#!/bin/sh
+
+apt-get -y install build-essential zlib1g-dev libpcre3 libpcre3-dev libbz2-dev libssl-dev tar unzip
+
+NGINX_VER=1.13.8
+OPENSSL_VER=1.1.0g
+NGINX_GPG="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 \
+ A09CD539B8BB8CBE96E82BDFABD4D3B3F5806B4D \
+ 4C2C85E705DC730833990C38A9376139A524C53E \
+ 65506C02EFC250F1B7A3D694ECF0E90B2C172083 \
+ B0F4253373F8F6F510D42178520A9993A1C052F8 \
+ 7338973069ED3F443F4D37DFA64FD5B17ADB39A8"
+
+echo "**** download package ****"
+git clone https://github.com/openresty/headers-more-nginx-module --depth=1 /tmp/headers-more-nginx-module
+git clone https://github.com/bagder/libbrotli --depth=1 /tmp/libbrotli
+git clone https://github.com/google/ngx_brotli --depth=1 /tmp/ngx_brotli
+wget -q http://nginx.org/download/nginx-${NGINX_VER}.tar.gz -O /tmp/nginx-${NGINX_VER}.tar.gz
+wget -q http://nginx.org/download/nginx-${NGINX_VER}.tar.gz.asc -O /tmp/nginx-${NGINX_VER}.tar.gz.asc
+wget -q https://www.openssl.org/source/openssl-${OPENSSL_VER}.tar.gz -O /tmp/openssl-${OPENSSL_VER}.tar.gz
+git clone https://github.com/grahamedgecombe/nginx-ct --depth=1 /tmp/nginx-ct
+
+echo "**** compile brotli ****"
+cd /tmp/libbrotli
+./autogen.sh
+./configure
+mkdir brotli/c/tools/.deps
+touch brotli/c/tools/.deps/brotli-brotli.Po
+make -j 1
+make install
+cd /tmp/ngx_brotli
+git submodule update --init
+
+echo "**** untar openssl ****"
+cd /tmp
+tar xzf openssl-${OPENSSL_VER}.tar.gz
+
+echo "**** compile nginx ****"
+cd /tmp
+for server in ha.pool.sks-keyservers.net hkp://keyserver.ubuntu.com:80 hkp://p80.pool.sks-keyservers.net:80 pgp.mit.edu;
+ do
+ echo "Fetching GPG key $NGINX_GPGKEY from $server";
+ gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys $NGINX_GPG && found=yes && break;
+done
+gpg --batch --verify nginx-${NGINX_VER}.tar.gz.asc nginx-${NGINX_VER}.tar.gz
+tar xzf nginx-${NGINX_VER}.tar.gz
+cd /tmp/nginx-${NGINX_VER}
+wget -q https://raw.githubusercontent.com/cujanovic/nginx-dynamic-tls-records-patch/master/nginx__dynamic_tls_records_1.13.0%2B.patch -O dynamic_records.patch
+patch -p1 < dynamic_records.patch
+./configure --prefix=/etc/nginx \
+ --sbin-path=/usr/sbin/nginx \
+ --http-log-path=/var/log/nginx/logs/nginx_access.log \
+ --error-log-path=/var/log/nginx/logs/nginx_error.log \
+ --pid-path=/run/nginx.pid \
+ --lock-path=/run/nginx.lock \
+ --user=www-data --group=www-data \
+ --with-http_ssl_module \
+ --with-http_realip_module \
+ --with-http_addition_module \
+ --with-http_sub_module \
+ --with-http_dav_module \
+ --with-http_flv_module \
+ --with-http_mp4_module \
+ --with-http_gunzip_module \
+ --with-http_gzip_static_module \
+ --with-http_random_index_module \
+ --with-http_secure_link_module \
+ --with-http_stub_status_module \
+ --with-threads \
+ --with-stream \
+ --with-stream_ssl_module \
+ --with-http_slice_module \
+ --with-mail \
+ --with-pcre-jit \
+ --with-mail_ssl_module \
+ --with-http_v2_module \
+ --with-file-aio \
+ --with-ipv6 \
+ --add-module=/tmp/headers-more-nginx-module \
+ --add-module=/tmp/nginx-ct \
+ --add-module=/tmp/ngx_brotli \
+ --with-cc-opt="-O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -Wno-deprecated-declarations" \
+ --with-openssl-opt='no-async enable-ec_nistp_64_gcc_128 no-shared no-ssl2 no-ssl3 no-comp no-idea no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS -O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2' \
+ --with-openssl=/tmp/openssl-${OPENSSL_VER}
+make -j 1
+make install
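Review bot: The GPG check of the nginx tarball is decorative: the script has no `set -e`, the exit status of `gpg --batch --verify nginx-${NGINX_VER}.tar.gz.asc nginx-${NGINX_VER}.tar.gz` is never tested, `found=yes` is set but never read, and the echo in the key-fetch loop references `$NGINX_GPGKEY` while the variable is named `NGINX_GPG`, so a failed key fetch or a bad signature still proceeds to `tar xzf`, `patch` and `make install` as root. Add `set -eu` after the shebang, fix the variable name in the echo, and make the verify line `gpg --batch --verify nginx-${NGINX_VER}.tar.gz.asc nginx-${NGINX_VER}.tar.gz || { echo "nginx signature verification failed" >&2; exit 1; }`. The OpenSSL tarball, the dynamic-TLS-records patch pulled from a GitHub `master` branch and the four `git clone --depth=1` modules are all built with no hash or signature check and no pinned revision, so the binary depends on whatever those remote heads contain at build time; pinning a commit per module and comparing the OpenSSL tarball against a known SHA-256 would make the build reproducible and reviewable. `--with-ipv6` is deprecated in this nginx version (IPv6 is built in unconditionally) and can be dropped from the configure line.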