From 32e65bc0f9871e559da8f70c28b4699ae86c0f6b Mon Sep 17 00:00:00 2001 From: croax Date: Sun, 14 Aug 2022 15:32:46 +0200 Subject: [PATCH] #84 HSTS --- config/nginx/autoconfig.a-lec.org | 2 + config/nginx/mail.a-lec.org | 73 ++++++++++--------------------- 2 files changed, 26 insertions(+), 49 deletions(-) diff --git a/config/nginx/autoconfig.a-lec.org b/config/nginx/autoconfig.a-lec.org index d122b95..6564ed7 100644 --- a/config/nginx/autoconfig.a-lec.org +++ b/config/nginx/autoconfig.a-lec.org @@ -25,6 +25,8 @@ server { root /var/www/html/autoconfig; server_name autoconfig.a-lec.org; + add_header Strict-Transport-Security "max-age=31536000" always; + # Section dédiée mail, si un jour on souhaite délocaliser de cette VM # le sous-domaine autoconfig et garder uniquement /mail location /mail/ { diff --git a/config/nginx/mail.a-lec.org b/config/nginx/mail.a-lec.org index 9e4b4b1..e37d1fe 100644 --- a/config/nginx/mail.a-lec.org +++ b/config/nginx/mail.a-lec.org 
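Review bot: The new server-level `add_header Strict-Transport-Security "max-age=31536000" always;` is discarded by nginx for any location that declares its own `add_header`, and the body of `location /mail/ {` that follows is outside this hunk, so if that block (or anything it includes) sets a header, HSTS would silently not be sent for /mail/ — worth checking and, if so, repeating the directive inside that location. The `server {` block this belongs to starts and ends outside the hunk, so I cannot see whether it only serves TLS; the header is only meaningful on the HTTPS listener and browsers ignore it over plain HTTP. A short comment on the line would help the next reader: `# HSTS (#84): one year, this host only; 'always' also sends it on 4xx/5xx responses`.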
@@ -1,56 +1,32 @@ -## -# You should look at the following URL's in order to grasp a solid understanding -# of Nginx configuration files in order to fully unleash the power of Nginx. -# https://www.nginx.com/resources/wiki/start/ -# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ -# https://wiki.debian.org/Nginx/DirectoryStructure -# -# In most cases, administrators will remove this file from sites-enabled/ and -# leave it as reference inside of sites-available where it will continue to be -# updated by the nginx packaging team. -# -# This file will automatically load configuration files provided by other -# applications, such as Drupal or Wordpress. These applications will be made -# available underneath a path with that package name, such as /drupal8. -# -# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. -## - -# Default server configuration -# server { + server_name mail.a-lec.org; + + listen 444 ssl proxy_protocol; + listen [::]:443 ssl; set_real_ip_from 192.168.0.1; real_ip_header proxy_protocol; - listen 444 ssl proxy_protocol; - listen [::]:443 ssl; - - ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - - # Add index.php to the list if you are using PHP - root /var/www/html/roundcube; - - server_name mail.a-lec.org; - - client_max_body_size 100M; - - # Add index.php to the list if you are using PHP - index index.html index.htm index.php; + ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam 
/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - location / { - # First attempt to serve request as file, then - # as directory, then fall back to displaying a 404. + client_max_body_size 100M; + + root /var/www/html/roundcube; + + add_header Strict-Transport-Security "max-age=31536000" always; + + index index.html index.htm index.php; + + location / { try_files $uri $uri/ /index.php?q=$uri&$args; } # pass PHP scripts to FastCGI server - # - location ~ \.php$ { - include snippets/fastcgi-php.conf; + location ~ \.php$ { + include snippets/fastcgi-php.conf; # # With php-fpm (or other unix sockets): fastcgi_pass unix:/run/php/php7.4-fpm.sock; # # With php-cgi (or other tcp sockets): @@ -59,20 +35,19 @@ server { include fastcgi_params; } - location ^~ /data { - deny all; - } - + location ^~ /data { + deny all; + } } server { + server_name mail.a-lec.org; + listen 80 proxy_protocol; listen [::]:80; set_real_ip_from 192.168.0.1; real_ip_header proxy_protocol; - server_name mail.a-lec.org; - return 302 https://mail.a-lec.org$request_uri; }
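Review bot: The `add_header Strict-Transport-Security "max-age=31536000" always;` line is undocumented and is a byte-for-byte copy of the one added to autoconfig.a-lec.org in the first hunk; since this file already includes `snippets/fastcgi-php.conf`, moving the directive into a shared snippet under `snippets/` (name to be chosen) would keep both vhosts in sync when the max-age or flags change. As written the policy covers only mail.a-lec.org; `includeSubDomains` should be added only once every name under it is known to be TLS-only, and a comment recording that choice would spare the next reader guessing, e.g. `# HSTS (#84): one year, this host only; 'always' also covers error responses`. Also on the new side, `listen [::]:443 ssl;` carries no `proxy_protocol` while `set_real_ip_from 192.168.0.1; real_ip_header proxy_protocol;` apply to the whole server, so if IPv6 clients also arrive through the proxy their real address will not be recovered — presumably deliberate, but worth confirming. The `server {` opened in this hunk is closed in the following hunk.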