From e9fa00522bc5591a3c2cdfba94d5451ae4e275b5 Mon Sep 17 00:00:00 2001 From: croax Date: Mon, 15 Aug 2022 12:51:00 +0200 Subject: [PATCH] #86 SSL Stapling + HTTP/2 --- config/nginx/autoconfig.a-lec.org | 34 +++++++++++++++---------------- config/nginx/mail.a-lec.org | 19 +++++++++-------- 2 files changed, 28 insertions(+), 25 deletions(-) diff --git a/config/nginx/autoconfig.a-lec.org b/config/nginx/autoconfig.a-lec.org index 6564ed7..3d116a1 100644 --- a/config/nginx/autoconfig.a-lec.org +++ b/config/nginx/autoconfig.a-lec.org 
@@ -1,40 +1,40 @@ -# Configuration autoconfig.a-lec.org - server { + server_name autoconfig.a-lec.org; + + listen 444 ssl http2 proxy_protocol; + listen [::]:443 ssl http2; + listen 80; + listen [::]:80; + set_real_ip_from 192.169.0.1; real_ip_header proxy_protocol; ssi on; ssi_last_modified on; - listen 444 ssl proxy_protocol; - listen [::]:443 ssl; - listen 80; - listen [::]:80; - - # Important : PAS de HSTS ni redirection HTTPS + # IMPORTANT : PAS de redirection vers HTTPS # Thunderbird fait une requête en clair (HTTP) - ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + ssl_stapling on; + ssl_stapling_verify on; - # Add index.php to the list if you are using PHP root /var/www/html/autoconfig; - server_name autoconfig.a-lec.org; + # On indique HSTS si ca pouvait pousser quelques êtres à utiliser HTTPS... + # car on sert du HTTPS aussi add_header Strict-Transport-Security "max-age=31536000" always; - # Section dédiée mail, si un jour on souhaite délocaliser de cette VM - # le sous-domaine autoconfig et garder uniquement /mail + # Section dédiée mail, si un jour on souhaite partager autoconfig avec + # d'autres VM et garder uniquement le path /mail location /mail/ { alias /var/www/html/autoconfig/mail/; - location ~* ^/mail/config-v1\.1\.xml(\?.*)$ { - try_files /var/www/html/autoconfig/mail/config-v1.1.xml =404; - } +# location ~* ^/mail/([a-zA-Z\-\.]+\.xml)(\?.*)?$ { +# try_files /var/www/html/autoconfig/mail/\1 =404; +# } } } diff --git a/config/nginx/mail.a-lec.org b/config/nginx/mail.a-lec.org index e37d1fe..b993877 100644 --- a/config/nginx/mail.a-lec.org +++ b/config/nginx/mail.a-lec.org 
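Review bot: The new `ssl_stapling on; ssl_stapling_verify on;` pair will not produce stapled responses as written, because the server has no `resolver` (nginx cannot look up the OCSP responder hostname and logs "no resolver defined") and `ssl_stapling_verify` needs `ssl_trusted_certificate` to validate the response; add something like `resolver 127.0.0.1 valid=300s;` (or the host's actual resolver) and `ssl_trusted_certificate /etc/letsencrypt/live/mail.a-lec.org/chain.pem;` next to the stapling lines. Unrelated to the change but visible in the same hunk: `set_real_ip_from 192.169.0.1;` is a public-range address while mail.a-lec.org trusts `192.168.0.1`; if the PROXY-protocol front end is 192.168.0.1 this looks like a typo, and real client addresses are then never applied on this vhost. Also worth stating in the comment that the HSTS header is only honoured by browsers over HTTPS, so it does nothing for Thunderbird's plaintext fetch; since the XML is served in clear by design, the config it advertises should only point clients at TLS endpoints under your control so a tampered response cannot downgrade authentication. Note too that Let's Encrypt has announced the end of its OCSP service, so stapling from these certificates should be treated as best-effort.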
@@ -1,8 +1,9 @@ server { server_name mail.a-lec.org; - listen 444 ssl proxy_protocol; - listen [::]:443 ssl; + listen 444 ssl http2 proxy_protocol; + listen [::]:443 ssl http2; + set_real_ip_from 192.168.0.1; real_ip_header proxy_protocol; @@ -10,12 +11,13 @@ server { ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - - - client_max_body_size 100M; + ssl_stapling on; + ssl_stapling_verify on; root /var/www/html/roundcube; + client_max_body_size 100M; + add_header Strict-Transport-Security "max-age=31536000" always; index index.html index.htm index.php; @@ -24,7 +26,7 @@ server { try_files $uri $uri/ /index.php?q=$uri&$args; } - # pass PHP scripts to FastCGI server + # pass PHP scripts to FastCGI server location ~ \.php$ { include snippets/fastcgi-php.conf; # # With php-fpm (or other unix sockets): @@ -43,11 +45,12 @@ server { server { server_name mail.a-lec.org; - listen 80 proxy_protocol; + listen 80 ; listen [::]:80; set_real_ip_from 192.168.0.1; - real_ip_header proxy_protocol; + + root /var/www/html/roundcube; return 302 https://mail.a-lec.org$request_uri; }
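Review bot: In the second hunk, `ssl_stapling on; ssl_stapling_verify on;` is added without a `resolver` directive or `ssl_trusted_certificate`, so nginx cannot resolve the OCSP responder and cannot verify the response; it will log a warning and serve the handshake without a staple, which silently defeats the purpose of the change. Add `resolver 127.0.0.1 valid=300s;` (or the host's real resolver) and `ssl_trusted_certificate /etc/letsencrypt/live/mail.a-lec.org/chain.pem;` beside the stapling lines, and consider a comment noting that the certbot-managed `options-ssl-nginx.conf` include is what carries the protocol and cipher settings. Since `ssl_stapling_verify` is on, a failed verification also means no staple rather than a bad one, so this is a robustness rather than a confidentiality issue.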
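Review bot: In the last hunk the port-80 server keeps `set_real_ip_from 192.168.0.1;` after `real_ip_header proxy_protocol` was removed, so it now falls back to trusting an `X-Real-IP` header from that address, and the added `root /var/www/html/roundcube;` is dead in a server that unconditionally returns a redirect; both lines should be dropped, with a comment such as `# plain-HTTP listener only redirects; no real-IP handling needed here`. The redirect itself could be `return 301 https://mail.a-lec.org$request_uri;` (or 308) so clients and caches treat the HTTPS move as permanent, which also backs up the HSTS header set on the TLS server. The stray space in `listen 80 ;` is cosmetic.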