From 0af049b60c77b0daeb00dadb63b739d161922478 Mon Sep 17 00:00:00 2001
From: WilliamMiceli
Date: Fri, 11 Jan 2019 19:17:21 -0500
Subject: [PATCH] Reverted some things, but still using new file structure
---
 .../0/Resources/conf.d/collabora.conf | 4 +
 .../0/Resources/conf.d/nextcloud.conf | 88 +++++++++++++++----
 templates/Nextcloud/0/Resources/nginx.conf | 19 ++--
 3 files changed, 88 insertions(+), 23 deletions(-)
diff --git a/templates/Nextcloud/0/Resources/conf.d/collabora.conf b/templates/Nextcloud/0/Resources/conf.d/collabora.conf
index 1f6b893..0b718bd 100644
--- a/templates/Nextcloud/0/Resources/conf.d/collabora.conf
+++ b/templates/Nextcloud/0/Resources/conf.d/collabora.conf
@@ -1,7 +1,11 @@ server { listen 81; listen [::]:81; + server_name _; + #access_log logs/collabora_access.log; + #error_log logs/collabora_error.log error; + # static files location ^~ /loleaflet { proxy_pass http://collabora:9980;
diff --git a/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf b/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf
index 50ad8e7..e2ee329 100644
--- a/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf
+++ b/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf
@@ -7,15 +7,52 @@ server { listen [::]:80; server_name _; + #---------------------------------------- + # Logging + #---------------------------------------- + + #access_log logs/nextcloud_access.log; + #error_log logs/nextcloud_error.log error; + + #---------------------------------------- + # Basic Settings + #---------------------------------------- + root /var/www/html/; # Path to the root of your installation client_max_body_size 10G; # Max upload size fastcgi_buffers 64 4K; - # Enable gzip but do not remove ETag headers - gzip off; + #---------------------------------------- + # GZip + #---------------------------------------- + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + #---------------------------------------- + # Security Headers + #---------------------------------------- + + # Add headers to serve security related headers + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + + fastcgi_hide_header X-Powered-By; # Remove X-Powered-By, which is an information leak + + #---------------------------------------- + # Locations + #---------------------------------------- - index index.php error_page 403 /core/templates/403.php; 
error_page 404 /core/templates/404.php; 
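Review bot: The six `add_header` lines in the new Security Headers section are only effective in locations that declare no `add_header` of their own, because nginx replaces the inherited set instead of merging it the moment a location adds a single header; the comment above them should state that so a later one-line addition in some location does not silently drop the rest, e.g. `# NOTE: a location with its own add_header loses ALL of these; repeat the full set there.` The assets location in the second hunk does repeat the full set, which is the pattern the comment should make explicit. The enclosing `server {` block starts before this hunk.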
@@ -33,37 +70,58 @@ server { return 301 $scheme://$host/remote.php/dav; } - - location / { rewrite ^ /index.php$request_uri; } - location ~ \.php(?:$|/) { - fastcgi_split_path_info ^(.+\.php)(/.+)$; + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { + fastcgi_split_path_info ^(.+\.php)(/.*)$; + # Mitigate https://httpoxy.org/ vulnerabilities: + fastcgi_param HTTP_PROXY ""; + #fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^/(?:updater|ocs-provider)(?:$|/) { + try_files $uri/ =404; + index index.php; } # Adding the cache control header for js and css files - # Make sure it is BELOW the location ~ \.php(?:$|/) { block - location ~* \.(?:css|js)$ { - add_header Cache-Control "public, max-age=7200"; - # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff|svg|gif)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + # Optional: Don't log access to assets access_log off; } - # Optional: Don't log access to 
other assets - location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ { + location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets access_log off; } }
\ No newline at end of file
diff --git a/templates/Nextcloud/0/Resources/nginx.conf b/templates/Nextcloud/0/Resources/nginx.conf
index 9493b30..682ca28 100644
--- a/templates/Nextcloud/0/Resources/nginx.conf
+++ b/templates/Nextcloud/0/Resources/nginx.conf
@@ -1,7 +1,7 @@ user www-data; worker_processes auto; -# error_log /var/log/nginx.error_log info; # [ debug | info | notice | warn | error | crit ] +#error_log /var/log/nginx_error.log info; # [ debug | info | notice | warn | error | crit ] pid /var/run/nginx.pid; events {
@@ -21,7 +21,7 @@ http { # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; - #access_log /var/log/nginx/access.log main; + #access_log /var/log/nginx/http_access.log main; # REFERENCE 2 #log_format main '$remote_addr - $host [$time_local] "$request" '
@@ -35,8 +35,8 @@ http { # 'rt=$request_time ut=$upstream_response_time ' # 'cs=$upstream_cache_status'; - #access_log /var/log/nginx/access.log main; - #error_log /var/log/nginx/error.log warn; + #access_log /var/log/nginx/http_access.log main; + #error_log /var/log/nginx/http_error.log error; #---------------------------------------- # Basic Settings
@@ -45,7 +45,7 @@ http { sendfile on; tcp_nopush on; tcp_nodelay on; - keepalive_timeout 65; + keepalive_timeout 65; include /etc/nginx/mime.types; default_type application/octet-stream;
@@ -60,9 +60,12 @@ http { # GZip #---------------------------------------- - - - + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 1000; + gzip_buffers 4 8k; + gzip_types text/plain; #---------------------------------------- # Cache
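Review bot: The rewritten css/js assets location no longer sends `Strict-Transport-Security` or `X-Frame-Options "SAMEORIGIN"`, and neither header was added to the new server-level Security Headers section in the first hunk, so nothing in this file emits them any more. The server block only listens on port 80, so HSTS presumably belongs to whatever terminates TLS in front of it; if that front end does not set these two headers, `add_header X-Frame-Options "SAMEORIGIN";` should rejoin the server-level set, with HSTS added only where TLS actually terminates since browsers ignore it over plain HTTP. Nextcloud may add X-Frame-Options to its own PHP responses, but the `fastcgi_param modHeadersAvailable true;` added here (commented "Avoid sending the security headers twice") tells it the web server is responsible, so that should be confirmed rather than assumed. The `server {` block these locations belong to starts before this hunk.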