From 275d68ce12a3041d465db4e10daf393d1ec51fd4 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 3 Jan 2025 06:34:57 -0700
Subject: [PATCH] Merge default server configs

---
 etc/nginx/conf.d/default.conf | 38 +++++++++++++++++++++++++++++
 etc/nginx/conf.d/http2.conf | 3 ---
 etc/nginx/conf.d/server_tokens.conf | 1 -
 etc/nginx/conf.d/tls.conf | 31 -----------------------
 setup.sh | 3 ---
 5 files changed, 38 insertions(+), 38 deletions(-)
 delete mode 100644 etc/nginx/conf.d/http2.conf
 delete mode 100644 etc/nginx/conf.d/server_tokens.conf
 delete mode 100644 etc/nginx/conf.d/tls.conf

diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index 259bd93..5b4050b 100644
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@@ -1,3 +1,41 @@
+# Use http2
+http2 on;
+
+# Shared TLS configuration
+
+## Use strong ciphers
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
+ssl_conf_command Options PrioritizeChaCha;
+
+## Configure ssl session cache
+## Improves performance but we don't wanna keep this forever
+## Session ticket creation and rotation is handled by GrapheneOS's scripts:
+## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
+## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
+
+ssl_session_cache shared:SSL:10m; # About 40000 sessions
+ssl_session_timeout 1d;
+ssl_session_ticket_key session-ticket-keys/4.key;
+ssl_session_ticket_key session-ticket-keys/3.key;
+ssl_session_ticket_key session-ticket-keys/2.key;
+ssl_session_ticket_key session-ticket-keys/1.key;
+
+## Enable HSTS header
+
+proxy_hide_header Strict-Transport-Security;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+## The following settings need to be declared manually per vhost:
+# ssl_certificate
+# ssl_certificate_key
+# ssl_trusted_certificate
+# ssl_stapling_file
+
+# Disable server tokens
+server_tokens off;
+
 server {
 listen ipv4_1:80 default_server;
 listen [ipv6_1]:80 default_server;
diff --git a/etc/nginx/conf.d/http2.conf b/etc/nginx/conf.d/http2.conf
deleted file mode 100644
index 96587ce..0000000
--- a/etc/nginx/conf.d/http2.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# This is all it takes to enable http2 globally
-
-http2 on;
\ No newline at end of file
diff --git a/etc/nginx/conf.d/server_tokens.conf b/etc/nginx/conf.d/server_tokens.conf
deleted file mode 100644
index b7a0bcb..0000000
--- a/etc/nginx/conf.d/server_tokens.conf
+++ /dev/null
@@ -1 +0,0 @@
-server_tokens off;
\ No newline at end of file
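Review bot: The per-vhost checklist at the end of the added TLS block (`## The following settings need to be declared manually per vhost:`) omits two constraints that the merged http-level directives impose. `add_header` is inherited from the http level only when a `server` or `location` declares no `add_header` of its own, so any vhost or location that sets its own headers silently drops the HSTS line unless it repeats `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`. The `ssl_ciphers` list contains only ECDHE-ECDSA suites, so the per-vhost `ssl_certificate` must be an ECDSA certificate; with an RSA certificate TLS 1.2 clients would have no cipher in common, while TLS 1.3 (whose suites are not governed by `ssl_ciphers` when nginx is built against OpenSSL) would still work, which makes the breakage easy to miss. I would extend the checklist with `# ssl_certificate must be ECDSA (the cipher list above is ECDSA-only)` and `# any server/location that declares its own add_header must re-declare the HSTS add_header`.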
diff --git a/etc/nginx/conf.d/tls.conf b/etc/nginx/conf.d/tls.conf
deleted file mode 100644
index 35eaf5b..0000000
--- a/etc/nginx/conf.d/tls.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# Shared TLS configuration
-
-## Use strong ciphers
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
-ssl_prefer_server_ciphers on;
-ssl_conf_command Options PrioritizeChaCha;
-
-## Configure ssl session cache
-## Improves performance but we don't wanna keep this forever
-## Session ticket creation and rotation is handled by GrapheneOS's scripts:
-## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
-## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
-
-ssl_session_cache shared:SSL:10m; # About 40000 sessions
-ssl_session_timeout 1d;
-ssl_session_ticket_key session-ticket-keys/4.key;
-ssl_session_ticket_key session-ticket-keys/3.key;
-ssl_session_ticket_key session-ticket-keys/2.key;
-ssl_session_ticket_key session-ticket-keys/1.key;
-
-# Enable HSTS header
-
-proxy_hide_header Strict-Transport-Security;
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-
-## The following settings need to be declared manually per vhost:
-# ssl_certificate
-# ssl_certificate_key
-# ssl_trusted_certificate
-# ssl_stapling_file
diff --git a/setup.sh b/setup.sh
index b94f6e6..06d0b55 100644
--- a/setup.sh
+++ b/setup.sh
@@ -122,10 +122,7 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer # Download NGINX configs -unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf > /dev/null -unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/server_tokens.conf | sudo tee /etc/nginx/conf.d/server_tokens.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/default.conf | sudo tee /etc/nginx/conf.d/default.conf > /dev/null -unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf > /dev/null sudo mkdir -p /etc/nginx/snippets unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null