Fix nginx security

Mathieu Strypsteen 2024-09-11 20:39:15 +02:00
parent daa0f58784
commit 78d542ea29
Signed by: mathieu
GPG key ID: 782A42E461BC6824
10 changed files with 11 additions and 30 deletions


@ -7,7 +7,7 @@ AddKeysToAgent yes
ExitOnForwardFailure yes
Host pve
HostName pve.strypsteen.com
Host
Host infra
HostName infra.server.home.arpa
Host home
HostName home.server.home.arpa


@ -3,9 +3,8 @@ server {
server_name *.code-proxy.strypsteen.com;
listen 443 ssl;
listen [::]:443 ssl;
deny 10.0.0.1;
deny fd00::1;
include snippets/headers.conf;
include snippets/local-only.conf;
location / {
set $upstream sandbox.server.home.arpa;
proxy_pass http://$upstream:8080;
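Review bot: The server-level `include snippets/local-only.conf;` is replaced, not merged, by any `allow`/`deny` directive placed inside a nested `location`, so the `location /` that opens on the last lines of this hunk (its body continues outside the hunk) must not carry access rules of its own, or the vhost is silently reopened. The same applies to the llm, monitoring, network and remote-desktop sections below, which make the identical substitution. A denied client receives nginx's 403 page and the error log records `access forbidden by rule` with the client address, which is the line to alert on if these hosts should never see an outside request. A short comment on the include, e.g. `# local-only: LAN/ULA/link-local clients only, see snippets/local-only.conf`, would tell the next reader why the two deny lines went away.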


@ -2,9 +2,8 @@ server {
server_name llm.strypsteen.com;
listen 443 ssl;
listen [::]:443 ssl;
deny 10.0.0.1;
deny fd00::1;
include snippets/headers.conf;
include snippets/local-only.conf;
location / {
set $upstream home.server.home.arpa;
proxy_pass http://$upstream:8004;


@ -2,9 +2,8 @@ server {
server_name monitoring.strypsteen.com;
listen 443 ssl;
listen [::]:443 ssl;
deny 10.0.0.1;
deny fd00::1;
include snippets/headers.conf;
include snippets/local-only.conf;
location / {
set $upstream home.server.home.arpa;
proxy_pass http://$upstream:8008;


@ -2,9 +2,8 @@ server {
server_name network.strypsteen.com;
listen 443 ssl;
listen [::]:443 ssl;
deny 10.0.0.1;
deny fd00::1;
include snippets/headers.conf;
include snippets/local-only.conf;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'" always;
location / {
set $upstream home.server.home.arpa;


@ -2,9 +2,8 @@ server {
server_name remote-desktop.strypsteen.com;
listen 443 ssl;
listen [::]:443 ssl;
deny 10.0.0.1;
deny fd00::1;
include snippets/headers.conf;
include snippets/local-only.conf;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'" always;
location / {
set $upstream gaming-vm.server.home.arpa;

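--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,4 @@
+allow 192.168.0.0/16;
+allow fe80::/10;
+allow fc00::/7;
+deny all;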
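Review bot: These rules match the address nginx sees as the client (`$remote_addr`), so they are only as good as that address: if requests reach nginx through a layer that rewrites the source (a NAT port-forward, rootless container networking, a tunnel or CDN), every client appears from one gateway address and the list either rejects the whole LAN or admits everyone. Checking the access log for the client address of a known LAN request would confirm which case applies here. Loopback (`127.0.0.1`, `::1`) and the `10.0.0.0/8` and `172.16.0.0/12` ranges are not allowed, which is fine if nothing legitimate lives there, but a VPN or container subnet in those ranges, or a local health check, now gets 403; if one exists, its `allow` belongs before `deny all;`. A one-line header such as `# Restrict a vhost to LAN clients; include at server level in every internal-only site` would state the snippet's purpose.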

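--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -1,3 +0,0 @@
-[Container]
-Environment=CERTBOT_TYPE=home
-Secret=cloudflare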


@ -7,7 +7,7 @@ Secret=forgejo-token
Secret=forgejo-jwt-secret
Environment=GITEA_APP_INI=/etc/gitea/app.ini
PublishPort=2222:2222
PublishPort=8003:80
PublishPort=8003:3000
AutoUpdate=registry
[Install]
WantedBy=multi-user.target
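Review bot: Whichever of the two `PublishPort=8003:...` lines survives this hunk has no host address, so the Forgejo web port is bound on every host interface and reachable directly, bypassing the allow list nginx now enforces for its vhost; the hunk only changes the container-side port, and the enclosing `[Container]` section starts outside it. If nginx runs on the same host, `PublishPort=127.0.0.1:8003:3000` closes the direct path; if nginx sits on another machine (the vhosts proxy to `*.server.home.arpa` names, which suggests it does), the equivalent is a host firewall rule limiting 8003 to the proxy's address. A comment on the line, e.g. `# reached only via nginx; keep 8003 closed to everything but the proxy`, would record that intent.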

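--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -1,15 +0,0 @@
-[Container]
-Image=cgr.dev/chainguard/nginx
-Network=nginx.network
-Volume=/var/lib/system-config/container-config/nginx:/etc/nginx:z,ro
-Volume=/var/lib/system-config/container-config/nginx-home:/etc/nginx-sites:z,ro
-Volume=/var/lib/system-config/container-config/site:/var/www:z,ro
-Volume=/etc/certificates:/etc/certificates:z,ro
-Tmpfs=/var/lib/nginx/tmp
-Tmpfs=/var/lib/nginx/logs
-PublishPort=80:80
-PublishPort=443:443
-Sysctl=net.ipv4.ip_unprivileged_port_start=80
-AutoUpdate=registry
-[Install]
-WantedBy=multi-user.target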