From 78d542ea29a6324bd7b58e745b2d2f804308932b Mon Sep 17 00:00:00 2001
From: Mathieu Strypsteen
Date: Wed, 11 Sep 2024 20:39:15 +0200
Subject: [PATCH] Fix nginx security
---
 common/etc/ssh/ssh_config | 2 +-
 container-config/nginx-home/code | 3 +--
 container-config/nginx-home/llm | 3 +--
 container-config/nginx-home/monitoring | 3 +--
 container-config/nginx-home/network | 3 +--
 container-config/nginx-home/remote-desktop | 3 +--
 container-config/nginx/snippets/local-only.conf | 4 ++++
 .../systemd/certbot.container.d/override.conf | 3 ---
 home/etc/containers/systemd/forgejo.container | 2 +-
 home/etc/containers/systemd/nginx.container | 15 ---------------
 10 files changed, 11 insertions(+), 30 deletions(-)
 create mode 100644 container-config/nginx/snippets/local-only.conf
 delete mode 100644 home/etc/containers/systemd/certbot.container.d/override.conf
 delete mode 100644 home/etc/containers/systemd/nginx.container
diff --git a/common/etc/ssh/ssh_config b/common/etc/ssh/ssh_config
index 573a61b..6e2c515 100644
--- a/common/etc/ssh/ssh_config
+++ b/common/etc/ssh/ssh_config
@@ -7,7 +7,7 @@ AddKeysToAgent yes
 ExitOnForwardFailure yes
 Host pve
 HostName pve.strypsteen.com
-Host
+Host infra
 HostName infra.server.home.arpa
 Host home
 HostName home.server.home.arpa
diff --git a/container-config/nginx-home/code b/container-config/nginx-home/code
index 8824f47..3eb29c2 100644
--- a/container-config/nginx-home/code
+++ b/container-config/nginx-home/code
@@ -3,9 +3,8 @@ server {
 server_name *.code-proxy.strypsteen.com;
 listen 443 ssl;
 listen [::]:443 ssl;
- deny 10.0.0.1;
- deny fd00::1;
 include snippets/headers.conf;
+ include snippets/local-only.conf;
 location / {
 set $upstream sandbox.server.home.arpa;
 proxy_pass http://$upstream:8080;
diff --git a/container-config/nginx-home/llm b/container-config/nginx-home/llm
index 1884aa2..a4200a6 100644
--- a/container-config/nginx-home/llm
+++ b/container-config/nginx-home/llm
@@ -2,9 +2,8 @@ server {
 server_name llm.strypsteen.com;
 listen 443 ssl;
 listen [::]:443 ssl;
- deny 10.0.0.1;
- deny fd00::1;
 include snippets/headers.conf;
+ include snippets/local-only.conf;
 location / {
 set $upstream home.server.home.arpa;
 proxy_pass http://$upstream:8004;
diff --git a/container-config/nginx-home/monitoring b/container-config/nginx-home/monitoring
index fd32de8..a047ef7 100644
--- a/container-config/nginx-home/monitoring
+++ b/container-config/nginx-home/monitoring
@@ -2,9 +2,8 @@ server {
 server_name monitoring.strypsteen.com;
 listen 443 ssl;
 listen [::]:443 ssl;
- deny 10.0.0.1;
- deny fd00::1;
 include snippets/headers.conf;
+ include snippets/local-only.conf;
 location / {
 set $upstream home.server.home.arpa;
 proxy_pass http://$upstream:8008;
diff --git a/container-config/nginx-home/network b/container-config/nginx-home/network
index 92b476f..035f114 100644
--- a/container-config/nginx-home/network
+++ b/container-config/nginx-home/network
@@ -2,9 +2,8 @@ server {
 server_name network.strypsteen.com;
 listen 443 ssl;
 listen [::]:443 ssl;
- deny 10.0.0.1;
- deny fd00::1;
 include snippets/headers.conf;
+ include snippets/local-only.conf;
 add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'" always;
 location / {
 set $upstream home.server.home.arpa;
diff --git a/container-config/nginx-home/remote-desktop b/container-config/nginx-home/remote-desktop
index b27b38a..2dc3fba 100644
--- a/container-config/nginx-home/remote-desktop
+++ b/container-config/nginx-home/remote-desktop
@@ -2,9 +2,8 @@ server {
 server_name remote-desktop.strypsteen.com;
 listen 443 ssl;
 listen [::]:443 ssl;
- deny 10.0.0.1;
- deny fd00::1;
 include snippets/headers.conf;
+ include snippets/local-only.conf;
 add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'" always;
 location / {
 set $upstream gaming-vm.server.home.arpa;
diff --git a/container-config/nginx/snippets/local-only.conf b/container-config/nginx/snippets/local-only.conf
new file mode 100644
index 0000000..effc582
--- /dev/null
+++ b/container-config/nginx/snippets/local-only.conf
@@ -0,0 +1,4 @@
+allow 192.168.0.0/16;
+allow fe80::/10;
+allow fc00::/7;
+deny all;
diff --git a/home/etc/containers/systemd/certbot.container.d/override.conf b/home/etc/containers/systemd/certbot.container.d/override.conf
deleted file mode 100644
index f968e0e..0000000
--- a/home/etc/containers/systemd/certbot.container.d/override.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Container]
-Environment=CERTBOT_TYPE=home
-Secret=cloudflare
diff --git a/home/etc/containers/systemd/forgejo.container b/home/etc/containers/systemd/forgejo.container
index 16212dd..e2861b3 100644
--- a/home/etc/containers/systemd/forgejo.container
+++ b/home/etc/containers/systemd/forgejo.container
@@ -7,7 +7,7 @@ Secret=forgejo-token
 Secret=forgejo-jwt-secret
 Environment=GITEA_APP_INI=/etc/gitea/app.ini
 PublishPort=2222:2222
-PublishPort=8003:80
+PublishPort=8003:3000
 AutoUpdate=registry
 [Install]
 WantedBy=multi-user.target
diff --git a/home/etc/containers/systemd/nginx.container b/home/etc/containers/systemd/nginx.container
deleted file mode 100644
index 5f1efa1..0000000
--- a/home/etc/containers/systemd/nginx.container
+++ /dev/null
@@ -1,15 +0,0 @@
-[Container]
-Image=cgr.dev/chainguard/nginx
-Network=nginx.network
-Volume=/var/lib/system-config/container-config/nginx:/etc/nginx:z,ro
-Volume=/var/lib/system-config/container-config/nginx-home:/etc/nginx-sites:z,ro
-Volume=/var/lib/system-config/container-config/site:/var/www:z,ro
-Volume=/etc/certificates:/etc/certificates:z,ro
-Tmpfs=/var/lib/nginx/tmp
-Tmpfs=/var/lib/nginx/logs
-PublishPort=80:80
-PublishPort=443:443
-Sysctl=net.ipv4.ip_unprivileged_port_start=80
-AutoUpdate=registry
-[Install]
-WantedBy=multi-user.target
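Review bot: `allow fc00::/7;` re-admits fd00::1, the address every nginx-home site explicitly denied until this commit, because fd00::1 falls inside the ULA range whereas its IPv4 counterpart 10.0.0.1 falls outside 192.168.0.0/16 and stays denied. If fd00::1 is still the source that host-originated or forwarded traffic reaches the container from (the removed deny rules suggest it was worth blocking), that path is now open on IPv6 but closed on IPv4; add `deny fd00::1;` ahead of the allow lines, or narrow the allow to the ULA prefix actually in use. nginx evaluates allow/deny in order with the first match winning, so the deny must precede `allow fc00::/7;`. A header comment stating what each range is meant to admit, e.g. `# LAN clients only: IPv4 LAN, IPv6 link-local and ULA; everything else is denied`, would make the intent reviewable.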
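Review bot: `PublishPort=8003:3000` carries no host address, so Forgejo's HTTP port is bound on every host interface and is reachable without passing through the nginx allow-list this commit introduces; since the old mapping pointed at container port 80, the service was presumably unreachable before and this exposure is effectively new. If the only intended client is the reverse proxy, bind the publish to the interface it uses, e.g. `PublishPort=<lan-address>:8003:3000`, or restrict host port 8003 to the proxy's address in the host firewall. Whether the host has any non-LAN-facing interface is not visible here, so this may be acceptable on a LAN-only machine.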