From 7673c9ae071b42d53c16e80268c2897cc35fd066 Mon Sep 17 00:00:00 2001
From: Julien-Broyard
Date: Tue, 18 Jun 2019 01:19:05 +0200
Subject: [PATCH 1/3] Add headers to nginx

---
 docker/nginx/config/sites-available/ideka-api.new-talents.fr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docker/nginx/config/sites-available/ideka-api.new-talents.fr b/docker/nginx/config/sites-available/ideka-api.new-talents.fr
index b8b55ba..4d4a52e 100644
--- a/docker/nginx/config/sites-available/ideka-api.new-talents.fr
+++ b/docker/nginx/config/sites-available/ideka-api.new-talents.fr
@@ -29,6 +29,11 @@ server {
 }
 location ~ ^/index\.php(/|$) {
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'self'; frame-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; reflected-xss block; referrer no-referrer";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=63072000";
 fastcgi_pass ideka_api:9000;
 fastcgi_split_path_info ^(.+\.php)(/.*)$;
 include fastcgi_params;

From e45199e937011c7f7dda9747a0828661c90b8fad Mon Sep 17 00:00:00 2001
From: Julien-Broyard
Date: Tue, 18 Jun 2019 01:44:54 +0200
Subject: [PATCH 2/3] Refactor and add more security headers

---
 docker/nginx/Dockerfile | 1 +
 docker/nginx/config/nginx.conf | 1 +
 docker/nginx/config/security.conf | 10 ++++++++++
 .../config/sites-available/ideka-api.new-talents.fr | 5 -----
 ideka.dist.env | 6 ------
 5 files changed, 12 insertions(+), 11 deletions(-)
 create mode 100644 docker/nginx/config/security.conf
 delete mode 100644 ideka.dist.env

diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile
index 93012cd..9f5f8f1 100644
--- a/docker/nginx/Dockerfile
+++ b/docker/nginx/Dockerfile
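Review bot: `reflected-xss block` and `referrer no-referrer` inside the Content-Security-Policy value are not directives in the CSP Level 2/3 specifications (they only existed in an early draft), so browsers ignore them and log a console warning; the same value is carried into docker/nginx/config/security.conf by PATCH 2/3. Drop both tokens and keep referrer control in a separate `Referrer-Policy` header, as PATCH 2/3 already adds. `frame-ancestors 'none'` also contradicts `X-Frame-Options "SAMEORIGIN"` two lines below: where a browser supports frame-ancestors the CSP directive takes precedence and blocks even same-origin framing, so the two should express one policy (`frame-ancestors 'self'` with SAMEORIGIN, or `X-Frame-Options "DENY"` with 'none'). The server block enclosing this location starts outside the hunk.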
@@ -1,5 +1,6 @@
 FROM nginx:latest
+COPY config/security.conf /etc/nginx/security.conf
 COPY config/nginx.conf /etc/nginx/nginx.conf
 COPY config/sites-available/* /etc/nginx/sites-available/
 COPY docker-entrypoint.sh /entrypoint.sh
diff --git a/docker/nginx/config/nginx.conf b/docker/nginx/config/nginx.conf
index 0210f18..a35dfba 100644
--- a/docker/nginx/config/nginx.conf
+++ b/docker/nginx/config/nginx.conf
@@ -36,6 +36,7 @@ http {
 client_max_body_size 2M;
+ include /etc/nginx/security.conf;
 include /etc/nginx/conf.d/*conf;
 include /etc/nginx/sites-enabled/*;
 }
\ No newline at end of file
diff --git a/docker/nginx/config/security.conf b/docker/nginx/config/security.conf
new file mode 100644
index 0000000..7ea52c6
--- /dev/null
+++ b/docker/nginx/config/security.conf
@@ -0,0 +1,10 @@
+add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'self'; frame-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; reflected-xss block; referrer no-referrer" always;
+add_header Referrer-Policy "no-referrer" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+
+location ~ /\.(?!well-known) {
+ deny all;
+}
\ No newline at end of file
diff --git a/docker/nginx/config/sites-available/ideka-api.new-talents.fr b/docker/nginx/config/sites-available/ideka-api.new-talents.fr
index 4d4a52e..b8b55ba 100644
--- a/docker/nginx/config/sites-available/ideka-api.new-talents.fr
+++ b/docker/nginx/config/sites-available/ideka-api.new-talents.fr
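Review bot: The six `add_header` lines in the new security.conf are included from the `http` context, and nginx inherits add_header from an outer level only when the current level defines none of its own, so a single `add_header` later placed in a `server` or `location` block of a vhost silently drops every header here for that scope; the file should open with a comment stating this, e.g. `# Included at http level. Any add_header in a server/location block replaces this entire set for that scope; repeat these headers there if one is needed.` The `location ~ /\.(?!well-known)` block at the end of the file is not permitted in the http context where nginx.conf now includes it, so the configuration does not load at this point in the series (PATCH 3/3 removes the block again); a `location` only belongs inside a `server` block. The HSTS `preload` token is also a hard-to-reverse commitment to have the domain and all subdomains added to the browser preload lists, which is worth confirming before it ships.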
@@ -29,11 +29,6 @@ server {
 }
 location ~ ^/index\.php(/|$) {
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'self'; frame-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; reflected-xss block; referrer no-referrer";
- add_header X-Content-Type-Options "nosniff";
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header Strict-Transport-Security "max-age=63072000";
 fastcgi_pass ideka_api:9000;
 fastcgi_split_path_info ^(.+\.php)(/.*)$;
 include fastcgi_params;
diff --git a/ideka.dist.env b/ideka.dist.env
deleted file mode 100644
index 0bcda17..0000000
--- a/ideka.dist.env
+++ /dev/null
@@ -1,6 +0,0 @@
-MYSQL_ROOT_PASSWORD=ideka
-MYSQL_USER=ideka
-MYSQL_PASSWORD=ideka
-MYSQL_DATABASE=ideka_api
-
-NGINX_ENABLED_VHOST=local.api.ideka.fr
\ No newline at end of file

From d3652b60e583c14c7c4a3ac377c9a5af75c4ac98 Mon Sep 17 00:00:00 2001
From: Julien-Broyard
Date: Tue, 18 Jun 2019 01:56:13 +0200
Subject: [PATCH 3/3] Add more headers

---
 docker/nginx/config/nginx.conf | 21 ++++++++++++++++++-
 docker/nginx/config/security.conf | 4 ----
 .../config/sites-available/local.api.ideka.fr | 2 ++
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/docker/nginx/config/nginx.conf b/docker/nginx/config/nginx.conf
index a35dfba..a73bafd 100644
--- a/docker/nginx/config/nginx.conf
+++ b/docker/nginx/config/nginx.conf
@@ -5,10 +5,28 @@ error_log /var/log/nginx/error.log warn;
 pid /var/run/nginx.pid;
 events {
- worker_connections 1024;
+ multi_accept on;
+ worker_connections 1024;
 }
 http {
+ log_not_found off;
+ server_tokens off;
+ tcp_nodelay on;
+ charset utf-8;
+ tcp_nopush on;
+
+ resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+ resolver_timeout 2s;
+
+ ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_stapling_verify on;
+ ssl_protocols TLSv1.3;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
@@ -35,6 +53,7 @@ http {
 gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
 client_max_body_size 2M;
+ types_hash_max_size 2048;
 include /etc/nginx/security.conf;
 include /etc/nginx/conf.d/*conf;
diff --git a/docker/nginx/config/security.conf b/docker/nginx/config/security.conf
index 7ea52c6..4660da7 100644
--- a/docker/nginx/config/security.conf
+++ b/docker/nginx/config/security.conf
@@ -4,7 +4,3 @@ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; prelo
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-XSS-Protection "1; mode=block" always;
-
-location ~ /\.(?!well-known) {
- deny all;
-}
\ No newline at end of file
diff --git a/docker/nginx/config/sites-available/local.api.ideka.fr b/docker/nginx/config/sites-available/local.api.ideka.fr
index efe33d6..5c1ecb7 100644
--- a/docker/nginx/config/sites-available/local.api.ideka.fr
+++ b/docker/nginx/config/sites-available/local.api.ideka.fr
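Review bot: `ssl_ciphers` is given only TLS 1.3 suite names, but nginx hands that string to OpenSSL's cipher-list API, which governs TLS 1.2-and-earlier suites and does not recognise TLS 1.3 names, so depending on the OpenSSL build the line is either ignored or rejected at startup with a "no cipher match" error; TLS 1.3 suites come from OpenSSL's defaults (or `ssl_conf_command Ciphersuites` on nginx 1.19.4 and later). Combined with `ssl_protocols TLSv1.3;` this also drops TLS 1.2 entirely, which excludes a substantial share of clients at this date, so `ssl_protocols TLSv1.2 TLSv1.3;` together with a modern TLS 1.2 cipher list is the usual choice. `ssl_stapling on` with `ssl_stapling_verify on` additionally needs the issuer chain configured through `ssl_trusted_certificate` in each server block, otherwise the stapled response is silently omitted — worth confirming in the vhosts, which are outside this hunk. The `http` block continues past the end of the hunk.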
@@ -21,6 +21,8 @@ server {
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
 fastcgi_param DOCUMENT_ROOT $realpath_root;
+ fastcgi_buffers 8 16k;
+ fastcgi_buffer_size 32k;
 }
 # return 404 for all other php files not matching the front controller
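Review bot: This patch removes the `location ~ /\.(?!well-known) { deny all; }` rule from security.conf without re-adding it in any server block, so requests for dotfiles under the document root (a stray `.env` or `.git/` directory, for example) are no longer denied; since `location` is only valid inside `server`, this vhost and ideka-api.new-talents.fr are where the rule belongs, e.g. `location ~ /\.(?!well-known) { deny all; }` placed alongside the block shown here. The `fastcgi_buffers` and `fastcgi_buffer_size` additions themselves look fine. The enclosing server block starts and ends outside the hunk.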