From 2d37d26e284dd6dafabe512ac1ec0672c43decf2 Mon Sep 17 00:00:00 2001 From: Kevin MacMartin Date: Tue, 23 Jul 2024 13:09:39 -0400 Subject: [PATCH] Remove the mail and stats templates as they're out of date by now, and add http2 to the main REPLACEME.TLD.conf --- nginx/sites-available/REPLACEME.TLD.conf | 1 + nginx/sites-available/mail.REPLACEME.TLD.conf | 93 ------------------ .../sites-available/stats.REPLACEME.TLD.conf | 95 ------------------- 3 files changed, 1 insertion(+), 188 deletions(-) delete mode 100644 nginx/sites-available/mail.REPLACEME.TLD.conf delete mode 100644 nginx/sites-available/stats.REPLACEME.TLD.conf diff --git a/nginx/sites-available/REPLACEME.TLD.conf b/nginx/sites-available/REPLACEME.TLD.conf index ff4e7e8..f43921a 100644 --- a/nginx/sites-available/REPLACEME.TLD.conf +++ b/nginx/sites-available/REPLACEME.TLD.conf @@ -19,6 +19,7 @@ server { listen 443 ssl; server_name REPLACEME.TLD; root /srv/http/REPLACEME.TLD/public; + http2 on; ssl_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/REPLACEME.TLD/privkey.pem; diff --git a/nginx/sites-available/mail.REPLACEME.TLD.conf b/nginx/sites-available/mail.REPLACEME.TLD.conf deleted file mode 100644 index bb40f56..0000000 --- a/nginx/sites-available/mail.REPLACEME.TLD.conf +++ /dev/null @@ -1,93 +0,0 @@ -# ROUNDCUBE CONFIGURATION - -server { - listen 80; - server_name mail.REPLACEME.TLD; - return 301 https://mail.REPLACEME.TLD$request_uri; -} - -server { - listen 443 ssl; - server_name mail.REPLACEME.TLD; - root /usr/share/webapps/roundcubemail; - - ssl_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/REPLACEME.TLD/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:50m; - - # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits - # Generate with: openssl dhparam -out /etc/nginx/dhparam.pem 4096 - ssl_dhparam /etc/nginx/dhparam.pem; - - # Mozilla "Intermediate configuration" copied from https://mozilla.github.io/server-side-tls/ssl-config-generator/ - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - ssl_prefer_server_ciphers on; - - # OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them - ssl_stapling on; - ssl_stapling_verify on; - - # Protect against XSS and clickjacking - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; - - index index.php; - charset utf-8; - - include /etc/nginx/h5bp/basic.conf; - - location / { try_files $uri $uri/ /index.php?$query_string; } - - location ~ ^/webmail/favicon.ico$ { - root /usr/share/webapps/roundcubemail/skins/classic/images; - log_not_found off; - access_log off; - expires max; - } - - location ~ ^/webmail/robots.txt { - allow all; - log_not_found off; - access_log off; - } - - location ~ ^/webmail/(config|temp|logs)/ { - deny all; - } - - location ~ ^/webmail/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { - deny all; - } - - location ~ ^/webmail/(bin|SQL)/ { - deny all; - } - - location ~ ^/webmail/(.+\.md)$ { - deny all; - } - - location ~ ^/webmail/\. { - deny all; - access_log off; - log_not_found off; - } - - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/php-fpm/php-fpm.sock; - fastcgi_index index.php; - include fastcgi.conf; - } - - location = /favicon.ico { access_log off; log_not_found off; } - location = /robots.txt { access_log off; log_not_found off; } - location ~ /\.ht { deny all; } -} diff --git a/nginx/sites-available/stats.REPLACEME.TLD.conf b/nginx/sites-available/stats.REPLACEME.TLD.conf deleted file mode 100644 index 7860652..0000000 --- a/nginx/sites-available/stats.REPLACEME.TLD.conf +++ /dev/null @@ -1,95 +0,0 @@ -# MATOMO CONFIGURATION - -server { - listen [::]:80; - listen 80; - server_name stats.REPLACEME.TLD; - return 301 https://$host$request_uri; -} - -server { - listen [::]:443 ssl; - listen 443 ssl; - http2 on; - server_name stats.REPLACEME.TLD; - root /srv/http/stats.REPLACEME.TLD; - - access_log /var/log/nginx/matomo.access.log; - error_log /var/log/nginx/matomo.error.log; - - ssl_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/REPLACEME.TLD/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:50m; - - # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits - # Generate with: openssl dhparam -out /etc/nginx/dhparam.pem 4096 - ssl_dhparam /etc/nginx/dhparam.pem; - - # Mozilla "Intermediate configuration" copied from https://mozilla.github.io/server-side-tls/ssl-config-generator/ - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - ssl_prefer_server_ciphers on; - - # OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them - ssl_stapling on; - ssl_stapling_verify on; - - add_header Referrer-Policy origin always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; - - index index.php; - charset utf-8; - - location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php { - include fastcgi.conf; - fastcgi_param HTTP_PROXY ""; - fastcgi_pass unix:/run/php-fpm/php-fpm.sock; - } - - location ~* ^.+\.php$ { - deny all; - return 403; - } - - location / { - try_files $uri $uri/ =404; - } - - location ~ /(config|tmp|core|lang) { - deny all; - return 404; - } - - location ~ /\.ht { - deny all; - return 403; - } - - location ~ js/container_.*_preview\.js$ { - expires off; - add_header Cache-Control 'private, no-cache, no-store'; - } - - location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ { - allow all; - expires 1h; - add_header Pragma public; - add_header Cache-Control "public"; - } - - location ~ /(libs|vendor|plugins|misc/user) { - deny all; - return 403; - } - - location ~/(.*\.md|LEGALNOTICE|LICENSE) { - default_type text/plain; - } -}