From 31b0f3f3fbba661cde4b79dcbb8f3e170b3055ba Mon Sep 17 00:00:00 2001 From: etec-masterofsynapse Date: Sun, 7 Aug 2022 00:27:23 +0200 Subject: [PATCH] Split and renew SSL configs, adjust nginx vhost config --- sites-available/matomo.conf | 19 ++++++++++++++----- ssl-intermediate.conf | 18 ++++++++++++++++++ ssl-modern.conf | 17 +++++++++++++++++ ssl.conf | 21 --------------------- 4 files changed, 49 insertions(+), 26 deletions(-) create mode 100644 ssl-intermediate.conf create mode 100644 ssl-modern.conf delete mode 100644 ssl.conf diff --git a/sites-available/matomo.conf b/sites-available/matomo.conf index 86b5313..7d7a24a 100644 --- a/sites-available/matomo.conf +++ b/sites-available/matomo.conf @@ -7,6 +7,7 @@ server { return 301 https://$host$request_uri; } } + server { listen [::]:443 ssl http2; # remove this if you don't want Matomo to be reachable from IPv6 listen 443 ssl http2; @@ -21,10 +22,13 @@ server { ## replace with your SSL certificate ssl_certificate /etc/letsencrypt/live/matomo.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/matomo.example.com/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - include ssl.conf; # if you want to support older browsers, please read through this file + # Special generated ssl configs if the LetsEncrypt provided settings (two lines above) don't suffice + #include ssl-intermediate.conf; # Intermediate SSL config generated by https://ssl-config.mozilla.org/; if you want the modern config, comment this line and uncomment the one below + #include ssl-modern.conf # Modern SSL config generated by https://ssl-config.mozilla.org/ - add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; 
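Review bot: The commented-out modern include, `#include ssl-modern.conf # Modern SSL config generated by https://ssl-config.mozilla.org/`, has no terminating semicolon, so the moment someone follows the instruction and uncomments it nginx rejects the vhost with `directive "include" is not terminated by ";"` (the `#` opens a comment before any `;` is seen); it should read `#include ssl-modern.conf; # Modern SSL config generated by https://ssl-config.mozilla.org/`. The guidance above it ("if the LetsEncrypt provided settings ... don't suffice") also reads as if a Mozilla file is added on top of `include /etc/letsencrypt/options-ssl-nginx.conf;`, but that certbot snippet normally sets `ssl_protocols` and `ssl_ciphers` itself and nginx refuses a second declaration of those directives in the same block, so the comment should say to replace the certbot include rather than supplement it. Separately, the new side no longer sends `Referrer-Policy`; if dropping the header that kept the Matomo URL out of outgoing links was intentional it deserves a line in the commit message, otherwise `add_header Referrer-Policy origin always;` (or `strict-origin-when-cross-origin`) belongs back next to the other `add_header` lines. The `server` block this hunk edits starts and ends outside the hunk.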
@@ -32,12 +36,17 @@ server { index index.php; + # Necessary for Let's Encrypt Domain Name ownership validation. Place any other deny rules after this + location ~ /.well-known { + allow all; + } + ## only allow accessing the following php files location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ { include snippets/fastcgi-php.conf; # if your Nginx setup doesn't come with a default fastcgi-php config, you can fetch it from https://github.com/nginx/nginx/blob/master/conf/fastcgi.conf - try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here. + #try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line isn't already included in your snippets/fastcgi-php.conf you can uncomment it here. fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/ - fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; #replace with the path to your PHP socket file + fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; #replace with the path to your PHP socket file #fastcgi_pass 127.0.0.1:9000; # uncomment if you are using PHP via TCP sockets (e.g. Docker container) } @@ -83,7 +92,7 @@ server { } ## properly display textfiles in root directory - location ~/(.*\.md|LEGALNOTICE|LICENSE) { + location ~ /(.*\.md|LEGALNOTICE|LICENSE) { default_type text/plain; } } diff --git a/ssl-intermediate.conf b/ssl-intermediate.conf new file mode 100644 index 0000000..b5fc45e --- /dev/null +++ b/ssl-intermediate.conf 
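Review bot: The new `location ~ /.well-known { allow all; }` is an unanchored regex with an unescaped dot, so it matches any URI that merely contains `/.well-known` (or `/xwell-known`) at any depth, and since regex locations are tried in file order it claims e.g. `/tmp/.well-known/x` before any later `deny` location sees it — while `allow all;` itself changes nothing unless a deny rule would otherwise apply. Certbot only needs the challenge path, so a prefix location that also outranks every regex location is the safer shape: `location ^~ /.well-known/acme-challenge/ { default_type text/plain; }` (keep `allow all;` inside it if deny rules are ever placed in front). Commenting out `try_files $fastcgi_script_name =404;` by default also drops the CVE-2019-11043 guard for anyone whose `snippets/fastcgi-php.conf` lacks it — the comment on the `include` line even points such users at upstream's `fastcgi.conf`, which as far as I recall only sets `fastcgi_param` — and a duplicate `try_files` fails `nginx -t` loudly whereas the missing guard fails silently, so the previous default was the safer one. The `server` block around these locations starts and ends outside the hunk.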
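Review bot: The repaired `location ~ /(.*\.md|LEGALNOTICE|LICENSE)` is still unanchored, so despite the "root directory" comment it also matches `/plugins/Foo/README.md` or a `/LICENSE` at any depth. Anchoring both ends limits it to the files the comment describes: `location ~ ^/([^/]+\.md|LEGALNOTICE|LICENSE)$ {`. The enclosing `server` block starts outside the hunk.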
@@ -0,0 +1,18 @@
+# generated 2022-08-06, Mozilla Guideline v5.6, nginx 1.23.1, OpenSSL 1.1.1f, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.23.1&config=intermediate&openssl=1.1.1f&guideline=5.6
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# OCSP Stapling ---
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# vim: filetype=nginx
diff --git a/ssl-modern.conf b/ssl-modern.conf
new file mode 100644
index 0000000..ed3def6
--- /dev/null
+++ b/ssl-modern.conf
@@ -0,0 +1,17 @@
+# generated 2022-08-06, Mozilla Guideline v5.6, nginx 1.23.1, OpenSSL 1.1.1f, modern configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.23.1&config=modern&openssl=1.1.1f&guideline=5.6
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# modern configuration
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+# OCSP Stapling ---
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# vim: filetype=nginx
diff --git a/ssl.conf b/ssl.conf
deleted file mode 100644
index 37e2b47..0000000
--- a/ssl.conf
+++ /dev/null
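Review bot: `ssl_stapling on;` is copied over without a `resolver`, and nginx needs one to look up the OCSP responder's hostname; unless a `resolver` is already set in the http block (not visible here), stapling fails silently with only a warning in error.log and clients get no stapled response. The nginx docs additionally want the issuer chain configured via `ssl_trusted_certificate` for `ssl_stapling_verify on;`, which neither this file nor the vhost sets; in practice the intermediate inside Let's Encrypt's fullchain.pem often suffices, but it is worth being explicit. I would add `resolver 127.0.0.1; # replace with your resolver` here and `ssl_trusted_certificate /etc/letsencrypt/live/matomo.example.com/chain.pem;` in the vhost next to the other certificate paths, and note in the header comment that the generator's own output of those lines was otherwise left out. The same applies to ssl-modern.conf in the next hunk.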
@@ -1,21 +0,0 @@
-##
-## Modern profile created with the Mozilla SSL Configuration Generator
-## Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
-## If you need to support older clients, create your own config here
-## https://mozilla.github.io/server-side-tls/ssl-config-generator/
-
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
-ssl_session_tickets off;
-
-# modern configuration. tweak to your needs.
-ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-ssl_prefer_server_ciphers on;
-
-# OCSP Stapling ---
-# fetch OCSP records from URL in ssl_certificate and cache them
-ssl_stapling on;
-ssl_stapling_verify on;
-
-# vim: filetype=nginx