Split and renew SSL configs, adjust nginx vhost config #68

wants to merge 2 commits into
base: master
19 changes: 14 additions & 5 deletions sites-available/matomo.conf
Expand Up @@ -7,6 +7,7 @@ server {
return 301 https://$host$request_uri;
}
}

server {
listen [::]:443 ssl http2; # remove this if you don't want Matomo to be reachable from IPv6
listen 443 ssl http2;
Expand All @@ -21,23 +22,31 @@ server {
## replace with your SSL certificate
ssl_certificate /etc/letsencrypt/live/matomo.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matomo.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

include ssl.conf; # if you want to support older browsers, please read through this file
# Special generated ssl configs if the LetsEncrypt provided settings (two lines above) don't suffice
#include ssl-intermediate.conf; # Intermediate SSL config generated by https://ssl-config.mozilla.org/; if you want the modern config, comment this line and uncomment the one below
#include ssl-modern.conf # Modern SSL config generated by https://ssl-config.mozilla.org/

add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;

root /var/www/matomo/; # replace with path to your matomo instance

index index.php;

# Necessary for Let's Encrypt Domain Name ownership validation. Place any other deny rules after this
location ~ /.well-known {
allow all;
}

## only allow accessing the following php files
location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ {
include snippets/fastcgi-php.conf; # if your Nginx setup doesn't come with a default fastcgi-php config, you can fetch it from https://github.com/nginx/nginx/blob/master/conf/fastcgi.conf
try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
#try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line isn't already included in your snippets/fastcgi-php.conf you can uncomment it here.
fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; #replace with the path to your PHP socket file
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; #replace with the path to your PHP socket file
#fastcgi_pass 127.0.0.1:9000; # uncomment if you are using PHP via TCP sockets (e.g. Docker container)
}

Expand Down Expand Up @@ -83,7 +92,7 @@ server {
}

## properly display textfiles in root directory
location ~/(.*\.md|LEGALNOTICE|LICENSE) {
location ~ /(.*\.md|LEGALNOTICE|LICENSE) {
default_type text/plain;
}
}
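Review bot: The new commented-out line `#include ssl-modern.conf # Modern SSL config ...` has no terminating semicolon, so uncommenting it as the preceding comment instructs will fail `nginx -t` (the `#` starts a comment before the directive is terminated); it should read `#include ssl-modern.conf; # Modern SSL config generated by https://ssl-config.mozilla.org/`. Commenting out `try_files $fastcgi_script_name =404;` also turns the CVE-2019-11043 guard into opt-in: a snippets/fastcgi-php.conf that lacks the directive fails silently, whereas a duplicate is rejected loudly at config test, so keeping the line active is the safer default and the old comment already covered the duplicate case. Note too that certbot's options-ssl-nginx.conf sets `ssl_protocols`, `ssl_ciphers` and the `ssl_session_*` directives that ssl-intermediate.conf / ssl-modern.conf set as well, so nginx will most likely reject the duplicates if both are included; the comment on the `#include ssl-intermediate.conf;` line should say to replace the certbot include rather than add to it. The enclosing `server {` block of these hunks begins outside the hunk.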
18 changes: 18 additions & 0 deletions ssl-intermediate.conf
@@ -0,0 +1,18 @@
# generated 2022-08-06, Mozilla Guideline v5.6, nginx 1.23.1, OpenSSL 1.1.1f, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.23.1&config=intermediate&openssl=1.1.1f&guideline=5.6

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

# vim: filetype=nginx
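Review bot: `ssl_stapling on;` / `ssl_stapling_verify on;` are set without the `ssl_trusted_certificate` and `resolver` directives that the Mozilla generator emits next to them, so nginx will most likely be unable to resolve the OCSP responder or verify its response and will silently staple nothing. Either add `ssl_trusted_certificate <PATH-TO-ISSUER-CHAIN>;` and `resolver <RESOLVER-IP>;` (placeholders) to the vhost that includes this file, or add a comment here stating that the including server block must provide them. The same omission is in ssl-modern.conf. A brief header comment noting which directives were intentionally dropped from the generator output would also help reviewers compare this file against a regenerated one.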
17 changes: 17 additions & 0 deletions ssl-modern.conf
@@ -0,0 +1,17 @@
# generated 2022-08-06, Mozilla Guideline v5.6, nginx 1.23.1, OpenSSL 1.1.1f, modern configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.23.1&config=modern&openssl=1.1.1f&guideline=5.6

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# modern configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

# vim: filetype=nginx
21 changes: 0 additions & 21 deletions ssl.conf

This file was deleted.