diff --git a/nginx/configs/proxyheaders.conf b/nginx/configs/proxy.conf
similarity index 100%
rename from nginx/configs/proxyheaders.conf
rename to nginx/configs/proxy.conf
diff --git a/nginx/configs/securityheaders.conf b/nginx/configs/security.conf
similarity index 90%
rename from nginx/configs/securityheaders.conf
rename to nginx/configs/security.conf
index b86df20..f0ebe5f 100644
--- a/nginx/configs/securityheaders.conf
+++ b/nginx/configs/security.conf
@@ -1,7 +1,7 @@
 # security headers
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Content-Type-Options "nosniff" always;
-add_header X-Frame-Options "sameorigin" always;
+add_header X-Frame-Options "sameorigin" always;
 add_header Referrer-Policy "no-referrer-when-downgrade" always;
 #add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
 add_header Permissions-Policy "interest-cohort=()" always;
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 6cfe2a8..4db06e1 100755
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -63,31 +63,6 @@ http {
 # maximum time between packets nginx is allowed to pause when sending the client data
 send_timeout 10s;
- # Connection header for WebSocket reverse proxy
- map $http_upgrade $connection_upgrade {
- default upgrade;
- "" close;
- }
-
- map $remote_addr $proxy_forwarded_elem {
-
- # IPv4 addresses can be sent as-is
- ~^[0-9.]+$ "for=$remote_addr";
-
- # IPv6 addresses need to be bracketed and quoted
- ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
-
- # Unix domain socket names cannot be represented in RFC 7239 syntax
- default "for=unknown";
- }
-
- map $http_forwarded $proxy_add_forwarded {
-
- # If the incoming Forwarded header is syntactically valid, append to it
- "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
-
- # Otherwise, replace it
- default "$proxy_forwarded_elem";
- }
+ include /etc/nginx/snippets/maps.conf;
 }
diff --git a/nginx/sites-available-archive/i.zzls.xyz.conf b/nginx/sites-available-archive/i.zzls.xyz.conf
index caaa252..4a65a61 100644
--- a/nginx/sites-available-archive/i.zzls.xyz.conf
+++ b/nginx/sites-available-archive/i.zzls.xyz.conf
@@ -12,7 +12,7 @@ server {
 location / {
 client_max_body_size 51M;
 proxy_pass http://127.0.0.1:40007/;
- include configs/proxyheaders.conf;
+ include configs/proxy.conf;
 proxy_intercept_errors on;
 error_page 404 = /error;
 }
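Review bot: The replacement line `+ include /etc/nginx/snippets/maps.conf;` hard-codes an absolute path, while every other include touched by this commit is relative to the nginx prefix (`include configs/proxy.conf;`), so the maps resolve only when the repository's `nginx/` directory is installed exactly at `/etc/nginx`, and `nginx -t` against a checkout in any other location fails. `include snippets/maps.conf;` keeps the two include styles consistent and works under any `-p` prefix. The enclosing `http {}` block starts before the hunk; the include has to stay inside it, since `map` is valid only in http context, so that constraint deserves a one-line comment either at the include or at the top of the snippet.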
diff --git a/nginx/sites-available-archive/paste.zzls.xyz.conf b/nginx/sites-available-archive/paste.zzls.xyz.conf
index c3dd5ff..18201fa 100755
--- a/nginx/sites-available-archive/paste.zzls.xyz.conf
+++ b/nginx/sites-available-archive/paste.zzls.xyz.conf
@@ -7,7 +7,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:40005/;
- include configs/proxyheaders.conf;
+ include configs/proxy.conf;
 }
 listen 443 ssl http2; # managed by Certbot
diff --git a/nginx/sites-available/logs.spanix.xyz.conf b/nginx/sites-available/logs.spanix.xyz.conf
index 309215a..7622398 100755
--- a/nginx/sites-available/logs.spanix.xyz.conf
+++ b/nginx/sites-available/logs.spanix.xyz.conf
@@ -7,7 +7,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:40004;
- include configs/proxyheaders.conf;
+ include configs/proxy.conf;
 }
 listen 443 ssl http2; # managed by Certbot
diff --git a/nginx/sites-available/logs.zzls.xyz.conf b/nginx/sites-available/logs.zzls.xyz.conf
index ec8afa3..a312769 100755
--- a/nginx/sites-available/logs.zzls.xyz.conf
+++ b/nginx/sites-available/logs.zzls.xyz.conf
@@ -7,7 +7,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:40003;
- include configs/proxyheaders.conf;
+ include configs/proxy.conf;
 # location ~ ^/(channel/rubius|channelid/39276140)/ {
 # return 401 "Los logs de Rubius han sido deshabilitados";
diff --git a/nginx/sites-available/lsf.spanix.team.conf b/nginx/sites-available/lsf.spanix.team.conf
index cd387d2..3ef56cc 100644
--- a/nginx/sites-available/lsf.spanix.team.conf
+++ b/nginx/sites-available/lsf.spanix.team.conf
@@ -7,7 +7,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:40050;
- include configs/proxyheaders.conf;
+ include configs/proxy.conf;
 }
diff --git a/nginx/snippets/maps.conf b/nginx/snippets/maps.conf
new file mode 100644
index 0000000..6df38aa
--- /dev/null
+++ b/nginx/snippets/maps.conf
@@ -0,0 +1,27 @@
+# Connection header for WebSocket reverse proxy
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ "" close;
+ }
+
+ map $remote_addr $proxy_forwarded_elem {
+
+ # IPv4 addresses can be sent as-is
+ ~^[0-9.]+$ "for=$remote_addr";
+
+ # IPv6 addresses need to be bracketed and quoted
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+ # Unix domain socket names cannot be represented in RFC 7239 syntax
+ default "for=unknown";
+ }
+
+ map $http_forwarded $proxy_add_forwarded {
+
+ # If the incoming Forwarded header is syntactically valid, append to it
+ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+ # Otherwise, replace it
+ default "$proxy_forwarded_elem";
+ }
\ No newline at end of file
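Review bot: The new file's only file-level comment, `# Connection header for WebSocket reverse proxy` on its first line, describes just the first of the three maps, so nothing tells a reader that `$proxy_forwarded_elem` and `$proxy_add_forwarded` are defined here or that the snippet must be included from `http {}`, the only context where `map` is allowed. A header such as `# http-context maps shared by the site configs: WebSocket Connection upgrade, plus RFC 7239 Forwarded-element construction for proxied requests` would cover that. Above the `$proxy_add_forwarded` map it is also worth stating that a syntactically valid client-supplied Forwarded header is preserved and only appended to, so an upstream reading `for=` must trust only the last element, the one this proxy adds, and never the first; which config actually consumes the variable (presumably `configs/proxy.conf` via `proxy_set_header`) is outside this diff. Finally, the file ends with `\ No newline at end of file`, and the one-level indentation carried over from the old `http {}` nesting no longer has a parent block to align with, so a trailing newline and column-0 directives would read cleaner.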