diff --git a/.examples/nginx-proxy-self-signed-ssl/docker-compose.yml b/.examples/nginx-proxy-self-signed-ssl/docker-compose.yml index aff4e03..429c659 100644 --- a/.examples/nginx-proxy-self-signed-ssl/docker-compose.yml +++ b/.examples/nginx-proxy-self-signed-ssl/docker-compose.yml @@ -115,13 +115,9 @@ services: volumes: data: - name: data www: - name: www db: - name: db certs: - name: certs networks: proxy-tier: diff --git a/.examples/nginx-proxy-self-signed-ssl/web/nginx.conf b/.examples/nginx-proxy-self-signed-ssl/web/nginx.conf index ec345ed..e6378d7 100644 --- a/.examples/nginx-proxy-self-signed-ssl/web/nginx.conf +++ b/.examples/nginx-proxy-self-signed-ssl/web/nginx.conf @@ -3,12 +3,10 @@ worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; - events { worker_connections 1024; } - http { include /etc/nginx/mime.types; default_type application/octet-stream; @@ -29,8 +27,7 @@ http { set_real_ip_from 192.168.0.0/16; real_ip_header X-Real-IP; - #gzip on; - + # Connect to app service upstream php-handler { server app:9000; } 
@@ -40,13 +37,24 @@ http { server_name monica; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy no-referrer; + ## HSTS ## + # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. + # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. + # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting + # removed from this list could take several months. + # + #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; root /var/www/html/public; @@ -66,7 +74,7 @@ http { error_page 404 500 502 503 504 /index.php; - location = /.well-known/(?:carddav|caldav) { + location ~ /\.well-known/(?:carddav|caldav) { return 301 $scheme://$host/dav; } location = /.well-known/security.txt { 
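Review bot: The re-added `add_header X-XSS-Protection "1; mode=block" always;` keeps a legacy control that current guidance says to disable: modern browsers no longer ship the XSS auditor it enables, and in the browsers that did, the filter itself was a source of cross-site information leaks, so `add_header X-XSS-Protection "0" always;` (or dropping the line) is the safer form. In the same hunk `fastcgi_hide_header X-Powered-By;` is justified as closing an information leak, yet the nginx version is still sent in the `Server` header and default error pages; adding `server_tokens off;` beside it closes that gap too. Both points apply unchanged to the identical header hunks in nginx-proxy/web/nginx.conf, supervisor/fpm-alpine/web/nginx.conf and supervisor/fpm/web/nginx.conf. The enclosing `server` block opens and closes outside this hunk.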
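Review bot: The new `location ~ /\.well-known/(?:carddav|caldav)` regex is unanchored, so the 301 also fires for any URI that merely contains that substring (a deeper path, or `/.well-known/carddav-anything`), not just the two discovery endpoints; `location ~ ^/\.well-known/(?:carddav|caldav)$ {` limits it to the intended paths. Because nginx tries `~` locations in file order, this block should also stay ahead of any other regex location that could match the same URIs. The redirect target `$scheme://$host/dav` is unchanged context, but behind the TLS-terminating proxy these examples appear to use, `$scheme` is presumably `http`, so the 301 may point at a plain-http URL before the proxy bounces it back — worth confirming against the proxy setup. The same hunk appears in the other three nginx.conf files of this commit.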
@@ -117,6 +125,23 @@ http { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; + ## HSTS ## + # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. + # Note it is intended to have those duplicated to the ones above. + # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. + # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting + # removed from this list could take several months. + # + #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + # Optional: Don't log access to assets access_log off; } @@ -127,5 +152,10 @@ http { # Optional: Don't log access to assets access_log off; } + + # deny access to .htaccess files + location ~ /\.ht { + deny all; + } } } diff --git a/.examples/nginx-proxy/docker-compose.yml b/.examples/nginx-proxy/docker-compose.yml index aeed69e..445ccfa 100644 --- a/.examples/nginx-proxy/docker-compose.yml +++ b/.examples/nginx-proxy/docker-compose.yml @@ -117,17 +117,11 @@ services: volumes: data: - name: data www: - name: www mysql: - name: mysql certs: - name: certs vhost.d: - name: vhost.d html: - name: html networks: proxy-tier: diff --git a/.examples/nginx-proxy/web/nginx.conf b/.examples/nginx-proxy/web/nginx.conf index ec345ed..e6378d7 100644 --- a/.examples/nginx-proxy/web/nginx.conf +++ b/.examples/nginx-proxy/web/nginx.conf 
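Review bot: The seven `add_header` lines copied into the asset `location` (necessary, as the comment notes, because nginx discards inherited `add_header` directives once a block defines its own — here `add_header Cache-Control`) create two copies that will drift the next time one is edited, and the HSTS comment block is duplicated with them. Keeping the list in a single snippet and referencing it from both the `server` block and this location with `include /etc/nginx/snippets/security-headers.conf;` (path illustrative) preserves the intended duplication without the maintenance cost. The same duplicated block is added in the other three nginx.conf files in this commit; the enclosing `server` block starts outside the hunk.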
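Review bot: The new `location ~ /\.ht { deny all; }` only covers Apache-style `.ht*` files, while any other dotfile that happens to sit under `root` would presumably still be reachable through `try_files`; a broader `location ~ /\.(?!well-known/) { deny all; }` blocks every hidden path while leaving the `.well-known` discovery URIs handled earlier in the file untouched. Because nginx evaluates `~` locations in file order and the first match wins, placing this block at the very end of the `server` block means any earlier regex location that also matches a hidden path takes precedence; moving it to the top of the location list makes the deny authoritative. The `server` and `http` blocks close here but open outside the hunk, and the same hunk is added to the other three nginx.conf files.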
@@ -3,12 +3,10 @@ worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; - events { worker_connections 1024; } - http { include /etc/nginx/mime.types; default_type application/octet-stream; @@ -29,8 +27,7 @@ http { set_real_ip_from 192.168.0.0/16; real_ip_header X-Real-IP; - #gzip on; - + # Connect to app service upstream php-handler { server app:9000; } @@ -40,13 +37,24 @@ http { server_name monica; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy no-referrer; + ## HSTS ## + # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. + # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. + # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting + # removed from this list could take several months. + # + #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; root /var/www/html/public; @@ -66,7 +74,7 @@ http { error_page 404 500 502 503 504 /index.php; - location = /.well-known/(?:carddav|caldav) { + location ~ /\.well-known/(?:carddav|caldav) { return 301 $scheme://$host/dav; } location = /.well-known/security.txt { 
@@ -117,6 +125,23 @@ http { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; + ## HSTS ## + # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. + # Note it is intended to have those duplicated to the ones above. + # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. + # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting + # removed from this list could take several months. + # + #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + # Optional: Don't log access to assets access_log off; } @@ -127,5 +152,10 @@ http { # Optional: Don't log access to assets access_log off; } + + # deny access to .htaccess files + location ~ /\.ht { + deny all; + } } } diff --git a/.examples/supervisor/apache/docker-compose.yml b/.examples/supervisor/apache/docker-compose.yml index 7025dcb..5834b43 100644 --- a/.examples/supervisor/apache/docker-compose.yml +++ b/.examples/supervisor/apache/docker-compose.yml @@ -26,8 +26,5 @@ services: volumes: data: - name: data www: - name: www mysql: - name: mysql diff --git a/.examples/supervisor/fpm-alpine/docker-compose.yml b/.examples/supervisor/fpm-alpine/docker-compose.yml index 7da8059..03d1deb 100644 --- a/.examples/supervisor/fpm-alpine/docker-compose.yml +++ b/.examples/supervisor/fpm-alpine/docker-compose.yml @@ -35,8 +35,5 @@ services: volumes: data: - name: data www: - name: www mysql: - name: mysql 
diff --git a/.examples/supervisor/fpm-alpine/web/nginx.conf b/.examples/supervisor/fpm-alpine/web/nginx.conf index ebe0675..e6378d7 100644 --- a/.examples/supervisor/fpm-alpine/web/nginx.conf +++ b/.examples/supervisor/fpm-alpine/web/nginx.conf @@ -3,12 +3,10 @@ worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; - events { worker_connections 1024; } - http { include /etc/nginx/mime.types; default_type application/octet-stream; @@ -24,8 +22,12 @@ http { keepalive_timeout 65; - #gzip on; + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.16.0.0/12; + set_real_ip_from 192.168.0.0/16; + real_ip_header X-Real-IP; + # Connect to app service upstream php-handler { server app:9000; } 
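Review bot: The added `set_real_ip_from` entries for all three RFC 1918 blocks make nginx accept `X-Real-IP` from any private-address peer, and in this supervisor/fpm-alpine example no dedicated proxy is visible in front of nginx, so the trusted peers presumably include every container on the Docker network and, when Docker's userland proxy is in use, published-port connections that arrive from the bridge gateway; a client could then pick the address that lands in access logs and in anything the app keys on client IP. Narrowing the list to the actual proxy address or network (for example `set_real_ip_from 172.18.0.2;`, an illustrative value) or omitting the block where nginx is itself the edge avoids that. The same four lines are added in supervisor/fpm/web/nginx.conf; the enclosing `http` block starts and ends outside the hunk.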
@@ -35,13 +37,24 @@ http { server_name monica; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy no-referrer; + ## HSTS ## + # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. + # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. + # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting + # removed from this list could take several months. + # + #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; root /var/www/html/public; @@ -61,7 +74,7 @@ http { error_page 404 500 502 503 504 /index.php; - location = /.well-known/(?:carddav|caldav) { + location ~ /\.well-known/(?:carddav|caldav) { return 301 $scheme://$host/dav; } location = /.well-known/security.txt { 
@@ -112,6 +125,23 @@ http { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; + ## HSTS ## + # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. + # Note it is intended to have those duplicated to the ones above. + # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. + # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting + # removed from this list could take several months. + # + #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + # Optional: Don't log access to assets access_log off; } @@ -122,5 +152,10 @@ http { # Optional: Don't log access to assets access_log off; } + + # deny access to .htaccess files + location ~ /\.ht { + deny all; + } } } diff --git a/.examples/supervisor/fpm/docker-compose.yml b/.examples/supervisor/fpm/docker-compose.yml index 7da8059..03d1deb 100644 --- a/.examples/supervisor/fpm/docker-compose.yml +++ b/.examples/supervisor/fpm/docker-compose.yml @@ -35,8 +35,5 @@ services: volumes: data: - name: data www: - name: www mysql: - name: mysql diff --git a/.examples/supervisor/fpm/web/nginx.conf b/.examples/supervisor/fpm/web/nginx.conf index ebe0675..e6378d7 100644 --- a/.examples/supervisor/fpm/web/nginx.conf +++ b/.examples/supervisor/fpm/web/nginx.conf @@ -3,12 +3,10 @@ worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; - events { worker_connections 1024; } - http { include /etc/nginx/mime.types; default_type application/octet-stream; 
@@ -24,8 +22,12 @@ http { keepalive_timeout 65; - #gzip on; + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.16.0.0/12; + set_real_ip_from 192.168.0.0/16; + real_ip_header X-Real-IP; + # Connect to app service upstream php-handler { server app:9000; } @@ -35,13 +37,24 @@ http { server_name monica; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy no-referrer; + ## HSTS ## + # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. + # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. + # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting + # removed from this list could take several months. + # + #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; root /var/www/html/public; @@ -61,7 +74,7 @@ http { error_page 404 500 502 503 504 /index.php; - location = /.well-known/(?:carddav|caldav) { + location ~ /\.well-known/(?:carddav|caldav) { return 301 $scheme://$host/dav; } location = /.well-known/security.txt { 
@@ -112,6 +125,23 @@ http { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; + ## HSTS ## + # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. + # Note it is intended to have those duplicated to the ones above. + # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. + # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting + # removed from this list could take several months. + # + #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + # Optional: Don't log access to assets access_log off; } @@ -122,5 +152,10 @@ http { # Optional: Don't log access to assets access_log off; } + + # deny access to .htaccess files + location ~ /\.ht { + deny all; + } } }