reorganize ssl config ; default proxy config

2021-05-24 14:58:42 +00:00
parent ab8e4dbdbd
commit 04211ed730
7 changed files with 14 additions and 9 deletions
--- a/conf/default.conf
+++ b/conf/default.conf
@@ -1,22 +1,23 @@
 server {
    listen 80;
-    include get_auto_ssl.conf;
+    include auto_ssl.conf;
 }

 # Dieser Server ist der Zugang zur "Nginx config und wird im 2. Openresty Server genutzt"
 server {
    listen 8080;
    
-    set $host theiaconf;
-    set $port 3000;
+    set $proxy_host theiaconf;
+    set $proxy_port 3000;
    include ldap.conf;
+    #include secure.conf;
    include default_proxy.conf;
 }


 server {
    listen 443 ssl;
-    include auto_ssl.conf;
+    include ssl.conf;
    include ldap.conf;

 }
--- a/nginx.conf
+++ b/nginx.conf
@@ -114,7 +114,7 @@ ldap_server fet {
    url ldap://gagarin:389/ou=user,dc=fet,dc=htu,dc=tuwien,dc=ac,dc=at?uid?sub?(objectClass=person);
    require valid_user;
 }
-    resolver 127.0.0.11 valid=30s;    
+    resolver 127.0.0.11 valid=30s;   # use the docker resolver as a default
    include /etc/nginx/conf.d/*.conf;

    # Don't reveal OpenResty version to clients.
--- a/snippets/default_proxy.conf
+++ b/snippets/default_proxy.conf
@@ -1,5 +1,5 @@
 location / {
    include proxy.conf;
    proxy_buffering off;
-    proxy_pass http://$host:$port;
+    proxy_pass http://$proxy_host:$proxy_port;
 }
--- a/snippets/private.conf
+++ b/snippets/private.conf
@@ -1 +0,0 @@
-include ldap.conf;
--- a/snippets/proxy.conf
+++ b/snippets/proxy.conf
@@ -7,7 +7,7 @@
        proxy_set_header X-Forwarde-Proto $scheme;
        proxy_set_header X_FORWARDED_SSL on;
        proxy_set_header HTTP_X_FORWARDED_SSL on;
-        proxy_buffering off;
+        
        
        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'";
        add_header X-Content-Type-Options nosniff;
--- a/snippets/secure.conf
+++ b/snippets/secure.conf
@@ -1 +1,6 @@
-include add_auto_ssl.conf;
+include ssl.conf;
+        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'";
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Referrer-Policy "strict-origin";
+        add_header Strict-Transport-Security "max-age=31536000" always;
--- a/snippets/add_auto_ssl.conf
+++ b/snippets/add_auto_ssl.conf