From a56e150e08b2cfef8f2eabb9f5a5839f3e144a24 Mon Sep 17 00:00:00 2001
From: Faustin Lammler
Date: Wed, 16 Oct 2024 11:51:33 +0200
Subject: [PATCH] Simplify cert renewall and nginx confs

Also, use configuration from https://ssl-config.mozilla.org/
---
docker-compose/docker-compose.yaml | 12 +-----
docker-compose/generate-config.py | 12 +-----
docker-compose/nginx/nginx.conf | 34 +++++++++++++++
.../nginx/templates/bb.conf.template | 29 ++-----------
.../nginx/templates/ci.conf.template | 42 ++++++-------------
5 files changed, 52 insertions(+), 77 deletions(-)

diff --git a/docker-compose/docker-compose.yaml b/docker-compose/docker-compose.yaml
index b4394e7e..8a05221d 100644
--- a/docker-compose/docker-compose.yaml
+++ b/docker-compose/docker-compose.yaml
@@ -48,7 +48,7 @@ services: - /srv/buildbot/helper_files:/srv/buildbot/helper_files:ro - ./logs/nginx:/var/log/nginx - ./certbot/www/:/var/www/certbot/:ro - - ./certbot/conf/:/etc/nginx/ssl/:ro + - ./certbot/ssl/:/etc/nginx/ssl/:ro environment: - NGINX_ARTIFACTS_VHOST - NGINX_BUILDBOT_VHOST
@@ -58,16 +58,6 @@ services: options: tag: "bb-nginx" - certbot: - image: certbot/certbot:latest - restart: "no" - container_name: certbot - hostname: certbot - volumes: - - ./certbot/www/:/var/www/certbot/:rw - - ./certbot/conf/:/etc/letsencrypt/:rw - network_mode: host - master-web: image: quay.io/mariadb-foundation/bb-master:master-web restart: unless-stopped
diff --git a/docker-compose/generate-config.py b/docker-compose/generate-config.py
index faff553a..f31f284e 100755
--- a/docker-compose/generate-config.py
+++ b/docker-compose/generate-config.py
@@ -74,7 +74,7 @@ - /srv/buildbot/helper_files:/srv/buildbot/helper_files:ro - ./logs/nginx:/var/log/nginx - ./certbot/www/:/var/www/certbot/:ro - - ./certbot/conf/:/etc/nginx/ssl/:ro + - ./certbot/ssl/:/etc/nginx/ssl/:ro environment: - NGINX_ARTIFACTS_VHOST - NGINX_BUILDBOT_VHOST
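Review bot: The new mount `./certbot/ssl/:/etc/nginx/ssl/:ro` has to contain `fullchain.pem`, `privkey.pem` and `dhparam` flat in that directory (the paths nginx.conf now reads), and with the certbot service removed from this file nothing in the diff shows what writes renewed material there or reloads nginx afterwards — nginx keeps the certificate it loaded at startup, so a renewed certificate would not be served until the container is restarted or reloaded. A comment on the volume line, e.g. `# populated by the host ACME client; nginx must be reloaded after each renewal`, would record that contract for whoever operates the host. The `./certbot/www/` webroot mount is kept although the container that used it is gone, so confirm the external renewal still uses the webroot challenge, otherwise that mount is dead. The same one-line change is repeated in the `@@ -74,7 +74,7 @@` hunk of generate-config.py, so the two embedded copies of this compose file need to stay identical; if generate-config.py is what emits docker-compose.yaml, regenerating it rather than hand-editing both would avoid drift.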
@@ -84,16 +84,6 @@ options: tag: "bb-nginx" - certbot: - image: certbot/certbot:latest - restart: "no" - container_name: certbot - hostname: certbot - volumes: - - ./certbot/www/:/var/www/certbot/:rw - - ./certbot/conf/:/etc/letsencrypt/:rw - network_mode: host - master-web: image: quay.io/mariadb-foundation/bb-master:master-web restart: unless-stopped
diff --git a/docker-compose/nginx/nginx.conf b/docker-compose/nginx/nginx.conf
index 1f5f80c1..0a9c160a 100644
--- a/docker-compose/nginx/nginx.conf
+++ b/docker-compose/nginx/nginx.conf
@@ -24,7 +24,41 @@ http { keepalive_timeout 65; + # Enable gzipped format gzip on; + # Set level of compression + gzip_comp_level 3; + # Set mime types + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + # SSL configuration + ssl_certificate /etc/nginx/ssl/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + + # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam + ssl_dhparam /etc/nginx/ssl/dhparam; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem; + + # # Disable embedding the site + add_header X-Frame-Options "SAMEORIGIN"; + # # Enable XSS protection + add_header X-XSS-Protection "1;mode=block"; include /etc/nginx/conf.d/*.conf; }
diff --git a/docker-compose/nginx/templates/bb.conf.template b/docker-compose/nginx/templates/bb.conf.template
index 306cb7ab..23a80f69 100644
--- a/docker-compose/nginx/templates/bb.conf.template
+++ b/docker-compose/nginx/templates/bb.conf.template
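Review bot: OCSP stapling is enabled with `ssl_stapling on;` / `ssl_stapling_verify on;` but this http block (which starts before the hunk) has no `resolver` directive, and nginx needs one to look up the OCSP responder hostname, so stapling would be silently skipped with only a warning in the error log; the Mozilla template the commit cites ends with exactly such a resolver line and also has `ssl_session_tickets off;` after `ssl_session_cache`, which is missing here as well — without it the default ticket key lives for the whole process lifetime, weakening forward secrecy for resumed sessions. Adding `ssl_session_tickets off;` after the session-cache line and `resolver <DNS-IP-PLACEHOLDER> valid=300s;` next to the stapling lines would bring the block in line with the referenced template; the comment on `ssl_trusted_certificate` asks for root CA plus intermediates, and fullchain.pem from an ACME client normally holds leaf plus intermediates only, so confirm in the error log that OCSP responses actually verify. The new HSTS header also drops the `includeSubdomains` that the per-vhost headers removed in bb.conf.template and ci.conf.template carried; if that relaxation is intended a comment should say so, otherwise use `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;`. Finally, `add_header X-Frame-Options "SAMEORIGIN";` lacks `always` so it is only sent on 2xx/3xx responses, and `X-XSS-Protection` is deprecated by current browsers (a Content-Security-Policy is the replacement), so `add_header X-Frame-Options "SAMEORIGIN" always;` is the minimum fix there.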
@@ -14,40 +14,17 @@ server { } } - # Default rate limited zone, with 30 requests per minute limit_req_zone $request_uri zone=default:10m rate=30r/m; client_max_body_size 10M; server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; server_name ${NGINX_BUILDBOT_VHOST}; - # SSL configuration - # ssl on; Deprecated in newer versions of NGINX (yields nginx: [emerg] unknown directive "ssl ) - ssl_certificate /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/privkey.pem; # managed by Certbot - # put a one day session timeout for websockets to stay longer - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 1d; - ssl_protocols TLSv1.1 TLSv1.2; - - # Force https - Enable HSTS - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always; - # # Disable embedding the site - add_header X-Frame-Options "SAMEORIGIN"; - # # Enable XSS protection - add_header X-XSS-Protection "1;mode=block"; - - # Enable gzipped format - #gzip on; already on in main conf - # Set level of compression - gzip_comp_level 3; - # Set mime types - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - proxy_set_header HOST $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/docker-compose/nginx/templates/ci.conf.template b/docker-compose/nginx/templates/ci.conf.template
index f88d79ac..c65132c0 100644
--- a/docker-compose/nginx/templates/ci.conf.template
+++ b/docker-compose/nginx/templates/ci.conf.template
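Review bot: `default_server` is dropped from both `listen 443 ssl;` lines, which the commit message does not mention; without it nginx picks the first `server` block loaded from conf.d for connections whose SNI/Host matches no `server_name`, so which vhost answers unknown hostnames now depends on include order rather than on an explicit choice. If the buildbot vhost is meant to stay the catch-all, keep `listen 443 ssl default_server;` and `listen [::]:443 ssl default_server;`; if unknown hostnames should instead be refused, an explicit default server returning 444 is the usual way. The security headers removed here are now expected to come from the http-level `add_header` lines in nginx.conf, but nginx only inherits `add_header` into a server or location block that defines no `add_header` of its own, so any future header added in this server block or in one of its location blocks (the block continues past the hunk) would silently drop HSTS and X-Frame-Options for that scope — a comment such as `# security headers are inherited from nginx.conf; any add_header here disables that inheritance` on the server line would guard against that, and the same applies to the ci.conf.template server block. `http2 on;` also requires nginx 1.25.1 or newer; the nginx image tag is not in this diff, so confirm the deployed image satisfies it.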
@@ -14,13 +14,23 @@ server { } } -# Build artifacts location +# Default rate limited zone, with 30 requests per minute +limit_req_zone $request_uri zone=default:10m rate=30r/m; +client_max_body_size 10M; + server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; server_name ${NGINX_ARTIFACTS_VHOST}; + # ratelimit is disabled, do we need it on ci.mariadb.org, probably not + # (static website) + # Use default zone for rate limiting, allow burst of 10 requests with no + # delay + # limit_req zone=default burst=10 nodelay; + root /srv/buildbot/packages/; location /helper_files { alias /srv/buildbot/helper_files; #FIXME - for consistency, on hz-bbm2 let's rename it to helper_files instead of mariadb-shared-packages (current PROD)
@@ -47,32 +57,6 @@ server { autoindex on; - # SSL configuration - # ssl on; - ssl_certificate /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/fullchain.pem; - ssl_certificate_key /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/privkey.pem; - ssl_protocols TLSv1.1 TLSv1.2; - - # Force https - Enable HSTS - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always; - # Disable embedding the site - add_header X-Frame-Options "SAMEORIGIN"; - # Enable XSS protection - add_header X-XSS-Protection "1;mode=block"; max_ranges 1; msie_padding off; - - # Enable gzipped format - # gzip on; already on in main conf - # Set level of compression - gzip_comp_level 3; - # Set mime types - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - # Use default zone for rate limiting, allow burst of 10 requests with - # no delay - # limit_req zone=default burst=10 nodelay; - error_page 404 /older_builds$request_uri; # logging
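Review bot: `limit_req_zone $request_uri zone=default:10m rate=30r/m;` and `client_max_body_size 10M;` added at the top of this template repeat the identical http-level lines that bb.conf.template already has, and both templates appear to be rendered into the conf.d directory that nginx.conf includes for the single nginx service (the compose file hands it both vhost variables), so nginx would most likely refuse to start with a `limit_req_zone "default" is already bound to key` or `directive is duplicate` error — verify with `nginx -t` on a rendered config. Since the `limit_req` line below stays commented out, the zone is unused in this file anyway; dropping both lines here (or, if a limit is wanted later, naming the zone distinctly such as `zone=artifacts:10m`) avoids the clash. If a limit is enabled later, note that keying the zone on `$request_uri` throttles each URI globally rather than per client, so one client can exhaust the budget for everyone; `$binary_remote_addr` is the usual key. The server block continues past the end of the hunk.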