From cd2862a3589bef7736d391682f32dcb29d8a4598 Mon Sep 17 00:00:00 2001
From: Bensuperpc
Date: Sun, 16 Apr 2023 23:43:40 +0200
Subject: [PATCH] Update infra
Signed-off-by: Bensuperpc
---
 docker-compose.divers.yml | 2 ++
 docker-compose.nginx.yml | 2 +-
 docker-compose.wordpress.yml | 18 ++++++++++++++----
 nginx/conf.d/jellyfin.conf | 3 ++-
 nginx/conf.d/phpmyadmin.conf | 14 ++++++--------
 nginx/conf.d/qbittorrent.conf | 2 +-
 nginx/conf.d/sub/options-ssl-nginx.conf | 2 ++
 nginx/conf.d/wordpress.conf | 5 ++++-
 8 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/docker-compose.divers.yml b/docker-compose.divers.yml
index f8a99d0..8346786 100644
--- a/docker-compose.divers.yml
+++ b/docker-compose.divers.yml
@@ -44,3 +44,5 @@ services:
 restart: unless-stopped
 networks:
 - app-network
+ security_opt:
+ - no-new-privileges:true
\ No newline at end of file
diff --git a/docker-compose.nginx.yml b/docker-compose.nginx.yml
index 05d26ac..177a265 100644
--- a/docker-compose.nginx.yml
+++ b/docker-compose.nginx.yml
@@ -21,4 +21,4 @@ services:
 networks:
 - app-network
 security_opt:
- - "no-new-privileges:true"
+ - no-new-privileges:true
diff --git a/docker-compose.wordpress.yml b/docker-compose.wordpress.yml
index cd869a6..650b8b2 100644
--- a/docker-compose.wordpress.yml
+++ b/docker-compose.wordpress.yml
@@ -13,6 +13,8 @@ services:
 - dbdata:/var/lib/mysql
 networks:
 - app-network
+ security_opt:
+ - no-new-privileges:true
 wordpress:
 depends_on:
@@ -29,8 +31,16 @@ services:
 networks:
 - app-network
 security_opt:
- - "no-new-privileges:true"
-
+ - no-new-privileges:true
+# cap_drop:
+# - ALL
+# cap_add:
+# - SETUID
+# - SETGID
+# - DAC_OVERRIDE
+# - NET_BIND_SERVICE
+# - NET_RAW
+# - CAP_CHOWN
 phpmyadmin:
 image: phpmyadmin:5.2.0
 container_name: phpmyadmin
@@ -39,12 +49,12 @@ services:
 restart: unless-stopped
 env_file:
 - env/phpmyadmin.env
-# ports:
-# - 8080:80
 depends_on:
 - wp_db
 networks:
 - app-network
+ security_opt:
+ - no-new-privileges:true
 volumes:
 wordpress:
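Review bot: The added `- no-new-privileges:true` is now the last line of docker-compose.divers.yml and the `\ No newline at end of file` marker shows the file still ends without a terminating newline; finish the file with a newline so the next change to this service does not show this line as modified again. YAML tolerates the missing newline, so this is style only.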
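Review bot: The commented-out `cap_drop`/`cap_add` block in the `@@ -29,8 +31,16 @@` hunk of docker-compose.wordpress.yml sits at column 0 (`+# cap_drop:`), so uncommenting it as-is would put the keys at the top level of the file rather than under the `wordpress` service; it needs re-indenting to the service level when it is enabled. The list also mixes naming forms (`SETUID`, `SETGID` versus `CAP_CHOWN`) — Docker accepts both spellings, but one form would read more consistently. Because `no-new-privileges` only blocks privilege escalation and does not shrink the container's default capability set, the capability drop is the part that actually hardens the service, so a one-line comment recording why it is disabled, e.g. `# TODO: enable once the wordpress image is confirmed to start with this capability set`, would keep that intent from getting lost.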
diff --git a/nginx/conf.d/jellyfin.conf b/nginx/conf.d/jellyfin.conf
index 24c386e..4d13817 100644
--- a/nginx/conf.d/jellyfin.conf
+++ b/nginx/conf.d/jellyfin.conf
@@ -50,7 +50,6 @@ server {
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer-when-downgrade" always;
 add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 # Security / XSS Mitigation Headers
 # NOTE: X-Frame-Options may cause issues with the webOS app
@@ -124,6 +123,8 @@ server {
 proxy_cache_lock on;
 add_header X-Cache-Status $upstream_cache_status; # This is only to check if cache is working
 }
+
+ resolver 8.8.8.8;
 }
 # All configuration options are documented at https://jellyfin.org/docs/general/networking/nginx/
\ No newline at end of file
diff --git a/nginx/conf.d/phpmyadmin.conf b/nginx/conf.d/phpmyadmin.conf
index 5b534c5..954c929 100644
--- a/nginx/conf.d/phpmyadmin.conf
+++ b/nginx/conf.d/phpmyadmin.conf
@@ -1,5 +1,3 @@
-#include /etc/nginx/conf.d/sub/cache-proxy.conf;
-
 upstream phpmyadmin_server {
 # ip_hash;
 server phpmyadmin:80;
@@ -15,12 +13,12 @@ server {
 server_name phpmyadmin.bensuperpc.org www.phpmyadmin.bensuperpc.org;
- location ~ \.php$ {
- try_files $uri =404;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass phpmyadmin_server;
- fastcgi_index index.php;
+ location / {
+ proxy_pass http://phpmyadmin_server;
+ proxy_redirect off;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-For $remote_addr;
 }
- # resolver 8.8.8.8;
+ resolver 8.8.8.8;
 }
diff --git a/nginx/conf.d/qbittorrent.conf b/nginx/conf.d/qbittorrent.conf
index e46cfc3..5564b66 100644
--- a/nginx/conf.d/qbittorrent.conf
+++ b/nginx/conf.d/qbittorrent.conf
@@ -20,5 +20,5 @@ server {
 proxy_set_header X-Forwarded-For $remote_addr;
 }
- # resolver 8.8.8.8;
+ resolver 8.8.8.8;
 }
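Review bot: `resolver 8.8.8.8;` is added at server level in the second jellyfin.conf hunk, and again in phpmyadmin.conf and qbittorrent.conf, without recording what it is for; the directive only affects names nginx resolves at runtime (variables in `proxy_pass`, the OCSP responder used by `ssl_stapling`), not the `upstream` blocks' `server phpmyadmin:80` entries, which are resolved once at startup through the system resolver. Sending those lookups in cleartext to a public resolver also tells a third party which hosts this server contacts, and no `valid=` lifetime is set; if container names are what need resolving, Docker's embedded DNS at `127.0.0.11` is the closer fit. Whatever the reason, one comment such as `# resolver needed for OCSP stapling (ssl_stapling in sub/options-ssl-nginx.conf)` and a single declaration at `http` level or in a shared include would replace the three copies.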
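Review bot: The new `location /` in phpmyadmin.conf forwards `X-Forwarded-Host` and `X-Forwarded-For` but not the scheme, so the upstream only sees a plain-HTTP request on port 80 and cannot tell it is behind TLS; add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header Host $host;` next to the existing headers. `X-Forwarded-For $remote_addr` also overwrites any chain a front proxy might add — `$proxy_add_x_forwarded_for` preserves it (the same pattern is visible in qbittorrent.conf's context lines). This location exposes the phpMyAdmin login page for `phpmyadmin.bensuperpc.org` to the whole internet with no restriction; an `allow`/`deny` list or `auth_basic` inside the location would be worth considering, since the database it fronts presumably holds the WordPress data.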
diff --git a/nginx/conf.d/sub/options-ssl-nginx.conf b/nginx/conf.d/sub/options-ssl-nginx.conf
index 4e16516..6d0290f 100644
--- a/nginx/conf.d/sub/options-ssl-nginx.conf
+++ b/nginx/conf.d/sub/options-ssl-nginx.conf
@@ -8,6 +8,8 @@ ssl_session_tickets off;
 ssl_protocols TLSv1.3;
 ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
diff --git a/nginx/conf.d/wordpress.conf b/nginx/conf.d/wordpress.conf
index b1180cb..9a2f0c6 100644
--- a/nginx/conf.d/wordpress.conf
+++ b/nginx/conf.d/wordpress.conf
@@ -123,7 +123,11 @@ server {
 # Main server wordpress_server
 server {
 listen 443 ssl http2;
+ #listen 443 http3 reuseport;
+ listen [::]:443 ssl http2;
+
+
 server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
 root /var/www/wordpress;
@@ -175,7 +179,6 @@ server {
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer-when-downgrade" always;
 add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 location / {
 try_files $uri $uri/ /index.php$is_args$args;
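Review bot: The shared `add_header Strict-Transport-Security "max-age=63072000" always;` in options-ssl-nginx.conf replaces per-site headers that carried `includeSubDomains; preload` (removed from jellyfin.conf and wordpress.conf in this commit), so any hostname that was submitted to the preload list would now serve a header that no longer meets its requirements; if the narrowing is intentional, say so in a comment, otherwise restore `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;`. Note also that nginx inherits `add_header` into a level only when that level defines no `add_header` of its own: a location such as the jellyfin.conf cache location that adds `X-Cache-Status` will not emit this HSTS header (nor the server-level CSP and nosniff headers) for the responses it serves. This assumes the file is included at `server` level beside each site's own `add_header` lines; if it is included at `http` level instead, every server block that defines its own `add_header` would mask it entirely.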
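Review bot: The commented `#listen 443 http3 reuseport;` in the first wordpress.conf hunk uses the listen syntax of the old nginx-quic branch; mainline nginx (1.25 and later) spells it `listen 443 quic reuseport;` and clients only discover it through an `Alt-Svc` header, so a comment noting which nginx build this line targets would stop it being enabled with the wrong keyword. The two added blank lines before `server_name` can be collapsed to one. The new `listen [::]:443 ssl http2;` makes this block reachable over IPv6; if the other site configs (not visible here) do not get the same line, IPv6 requests for those hostnames will land on this server block as the default for that socket, so it is worth checking they are kept in step.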