Update infra

Signed-off-by: Bensuperpc <bensuperpc@gmail.com>
2024-11-14 22:21:32 +01:00 · 2023-04-16 23:43:40 +02:00 · 2023-04-16 23:43:40 +02:00 · cd2862a358
commit cd2862a358
parent 13c2b7df19
8 changed files with 32 additions and 16 deletions
--- a/docker-compose.divers.yml
+++ b/docker-compose.divers.yml
@ -44,3 +44,5 @@ services:
    restart: unless-stopped
    networks:
      - app-network
+    security_opt:
+      - no-new-privileges:true
--- a/docker-compose.nginx.yml
+++ b/docker-compose.nginx.yml
@ -21,4 +21,4 @@ services:
    networks:
      - app-network
    security_opt:
-      - "no-new-privileges:true"
+      - no-new-privileges:true
--- a/docker-compose.wordpress.yml
+++ b/docker-compose.wordpress.yml
@ -13,6 +13,8 @@ services:
      - dbdata:/var/lib/mysql
    networks:
      - app-network
+    security_opt:
+      - no-new-privileges:true

  wordpress:
    depends_on: 
@ -29,8 +31,16 @@ services:
    networks:
      - app-network
    security_opt:
-      - "no-new-privileges:true"
-
+      - no-new-privileges:true
+#    cap_drop:
+#        - ALL
+#    cap_add:
+#      - SETUID
+#      - SETGID
+#      - DAC_OVERRIDE
+#      - NET_BIND_SERVICE
+#      - NET_RAW
+#      - CAP_CHOWN
  phpmyadmin:
    image: phpmyadmin:5.2.0
    container_name: phpmyadmin
@ -39,12 +49,12 @@ services:
    restart: unless-stopped
    env_file: 
      - env/phpmyadmin.env
-#    ports:
-#      - 8080:80
    depends_on:
      - wp_db
    networks:
      - app-network
+    security_opt:
+      - no-new-privileges:true

 volumes:
  wordpress:
--- a/nginx/conf.d/jellyfin.conf
+++ b/nginx/conf.d/jellyfin.conf
@ -50,7 +50,6 @@ server {
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

        # Security / XSS Mitigation Headers
        # NOTE: X-Frame-Options may cause issues with the webOS app
@ -124,6 +123,8 @@ server {
                proxy_cache_lock on;
                add_header X-Cache-Status $upstream_cache_status; # This is only to check if cache is working
        }
+
+        resolver 8.8.8.8;
 }

 # All configuration options are documented at https://jellyfin.org/docs/general/networking/nginx/
--- a/nginx/conf.d/phpmyadmin.conf
+++ b/nginx/conf.d/phpmyadmin.conf
@ -1,5 +1,3 @@
-#include /etc/nginx/conf.d/sub/cache-proxy.conf;
-
 upstream phpmyadmin_server {
        # ip_hash;
        server phpmyadmin:80;
@ -15,12 +13,12 @@ server {

        server_name phpmyadmin.bensuperpc.org www.phpmyadmin.bensuperpc.org;

-        location ~ \.php$ {
-                try_files $uri =404;
-                fastcgi_split_path_info ^(.+\.php)(/.+)$;
-                fastcgi_pass phpmyadmin_server;
-                fastcgi_index index.php;
+        location / {
+                proxy_pass http://phpmyadmin_server;
+                proxy_redirect off;
+                proxy_set_header X-Forwarded-Host $http_host;
+                proxy_set_header X-Forwarded-For  $remote_addr;
        }

-        # resolver 8.8.8.8;
+        resolver 8.8.8.8;
 }
--- a/nginx/conf.d/qbittorrent.conf
+++ b/nginx/conf.d/qbittorrent.conf
@ -20,5 +20,5 @@ server {
                proxy_set_header X-Forwarded-For  $remote_addr;
        }

-        # resolver 8.8.8.8;
+        resolver 8.8.8.8;
 }
--- a/nginx/conf.d/sub/options-ssl-nginx.conf
+++ b/nginx/conf.d/sub/options-ssl-nginx.conf
@ -8,6 +8,8 @@ ssl_session_tickets off;
 ssl_protocols TLSv1.3;
 ssl_prefer_server_ciphers off;

+add_header Strict-Transport-Security "max-age=63072000" always;
+
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
--- a/nginx/conf.d/wordpress.conf
+++ b/nginx/conf.d/wordpress.conf
@ -123,7 +123,11 @@ server {
 # Main server wordpress_server
 server {
        listen 443 ssl http2;
+        #listen 443 http3 reuseport;
+
        listen [::]:443 ssl http2;
+
+
        server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;

        root /var/www/wordpress;
@ -175,7 +179,6 @@ server {
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

        location / {
                try_files $uri $uri/ /index.php$is_args$args;