diff options
author | Rigel Kent <par@rigelk.eu> | 2018-02-14 11:11:49 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-02-14 11:11:49 +0100 |
commit | e883399fa6caa56bb8519c9a2e22d88001f26661 (patch) | |
tree | 2843fa320193ed86ae153cfbe7756ca4a979c804 /support/nginx | |
parent | 1007a0185f5e3c1330a78f07d60f8dda9f5ddd15 (diff) | |
download | PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.gz PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.zst PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.zip |
Precisions and security enhancements to the production guide (#287)
- added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives).
- security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator.
All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure.
Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
Diffstat (limited to 'support/nginx')
-rw-r--r-- | support/nginx/peertube | 51 |
1 files changed, 37 insertions, 14 deletions
diff --git a/support/nginx/peertube b/support/nginx/peertube index 5261cddb4..6a076a8f8 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube | |||
@@ -1,10 +1,10 @@ | |||
1 | server { | 1 | server { |
2 | listen 80; | 2 | listen 80; |
3 | # listen [::]:80; | 3 | listen [::]:80; |
4 | server_name domain.tld; | 4 | server_name peertube.example.com; |
5 | 5 | ||
6 | access_log /var/log/nginx/peertube_access.log; | 6 | access_log /var/log/nginx/peertube.example.com.access.log; |
7 | error_log /var/log/nginx/peertube_error.log; | 7 | error_log /var/log/nginx/peertube.example.com.error.log; |
8 | 8 | ||
9 | location /.well-known/acme-challenge/ { allow all; } | 9 | location /.well-known/acme-challenge/ { allow all; } |
10 | location / { return 301 https://$host$request_uri; } | 10 | location / { return 301 https://$host$request_uri; } |
@@ -12,16 +12,38 @@ server { | |||
12 | 12 | ||
13 | server { | 13 | server { |
14 | listen 443 ssl http2; | 14 | listen 443 ssl http2; |
15 | # listen [::]:443 ssl http2; | 15 | listen [::]:443 ssl http2; |
16 | server_name domain.tld; | 16 | server_name peertube.example.com; |
17 | 17 | ||
18 | access_log /var/log/nginx/peertube_access.log; | 18 | # For example with Let's Encrypt (you need a certificate to run https) |
19 | error_log /var/log/nginx/peertube_error.log; | 19 | ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem; |
20 | 20 | ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem; | |
21 | # For example with Let's Encrypt | 21 | |
22 | ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; | 22 | # Security hardening (as of 11/02/2018) |
23 | ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; | 23 | ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2 |
24 | ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem; | 24 | ssl_prefer_server_ciphers on; |
25 | ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | ||
26 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 | ||
27 | ssl_session_timeout 10m; | ||
28 | ssl_session_cache shared:SSL:10m; | ||
29 | ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
30 | ssl_stapling on; # Requires nginx >= 1.3.7 | ||
31 | ssl_stapling_verify on; # Requires nginx => 1.3.7 | ||
32 | resolver $DNS-IP-1 $DNS-IP-2 valid=300s; | ||
33 | resolver_timeout 5s; | ||
34 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; | ||
35 | add_header X-Frame-Options DENY; | ||
36 | add_header X-Content-Type-Options nosniff; | ||
37 | add_header X-XSS-Protection "1; mode=block"; | ||
38 | add_header X-Robots-Tag none; | ||
39 | |||
40 | access_log /var/log/nginx/peertube.example.com.access.log; | ||
41 | error_log /var/log/nginx/peertube.example.com.error.log; | ||
42 | |||
43 | location ^~ '/.well-known/acme-challenge' { | ||
44 | default_type "text/plain"; | ||
45 | root /var/www/certbot; | ||
46 | } | ||
25 | 47 | ||
26 | location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ { | 48 | location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ { |
27 | add_header Cache-Control "public, max-age=31536000, immutable"; | 49 | add_header Cache-Control "public, max-age=31536000, immutable"; |
@@ -46,6 +68,7 @@ server { | |||
46 | proxy_connect_timeout 600; | 68 | proxy_connect_timeout 600; |
47 | proxy_send_timeout 600; | 69 | proxy_send_timeout 600; |
48 | proxy_read_timeout 600; | 70 | proxy_read_timeout 600; |
71 | send_timeout 600; | ||
49 | } | 72 | } |
50 | 73 | ||
51 | # Bypass PeerTube webseed route for better performances | 74 | # Bypass PeerTube webseed route for better performances |