From 6cbc67feb057a1691e390d3bb43c885478251ad8 Mon Sep 17 00:00:00 2001
From: f
Date: Sat, 7 Dec 2024 13:43:34 -0300
Subject: [PATCH 1/9] fix: no-cache makes browsers cache and revalidate

---
 ansible/roles/distributed_press/templates/nginx-static.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ansible/roles/distributed_press/templates/nginx-static.j2 b/ansible/roles/distributed_press/templates/nginx-static.j2
index 89ed386e..8b7d1803 100644
--- a/ansible/roles/distributed_press/templates/nginx-static.j2
+++ b/ansible/roles/distributed_press/templates/nginx-static.j2
@@ -12,6 +12,7 @@ server {
 error_page 404 /404.html;
+ add_header Cache-Control no-cache;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 add_header 'X-Frame-Options' 'ALLOW-FROM *';
 add_header 'Access-Control-Allow-Origin' '*';
From 444c93ecf37a919deb5bff85a489dc5701f58485 Mon Sep 17 00:00:00 2001
From: f
Date: Sat, 7 Dec 2024 13:44:22 -0300
Subject: [PATCH 2/9] fix: disallow embedding

---
 ansible/roles/distributed_press/templates/nginx-static.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/distributed_press/templates/nginx-static.j2 b/ansible/roles/distributed_press/templates/nginx-static.j2
index 8b7d1803..803444a2 100644
--- a/ansible/roles/distributed_press/templates/nginx-static.j2
+++ b/ansible/roles/distributed_press/templates/nginx-static.j2
@@ -14,7 +14,8 @@ server {
 add_header Cache-Control no-cache;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
- add_header 'X-Frame-Options' 'ALLOW-FROM *';
+ add_header X-Frame-Options "sameorigin";
+
 add_header 'Access-Control-Allow-Origin' '*';
 add_header 'Access-Control-Allow-Credentials' 'true';
 add_header 'Access-Control-Allow-Methods' '*';
From 213b8bf28f73aa27d25a56fb69e04f63f9d1ea0d Mon Sep 17 00:00:00 2001
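Review bot: `add_header Cache-Control no-cache;` lacks the `always` flag, so nginx attaches it only to 2xx/3xx responses and the custom `/404.html` configured by the `error_page` line two lines above is served without it; the HSTS line directly below already uses `always`, so `add_header Cache-Control no-cache always;` keeps the header list consistent. Worth recording next to this list is the nginx rule that `add_header` directives are inherited from the `server` level only by `location` blocks that declare no `add_header` of their own — a future location that sets a single header silently drops every one of these, e.g. `# add_header is NOT inherited into a location that sets its own headers; keep them all here`. The enclosing `server` block starts and ends outside the hunk.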
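Review bot: `add_header X-Frame-Options "sameorigin";` is the legacy framing control; it also lacks `always`, so the `/404.html` error page remains embeddable, and browsers give precedence to CSP's `frame-ancestors` when both are present. Pair it with the modern equivalent and cover error responses: `add_header X-Frame-Options "sameorigin" always;` and `add_header Content-Security-Policy "frame-ancestors 'self'" always;`. Separately, the unchanged CORS lines below the new header send `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, a combination browsers reject for credentialed requests; if the site is only ever fetched anonymously (which a static site presumably is), dropping the credentials header in a follow-up would be cleaner than leaving a pair that cannot work.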
From: f
Date: Sat, 7 Dec 2024 13:47:44 -0300
Subject: [PATCH 3/9] fix: safety options

---
 ansible/roles/distributed_press/templates/nginx-static.j2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ansible/roles/distributed_press/templates/nginx-static.j2 b/ansible/roles/distributed_press/templates/nginx-static.j2
index 803444a2..bb26fcc0 100644
--- a/ansible/roles/distributed_press/templates/nginx-static.j2
+++ b/ansible/roles/distributed_press/templates/nginx-static.j2
@@ -15,6 +15,8 @@ server {
 add_header Cache-Control no-cache;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 add_header X-Frame-Options "sameorigin";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
 add_header 'Access-Control-Allow-Origin' '*';
 add_header 'Access-Control-Allow-Credentials' 'true';
From 54ac5040014fed23480e1f5220506aaf56fd6dcb Mon Sep 17 00:00:00 2001
From: f
Date: Sat, 7 Dec 2024 13:47:56 -0300
Subject: [PATCH 4/9] fix: visitor privacy

---
 ansible/roles/distributed_press/templates/nginx-static.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ansible/roles/distributed_press/templates/nginx-static.j2 b/ansible/roles/distributed_press/templates/nginx-static.j2
index bb26fcc0..536403ba 100644
--- a/ansible/roles/distributed_press/templates/nginx-static.j2
+++ b/ansible/roles/distributed_press/templates/nginx-static.j2
@@ -17,6 +17,7 @@ server {
 add_header X-Frame-Options "sameorigin";
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Content-Type-Options "nosniff";
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
 add_header 'Access-Control-Allow-Origin' '*';
 add_header 'Access-Control-Allow-Credentials' 'true';
From e3f684fe2d0c420132a00c9931b74b1d1e2245e0 Mon Sep 17 00:00:00 2001
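Review bot: `add_header X-XSS-Protection "1; mode=block";` should not be turned on: the XSS auditor it controls was removed from Chromium-based browsers and never existed in Firefox, and in any engine that still honours it `mode=block` was shown to be abusable for cross-site information leaks, which is why current OWASP guidance is to send `X-XSS-Protection: 0` or omit the header and rely on a Content-Security-Policy. Replace the line with `add_header X-XSS-Protection "0" always;` or drop it. The `X-Content-Type-Options "nosniff"` line is the valuable one here; give it `always` too so the `/404.html` error page is also served with it, since nginx omits non-`always` headers from 4xx responses.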
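Review bot: `add_header Referrer-Policy "strict-origin-when-cross-origin";` is the value current browsers already apply when no policy is sent, so for a commit titled "visitor privacy" it changes very little; if the aim is to stop revealing which page a reader came from, `no-referrer` (or `strict-origin`, which still lets other sites see this origin) is the stronger choice. Whichever value is kept, add the `always` flag so the `/404.html` error page sends it as well: `add_header Referrer-Policy "strict-origin-when-cross-origin" always;`. A one-line comment stating the chosen trade-off would help the next editor, e.g. `# Referrer-Policy: send only the origin cross-site; tighten to no-referrer if analytics are not needed`.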
From: f
Date: Sat, 7 Dec 2024 13:48:20 -0300
Subject: [PATCH 5/9] fix: more specific location

---
 .../distributed_press/templates/nginx-static.j2 | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/ansible/roles/distributed_press/templates/nginx-static.j2 b/ansible/roles/distributed_press/templates/nginx-static.j2
index 536403ba..feafbd8c 100644
--- a/ansible/roles/distributed_press/templates/nginx-static.j2
+++ b/ansible/roles/distributed_press/templates/nginx-static.j2
@@ -25,18 +25,19 @@ server {
 add_header 'Access-Control-Allow-Headers' '*';
 add_header 'X-Ipfs-Path' '/ipns/{{ item }}';
- location /.well-known/webfinger {
- default_type application/jrd+json;
- }
- location /.well-known/host-meta {
- default_type application/xrd+xml;
- }
-
 location / {
 # First attempt to serve request as file, then
 # as directory, then fall back to displaying a 404.
 # Also try loading .html/.md/.gemini/.gmi files
 try_files $uri $uri/ $uri.html $uri.md $uri.gmi $uri.gemini =404;
+
+ location = /.well-known/webfinger {
+ default_type application/jrd+json;
+ }
+
+ location = /.well-known/host-meta {
+ default_type application/xrd+xml;
+ }
 }
 listen [::]:443 ssl; # managed by Certbot
From 326fe81d7d8ba49d7f4b968eca370361b4b0446c Mon Sep 17 00:00:00 2001
From: f
Date: Sat, 7 Dec 2024 13:48:45 -0300
Subject: [PATCH 6/9] feat: nodeinfo

---
 .../roles/distributed_press/templates/nginx-static.j2 | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/distributed_press/templates/nginx-static.j2 b/ansible/roles/distributed_press/templates/nginx-static.j2
index feafbd8c..c6b2959f 100644
--- a/ansible/roles/distributed_press/templates/nginx-static.j2
+++ b/ansible/roles/distributed_press/templates/nginx-static.j2
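Review bot: The real change in this hunk — `location /.well-known/webfinger` becoming `location = /.well-known/webfinger` so that `/.well-known/webfinger-anything` no longer picks up the JRD content type — is undocumented, while the accompanying move into `location /` adds nesting without behaviour: with `location /` the only prefix location visible, nginx reaches the exact-match blocks either way, and nested locations make it harder to see which `try_files` and `add_header` settings a request inherits. Keep the `=` but consider leaving the two blocks at `server` level, and add a comment such as `# exact match (=): only the discovery document itself, not arbitrary paths under it`. `default_type` only takes effect for files whose extension is not in mime.types, which presumably holds for these extension-less discovery files — confirm against the published tree. The enclosing `server` block continues outside the hunk.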
@@ -38,6 +38,10 @@ server {
 location = /.well-known/host-meta {
 default_type application/xrd+xml;
 }
+
+ location = /.well-known/nodeinfo {
+ default_type "application/jrd+json";
+ }
 }
 listen [::]:443 ssl; # managed by Certbot
@@ -46,8 +50,12 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_cert_name}}/privkey.pem; # managed by Certbot
 include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-}
+ # Some Fediverse endpoints don't include an extension and we'd need to
+ # configure everything. By adding index.json, we can serve these
+ # endpoints as directories.
+ index index.html index.json;
+}
 server {
 server_name {{item}};
From 47e759fed153d6f46193435fab6f2d3c99c7eda4 Mon Sep 17 00:00:00 2001
From: f
Date: Sat, 7 Dec 2024 13:50:27 -0300
Subject: [PATCH 7/9] fix: tls

---
 .../roles/distributed_press/templates/nginx-static.j2 | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/distributed_press/templates/nginx-static.j2 b/ansible/roles/distributed_press/templates/nginx-static.j2
index c6b2959f..b8fba860 100644
--- a/ansible/roles/distributed_press/templates/nginx-static.j2
+++ b/ansible/roles/distributed_press/templates/nginx-static.j2
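Review bot: The comment above `index index.html index.json;` does not say what "configure everything" would have meant, so the reason for the directive is lost on the next reader; suggest `# Fediverse discovery endpoints (e.g. /users/<name>) carry no file extension, so they are stored as <path>/index.json and resolved through the $uri/ fallback of try_files instead of one location block per endpoint.` The directive is also placed between the Certbot-managed `ssl_*` lines and the closing brace; moving it beside the `location /` block that depends on it keeps the TLS section free of hand edits that Certbot may later rewrite. In the first hunk, `default_type "application/jrd+json"` is a reasonable type for the NodeInfo discovery document, but the schema documents it points to are expected as `application/json`, which the `index.json` route presumably gets from mime.types — worth confirming once.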
@@ -51,6 +51,15 @@ server {
 include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+ ssl_early_data on;
+
+ # https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1&guideline=5.7
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+
 # Some Fediverse endpoints don't include an extension and we'd need to
 # configure everything. By adding index.json, we can serve these
 # endpoints as directories.
@@ -63,6 +72,6 @@ server {
 listen 80;
 listen [::]:80;
- return 301 https://{{item}}$request_uri;
+ return 301 https://{{item}}$request_uri;
 }
From 65426c6ce943160e1a16e481156deb5352d31e09 Mon Sep 17 00:00:00 2001
From: f
Date: Sat, 7 Dec 2024 13:50:36 -0300
Subject: [PATCH 8/9] feat: gzip pre-compression

---
 ansible/roles/distributed_press/templates/nginx-static.j2 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ansible/roles/distributed_press/templates/nginx-static.j2 b/ansible/roles/distributed_press/templates/nginx-static.j2
index b8fba860..c3d7b9d9 100644
--- a/ansible/roles/distributed_press/templates/nginx-static.j2
+++ b/ansible/roles/distributed_press/templates/nginx-static.j2
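Review bot: The new `ssl_session_timeout`, `ssl_session_cache`, `ssl_session_tickets`, `ssl_protocols` and `ssl_ciphers` lines are declared in the same `server` block that `include`s `/etc/letsencrypt/options-ssl-nginx.conf` two lines above; Certbot's stock version of that file sets the same directives, and nginx refuses a second `ssl_ciphers`, `ssl_session_timeout` or `ssl_session_tickets` in one context with "directive is duplicate", so `nginx -t` is likely to fail unless that file has been trimmed — either drop the `include` and own the TLS settings here (which the Mozilla URL suggests is the intent), or drop the duplicates; keeping both cannot work. `ssl_early_data on;` enables TLS 1.3 0-RTT, whose early data is replayable; for a site that only answers static GETs that is acceptable, but it deserves a comment, e.g. `# 0-RTT is replay-safe here: every response is an idempotent static file; revisit before adding any proxied or state-changing endpoint`. The Mozilla intermediate profile the comment links to also sets `ssl_prefer_server_ciphers off;`, which is missing from the list.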
@@ -60,6 +60,10 @@ server {
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ gzip_static on;
+
+ default_type "text/html";
+
 # Some Fediverse endpoints don't include an extension and we'd need to
 # configure everything. By adding index.json, we can serve these
 # endpoints as directories.
From ee7898d54584adf24578fed55644ece40b435c2e Mon Sep 17 00:00:00 2001
From: fauno
Date: Thu, 12 Dec 2024 13:35:06 -0300
Subject: [PATCH 9/9] Update ansible/roles/distributed_press/templates/nginx-static.j2

Co-authored-by: Mauve Signweaver
---
 ansible/roles/distributed_press/templates/nginx-static.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/distributed_press/templates/nginx-static.j2 b/ansible/roles/distributed_press/templates/nginx-static.j2
index c3d7b9d9..9bf4dff5 100644
--- a/ansible/roles/distributed_press/templates/nginx-static.j2
+++ b/ansible/roles/distributed_press/templates/nginx-static.j2
@@ -67,7 +67,7 @@ server {
 # Some Fediverse endpoints don't include an extension and we'd need to
 # configure everything. By adding index.json, we can serve these
 # endpoints as directories.
- index index.html index.json;
+ index index.html index.json index.md index.gmi index.gemini;
 }
 server {
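Review bot: `default_type "text/html";` at `server` level means every file whose extension is absent from mime.types — and every extension-less file outside the three `.well-known` locations — is served as HTML in the site's own origin, and the `X-Content-Type-Options: nosniff` header set earlier in this file then tells browsers to trust that label unconditionally. If the static tree holds publisher-supplied files (the role name suggests published content, so hedged), an extension-less upload becomes an XSS vector; keep nginx's `application/octet-stream` default here and type the known cases explicitly, e.g. `default_type application/octet-stream;` plus `types { text/markdown md; text/gemini gmi gemini; }` for the suffixes `try_files` already resolves. `gzip_static on;` only serves a sibling `.gz` that already exists, so whatever produces the site must regenerate those files on every change or stale compressed copies will be served — a one-line comment naming that producer (`# .gz siblings are generated by the publish step; nginx never compresses on the fly`) would prevent that surprise.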
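Review bot: Adding `index.md`, `index.gmi` and `index.gemini` as directory indexes sends raw Markdown and Gemtext to browsers, and stock nginx mime.types has no entry for `gmi` or `gemini` (nor, as far as I know, for `md` — confirm against the deployed file); combined with the server-level `default_type "text/html"` introduced in the previous patch, these index files go out labelled as HTML, so any HTML embedded in a Markdown document renders and executes in the site origin. Declare the types next to the `include mime.types` line, `types { text/markdown md; text/gemini gmi gemini; }`, or leave the new suffixes out of `index` if `try_files $uri.md …` (in the `location /` block outside this hunk) is meant to cover only explicit requests. Since several of these files can coexist in one directory, a precedence comment would help: `# first existing file wins: html, then json, then md/gemtext`.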