From a12feebf9376e5b562fe154f138d210a02a79f28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn?=
Date: Wed, 5 Aug 2020 21:49:13 +0200
Subject: [PATCH] adding #20
---
 app/Commands/NginxVhostsCommand.php | 17 ++++++++++++++++-
 resources/nginx/snippts/deny.conf | 6 ++++++
 resources/nginx/snippts/expires.conf | 11 +++++++++++
 resources/nginx/snippts/secure-headers.conf | 16 ++++++++++++++++
 resources/nginx/snippts/ssl-params.conf | 15 +++++++++++++++
 resources/nginx/templates/flight.blade.php | 10 ++++++++++
 resources/nginx/templates/wordpress.blade.php | 9 ++++++---
 7 files changed, 80 insertions(+), 4 deletions(-)
 create mode 100644 resources/nginx/snippts/deny.conf
 create mode 100644 resources/nginx/snippts/expires.conf
 create mode 100644 resources/nginx/snippts/secure-headers.conf
 create mode 100644 resources/nginx/snippts/ssl-params.conf
diff --git a/app/Commands/NginxVhostsCommand.php b/app/Commands/NginxVhostsCommand.php
index 0263cf5..00c1ba8 100644
--- a/app/Commands/NginxVhostsCommand.php
+++ b/app/Commands/NginxVhostsCommand.php
@@ -108,6 +108,8 @@ class NginxVhostsCommand extends Command
 'redirect_www' => true
 ];
+ exec('find /lib/systemd/system/ -name "php[0-9\.]*-fpm.service"', $files);
+
 // create checkbox for ssl
 $checkboxSSL = new CheckboxItem('ssl', function(CliMenu $menu) use (&$configuration) {
 $configuration['ssl'] = $menu->getSelectedItem()->getChecked();
@@ -152,6 +154,18 @@ class NginxVhostsCommand extends Command
 $menu->getSelectedItem()->setText('index: '.$result->fetch());
 $menu->redraw();
 })
+ ->addLineBreak('-');
+
+ foreach($files as $index => $file) {
+ $file = str_replace('/lib/systemd/system/', '', $file);
+ $file = str_replace('.service', '', $file);
+
+ $builder->addRadioItem($file, function(CliMenu $menu) use (&$configuration) {
+ $configuration['php_fpm'] = $menu->getSelectedItem()->getText();
+ });
+ }
+
+ $builder
 ->addLineBreak('-')
 // options
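Review bot: `$files` is never initialised before `exec(...)` fills it and the command's exit status is not checked, so when no `php*-fpm.service` unit exists (or `find` is unavailable) `$files` stays undefined and the `foreach($files ...)` in the next hunk emits a warning instead of telling the operator what is wrong. Spawning a shell is also unnecessary for a fixed pattern: `$files = glob('/lib/systemd/system/php[0-9.]*-fpm.service') ?: [];` gives the same list with no process and no shell, and an empty result can then be reported before the menu is built, since an empty radio group leaves `php_fpm` unset until the validator rejects the whole form. The pattern and directory are hard-coded, so nothing user-controlled reaches the shell today; keep it that way if the directory ever becomes configurable. The enclosing method starts and ends outside the hunk.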
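Review bot: The two `str_replace` calls in the `foreach` strip the directory and suffix by substring rather than by position, so `basename($file, '.service')` states the intent (unit name without directory or suffix) directly and cannot remove a `.service` that appears elsewhere in the path; `$index` is unused and can go: `foreach ($files as $file) { $unit = basename($file, '.service'); ... }`. The radio callback stores the item text, so the label shown in the menu is exactly what later becomes the socket basename in the vhost template — that coupling deserves a comment at the `addRadioItem` call, e.g. `// the label is reused verbatim as the php-fpm socket basename in the vhost template`. The loop body is complete in the hunk; the `$builder` chain it re-enters continues outside it.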
@@ -169,7 +183,8 @@ class NginxVhostsCommand extends Command
 $validator = v::key('domain', v::domain(false))
 ->key('root', v::directory())
- ->key('index', v::file());
+ ->key('index', v::file())
+ ->key('php_fpm', v::notEmpty());
 try {
 $validator->assert($data);
diff --git a/resources/nginx/snippts/deny.conf b/resources/nginx/snippts/deny.conf
new file mode 100644
index 0000000..5614847
--- /dev/null
+++ b/resources/nginx/snippts/deny.conf
@@ -0,0 +1,6 @@
+# deny hidden files
+location ~ /\. {
+ access_log off;
+ log_not_found off;
+ deny all;
+}
\ No newline at end of file
diff --git a/resources/nginx/snippts/expires.conf b/resources/nginx/snippts/expires.conf
new file mode 100644
index 0000000..271b2a8
--- /dev/null
+++ b/resources/nginx/snippts/expires.conf
@@ -0,0 +1,11 @@
+location ~* \.(?:manifest|appcache|html?|xml|json)$ {
+ access_log off;
+ log_not_found off;
+ expires -1;
+}
+
+location ~* \.(?:rss|atom)$ {
+ access_log off;
+ log_not_found off;
+ expires 1h;
+}
diff --git a/resources/nginx/snippts/secure-headers.conf b/resources/nginx/snippts/secure-headers.conf
new file mode 100644
index 0000000..3adf7a1
--- /dev/null
+++ b/resources/nginx/snippts/secure-headers.conf
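Review bot: `v::notEmpty()` on `php_fpm` only guards the unselected case; since the value is spliced into the nginx `fastcgi_pass unix:/var/run/php/<value>.sock` path, a shape check is cheap defence in depth: `->key('php_fpm', v::regex('/^php[0-9.]+-fpm$/'))` (assuming the Respect\Validation version in use ships the `regex` rule, which it has for a long time). Checking at validation time that the corresponding socket exists would additionally catch a unit that is installed but not running, which `notEmpty` cannot see. The `try` block begins in the hunk and ends outside it.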
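Review bot: `location ~ /\. { deny all; }` in deny.conf also blocks `/.well-known/`, which ACME HTTP-01 validation (Let's Encrypt) and security.txt rely on, so a vhost that includes this snippet cannot complete certificate issuance or renewal over HTTP; add a prefix location that takes precedence over the regex, `location ^~ /.well-known/ { allow all; }`, or narrow the regex to `location ~ /\.(?!well-known/) {`. nginx selects the first matching regex location in configuration order, so the snippet must be included before the `\.php` location or a `.php` path inside a dot-directory is handed to php-fpm rather than denied — worth a comment at the top of the file, `# include before any other regex location (order decides which one wins)`. The wordpress template already carries an identical block (visible as context in its third hunk), so one of the two copies should go.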
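Review bot: `access_log off;` in the first block of expires.conf silences every request for `.html`, `.xml` and `.json` resources, which are document and data requests rather than static assets — exactly the entries an incident responder reads first. The `expires -1` / `log_not_found off` tuning is fine to keep, but drop `access_log off` from that block (it is reasonable in the feed block, where `.rss`/`.atom` hits are high-volume and low-value). A one-line comment explaining why logging is kept, `# keep access_log: these are page/data requests, not assets`, would stop the next editor from re-adding it.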
@@ -0,0 +1,16 @@
+# X-Frame-Options is an HTTP header that allows sites control over how your site may be framed within an iframe
+# https://infosec.mozilla.org/guidelines/web_security#x-frame-options
+add_header X-Frame-Options DENY;
+
+# send referrer, but only on requests to the same origin
+# https://infosec.mozilla.org/guidelines/web_security#referrer-policy
+add_header Referrer-Policy same-origin;
+
+# This header enables the Cross-site scripting (XSS) filter
+# https://infosec.mozilla.org/guidelines/web_security#x-xss-protection
+add_header X-XSS-Protection "1; mode=block";
+
+# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
+# to disable content-type sniffing on some browsers.
+# https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
+add_header X-Content-Type-Options nosniff;
diff --git a/resources/nginx/snippts/ssl-params.conf b/resources/nginx/snippts/ssl-params.conf
new file mode 100644
index 0000000..2a797d2
--- /dev/null
+++ b/resources/nginx/snippts/ssl-params.conf
@@ -0,0 +1,15 @@
+# from https://cipherli.st/
+# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
diff --git a/resources/nginx/templates/flight.blade.php b/resources/nginx/templates/flight.blade.php
index d747672..232036f 100644
--- a/resources/nginx/templates/flight.blade.php
+++ b/resources/nginx/templates/flight.blade.php
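Review bot: nginx's `add_header` is only inherited into a `location` when that location sets no `add_header` of its own, so including secure-headers.conf at `server` level silently drops all four headers on any location that adds even one more; either include the snippet inside every such location or document the constraint at the top of the file, `# add_header is not merged across levels: include this snippet in every location that uses add_header itself`. The headers are also omitted from 4xx/5xx responses unless the `always` flag is given — `add_header X-Frame-Options DENY always;` and likewise for the other three. `X-XSS-Protection` no longer does anything in current browsers (the XSS auditor was removed) and is harmless but misleading as documented; a Content-Security-Policy is the modern counterpart, so the comment on that line should not present the header as an active protection.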
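Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in ssl-params.conf enables two protocol versions that the major browsers disabled in 2020 and that fail common compliance baselines; with TLS 1.3 available in nginx 1.13+ on OpenSSL 1.1.1 the line should read `ssl_protocols TLSv1.2 TLSv1.3;`. The cipher string still lists `EECDH+aRSA+RC4` before excluding `!RC4`, `!3DES` and `!MD5`, which marks it as an older cipherli.st revision; trimming it to the ECDHE AES-GCM/CHACHA20 suites would be easier to review and maintain. `ssl_dhparam /etc/ssl/certs/dhparam.pem;` makes nginx refuse to start when the file is absent, so the command that writes the vhost should verify or generate it, and HSTS (`Strict-Transport-Security`) appears in neither this file nor secure-headers.conf. Sending OCSP stapling lookups to Google's public resolvers is a deployment choice worth a comment, `# resolver is used only for OCSP stapling; point it at the local resolver if egress DNS is restricted`.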
@@ -8,4 +8,14 @@
 location / {
 try_files $uri $uri/ /index.php;
 }
+
+ # php-fpm configuration.
+ location ~ \.php(/|$) {
+ fastcgi_split_path_info ^(.+\.php)(.*)$;
+ fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_param DOCUMENT_ROOT $realpath_root;
+ include /etc/nginx/fastcgi_params;
+ }
 @endsection
\ No newline at end of file
diff --git a/resources/nginx/templates/wordpress.blade.php b/resources/nginx/templates/wordpress.blade.php
index d83808c..b3190fa 100644
--- a/resources/nginx/templates/wordpress.blade.php
+++ b/resources/nginx/templates/wordpress.blade.php
@@ -1,7 +1,7 @@
 @extends($ssl ? 'layouts.ssl' : 'layouts.no-ssl')
 @section('server')
-
+
 root {{ $root }};
 index {{ $index }};
@@ -21,9 +21,10 @@
 access_log off;
 }
- location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|woff|eot|ttf|svg|mp4|webm)$ {
 expires max;
 log_not_found off;
+ access_log off;
 }
 location ~ /\. {
@@ -34,10 +35,12 @@
 deny all;
 }
+ find /lib/systemd/system/ -name 'php[0-9\.]*-fpm.service'php7.2-fpm
+
 # php-fpm configuration.
 location ~ \.php(/|$) {
 fastcgi_split_path_info ^(.+\.php)(.*)$;
- fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
+ fastcgi_pass unix:/var/run/php/{{ $phpFpmVersion }}.sock;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
 fastcgi_param DOCUMENT_ROOT $realpath_root;
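Review bot: `fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;` in flight.blade.php hard-codes the version while the wordpress template in the same commit switches to `{{ $phpFpmVersion }}`, so the php_fpm choice collected by NginxVhostsCommand has no effect on flight vhosts; use `fastcgi_pass unix:/var/run/php/{{ $phpFpmVersion }}.sock;` here as well. With `location ~ \.php(/|$)` and `fastcgi_split_path_info`, a request for a non-PHP file followed by a `.php` path suffix can make PHP execute a file other than the one nginx matched when `cgi.fix_pathinfo=1` (the php.ini default); adding `try_files $fastcgi_script_name =404;` before `fastcgi_pass` makes nginx confirm the resolved script exists, and the same guard is missing from the wordpress block. A comment on that line, `# refuse requests whose script part does not resolve to a real file (PATH_INFO safety)`, records why it is there. The `@section` this block lives in starts outside the hunk.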
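Review bot: The added line `find /lib/systemd/system/ -name 'php[0-9\.]*-fpm.service'php7.2-fpm` in wordpress.blade.php is a pasted shell command inside the `server` block, not an nginx directive, so every WordPress vhost rendered from this template fails `nginx -t` until it is removed; delete it together with the blank line added after it. The rest of the hunk reads `$phpFpmVersion`, whereas the command stores the selection under `$configuration['php_fpm']`; the mapping between the two is not visible in this patch, so confirm the view data is keyed `phpFpmVersion`, otherwise Blade renders an empty socket basename and the vhost points at `/var/run/php/.sock`. The `location ~ \.php(/|$)` block continues outside the hunk.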