From 687a6433bb4ade3e16bbb7a04295c5ab7bd9772c Mon Sep 17 00:00:00 2001 From: Aminda Suomalainen Date: Thu, 18 May 2023 11:33:33 +0300 Subject: [PATCH] add & run prettier-plugin-nginx --- .pre-commit-config.yaml | 5 +- etc/nginx/conf.d/bitbot.conf.nginx | 23 ++++--- etc/nginx/conf.d/cloudflare.conf.nginx | 38 +++++------ etc/nginx/conf.d/default.conf.nginx | 42 +++++------- etc/nginx/conf.d/rproxy.conf.nginx | 4 +- etc/nginx/sites-enabled/old/host.nginx | 91 ++++++++++++-------------- etc/nginx/sites-enabled/rproxy.nginx | 32 +++++---- etc/nginx/sites-enabled/vhost.nginx | 49 ++++++-------- 8 files changed, 132 insertions(+), 152 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7b3b9a94..d5ba3e14 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -18,6 +18,7 @@ repos: - id: destroyed-symlinks - id: detect-private-key - id: end-of-file-fixer + exclude: .*\.nginx$ - id: fix-byte-order-marker - id: trailing-whitespace # Let's not touch LICENSE files or reuse.software directory @@ -69,7 +70,8 @@ repos: hooks: - id: prettier exclude_types: [python, pyi, jupyter] - additional_dependencies: ["prettier@2.8.8"] + additional_dependencies: + ["prettier@2.8.8", "prettier-plugin-nginx@1.0.3"] # Black, opinionated Python code formatter # - repo: https://github.com/psf/black @@ -86,6 +88,7 @@ repos: alias: ec # I don't actually care about line lengths as more than a guideline args: [-disable-max-line-length] + exclude: .*\.nginx$ # # Python linter # - repo: local diff --git a/etc/nginx/conf.d/bitbot.conf.nginx b/etc/nginx/conf.d/bitbot.conf.nginx index 21321f0c..366f166d 100644 --- a/etc/nginx/conf.d/bitbot.conf.nginx +++ b/etc/nginx/conf.d/bitbot.conf.nginx 
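Review bot: The new `exclude: .*\.nginx$` entries on end-of-file-fixer and editorconfig-checker (first and last hunks of .pre-commit-config.yaml) silence those checks rather than fix the cause; every nginx file in this patch now ends with `\ No newline at end of file`, which appears to be what the formatter produces. A comment beside each exclude would keep that intent visible, e.g. `# prettier-plugin-nginx drops the trailing newline; skip *.nginx until that is fixed upstream`. The exact pins `prettier@2.8.8` and `prettier-plugin-nginx@1.0.3` in the middle hunk are welcome, but pre-commit installs additional_dependencies with npm and no lockfile, so the plugin's transitive dependencies still float between hook environments as far as I know.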
@@ -1,17 +1,16 @@ server { - listen 80; - listen 443; - listen 14402; - listen [::]:80; - listen [::]:443; - listen [::]:14402; - ssl_certificate /etc/nginx/ssl/cert.pem; - ssl_certificate_key /etc/nginx/ssl/key.pem; - server_name bitbot.relpda.mikaela.info; - - access_log /var/log/nginx/bitbot.access.log main; + listen 80; + listen 443; + listen 14402; + listen [::]:80; + listen [::]:443; + listen [::]:14402; + ssl_certificate /etc/nginx/ssl/cert.pem; + ssl_certificate_key /etc/nginx/ssl/key.pem; + server_name bitbot.relpda.mikaela.info; + access_log /var/log/nginx/bitbot.access.log main; location / { proxy_pass http://[::1]:9050; } -} +} \ No newline at end of file diff --git a/etc/nginx/conf.d/cloudflare.conf.nginx b/etc/nginx/conf.d/cloudflare.conf.nginx index 904537c1..69bfecab 100644 --- a/etc/nginx/conf.d/cloudflare.conf.nginx +++ b/etc/nginx/conf.d/cloudflare.conf.nginx 
@@ -1,20 +1,20 @@
 # Cloudflare
- set_real_ip_from 199.27.128.0/21;
- set_real_ip_from 173.245.48.0/20;
- set_real_ip_from 103.21.244.0/22;
- set_real_ip_from 103.22.200.0/22;
- set_real_ip_from 103.31.4.0/22;
- set_real_ip_from 141.101.64.0/18;
- set_real_ip_from 108.162.192.0/18;
- set_real_ip_from 190.93.240.0/20;
- set_real_ip_from 188.114.96.0/20;
- set_real_ip_from 197.234.240.0/22;
- set_real_ip_from 198.41.128.0/17;
- set_real_ip_from 162.158.0.0/15;
- set_real_ip_from 104.16.0.0/12;
- set_real_ip_from 2400:cb00::/32;
- set_real_ip_from 2606:4700::/32;
- set_real_ip_from 2803:f800::/32;
- set_real_ip_from 2405:b500::/32;
- set_real_ip_from 2405:8100::/32;
- real_ip_header CF-Connecting-IP;
+set_real_ip_from 199.27.128.0/21;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2405:8100::/32;
+real_ip_header CF-Connecting-IP;
diff --git a/etc/nginx/conf.d/default.conf.nginx b/etc/nginx/conf.d/default.conf.nginx
index 251c1f48..7973bbc4 100644
--- a/etc/nginx/conf.d/default.conf.nginx
+++ b/etc/nginx/conf.d/default.conf.nginx
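Review bot: The `set_real_ip_from` list re-emitted on the new side carries no source or date, and as far as I can tell it no longer matches Cloudflare's currently published ranges (for instance 172.64.0.0/13 and 131.0.72.0/22 are absent while 199.27.128.0/21 is still listed). Since `real_ip_header CF-Connecting-IP;` trusts that header from every listed range, a stale list means requests arriving through unlisted edge nodes are logged and rate-limited under the edge address, and a range that has since been reassigned would let its new holder present an arbitrary client address. Add a provenance comment such as `# Source: https://www.cloudflare.com/ips/ — regenerate when the published list changes` and rebuild the list from it.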
@@ -1,42 +1,37 @@ server { - listen 80; - listen 443 ssl; - listen 14402 ssl; - listen [::]:80 ipv6only=on; - listen [::]:443 ssl ipv6only=on; - listen [::]:14402 ssl ipv6only=on; - ssl_certificate /etc/nginx/ssl/cert.pem; + listen 80; + listen 443 ssl; + listen 14402 ssl; + listen [::]:80 ipv6only=on; + listen [::]:443 ssl ipv6only=on; + listen [::]:14402 ssl ipv6only=on; + ssl_certificate /etc/nginx/ssl/cert.pem; ssl_certificate_key /etc/nginx/ssl/key.pem; - server_name relpda.mikaela.info; + server_name relpda.mikaela.info; #charset koi8-r; #access_log /var/log/nginx/host.access.log main; - -#location /api/ { -# proxy_pass http://[::1]:9050; -# } - - + #location /api/ { + # proxy_pass http://[::1]:9050; + # } location / { - root /usr/share/nginx/html; - index index.html index.htm; + root /usr/share/nginx/html; + index index.html index.htm; } #error_page 404 /404.html; - # redirect server error pages to the static page /50x.html # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { @@ -46,11 +41,10 @@ server { # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} - # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} -} +} \ No newline at end of file diff --git a/etc/nginx/conf.d/rproxy.conf.nginx b/etc/nginx/conf.d/rproxy.conf.nginx index 8ba2d2c4..9bd5e9f7 100644 --- a/etc/nginx/conf.d/rproxy.conf.nginx +++ b/etc/nginx/conf.d/rproxy.conf.nginx 
@@ -1,2 +1,2 @@
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/etc/nginx/sites-enabled/old/host.nginx b/etc/nginx/sites-enabled/old/host.nginx
index 712599f9..73148cc4 100644
--- a/etc/nginx/sites-enabled/old/host.nginx
+++ b/etc/nginx/sites-enabled/old/host.nginx
@@ -1,51 +1,47 @@ server { - listen 80 default_server; - listen [::]:80 default_server ipv6only=on; - listen 443 default_server ssl http2; - listen [::]:443 default_server ssl http2 ipv6only=on; - - root /var/www/default/; - index index.php index.html index.htm; - -### Generating SSL certificate: -## mkdir -p /etc/nginx/ssl && cd /etc/nginx/ssl -## openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout nginx.key -out nginx.crt -### this takes forever and is used on line 23. -## openssl dhparam -out dhparam.pem 4096 - ssl_certificate /etc/nginx/ssl/nginx.crt; - ssl_certificate_key /etc/nginx/ssl/nginx.key; -# ----- begin of Mozilla Server Side TLS recommendations ----- -# **2014-11-07** https://wiki.mozilla.org/Security/Server_Side_TLS - ssl_session_timeout 5m; - ssl_session_cache shared:SSL:50m; - + listen 80 default_server; + listen [::]:80 default_server ipv6only=on; + listen 443 default_server ssl http2; + listen [::]:443 default_server ssl http2 ipv6only=on; + root /var/www/default/; + index index.php index.html index.htm; + ### Generating SSL certificate: + ## mkdir -p /etc/nginx/ssl && cd /etc/nginx/ssl + ## openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout nginx.key -out nginx.crt + ### this takes forever and is used on line 23. + ## openssl dhparam -out dhparam.pem 4096 + ssl_certificate /etc/nginx/ssl/nginx.crt; + ssl_certificate_key /etc/nginx/ssl/nginx.key; + # ----- begin of Mozilla Server Side TLS recommendations ----- + # **2014-11-07** https://wiki.mozilla.org/Security/Server_Side_TLS + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits # See generation on line 14 - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - + ssl_dhparam /etc/nginx/ssl/dhparam.pem; # Intermediate configuration. tweak to your needs. # comment just for me, don't uncomment. 
#ssl_ciphers ''; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; - # Enable this if your want HSTS (recommended) - add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy upgrade-insecure-requests; - add_header X-Xss-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - + add_header Strict-Transport-Security + "max-age=15552000; 
includeSubdomains; preload"; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy + upgrade-insecure-requests; + add_header X-Xss-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them - ssl_stapling on; - ssl_stapling_verify on; + ssl_stapling on; + ssl_stapling_verify on; + ## verify chain of trust of OCSP response using Root CA and Intermediate certs #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; #resolver ::1; -# ----- end of Mozilla Server Side TLS recommendations ----- - + # ----- end of Mozilla Server Side TLS recommendations ----- location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. @@ -55,34 +51,31 @@ server { # Userdir location ~ ^/~(.+?)(/.*)?$ { - alias /home/$1/public_html$2; - index index.html index.htm; + alias /home/$1/public_html$2; + index index.html index.htm; autoindex on; } - #error_page 404 /404.html; - # redirect server error pages to the static page /50x.html # #error_page 500 502 503 504 /50x.html; #location = /50x.html { # root /usr/share/nginx/html; #} - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; - # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini - # - # # With php5-cgi alone: - # fastcgi_pass 127.0.0.1:9000; - # # With php5-fpm: - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_index index.php; + # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + # + # # With php5-cgi alone: + # fastcgi_pass 127.0.0.1:9000; + # # With php5-fpm: + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; #include fastcgi_params; - include fastcgi.conf; + include fastcgi.conf; } # deny access to .htaccess files, if Apache's document root 
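Review bot: The new side of the first host.nginx hunk still carries `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` together with the 2014-dated cipher string that keeps `DES-CBC3-SHA`, `CAMELLIA` and the non-forward-secret `AES128-SHA`/`AES256-SHA` families; TLS 1.0 and 1.1 are deprecated by RFC 8996 and the Mozilla profile this was copied from has long been superseded. The file lives under sites-enabled/old/, but the directory name is the only signal that it is not meant to be included, so either add a header comment saying so (`# ARCHIVED: 2014-era TLS settings kept for reference, do not include`) or move it to `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 where the nginx/OpenSSL build supports it) with a current intermediate cipher list. `ssl_stapling_verify on;` is also enabled while `ssl_trusted_certificate` and `resolver` remain commented out, so as written the stapled response has nothing to be verified against and the responder name presumably cannot be resolved. The `server {` block opened at the top of this hunk closes outside it.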
@@ -91,4 +84,4 @@ server { location ~ /\.ht { deny all; } -} +} \ No newline at end of file diff --git a/etc/nginx/sites-enabled/rproxy.nginx b/etc/nginx/sites-enabled/rproxy.nginx index 9468a59a..322946f8 100644 --- a/etc/nginx/sites-enabled/rproxy.nginx +++ b/etc/nginx/sites-enabled/rproxy.nginx @@ -1,22 +1,20 @@ server { - listen 80; - listen [::]:80; - listen 443; - listen [::]:443; - + listen 80; + listen [::]:80; + listen 443; + listen [::]:443; # Enable this if your want HSTS (recommended) - add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy upgrade-insecure-requests; - add_header X-Xss-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - + add_header Strict-Transport-Security + "max-age=15552000; includeSubdomains; preload"; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy upgrade-insecure-requests; + add_header X-Xss-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; server_name something.example.org; -# NOTE: For X-Real-IP & X-Forwarded-For see ../conf.d/rproxy.conf -# Behind CloudFlare see ../conf.d/cloudflare.conf - -location / { - proxy_pass http://localhost:8080; + # NOTE: For X-Real-IP & X-Forwarded-For see ../conf.d/rproxy.conf + # Behind CloudFlare see ../conf.d/cloudflare.conf + location / { + proxy_pass http://localhost:8080; } -} +} \ No newline at end of file diff --git a/etc/nginx/sites-enabled/vhost.nginx b/etc/nginx/sites-enabled/vhost.nginx index b5e41655..5b8ab4d0 100644 --- a/etc/nginx/sites-enabled/vhost.nginx +++ b/etc/nginx/sites-enabled/vhost.nginx 
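Review bot: `listen 443;` and `listen [::]:443;` in the rproxy.nginx hunk carry no `ssl` parameter and the block defines no `ssl_certificate`, yet it sends `Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"` on every response. Unless another server on the same address:port enables `ssl` on the shared socket (conf.d/default.conf.nginx does so for its wildcard listeners, which is not visible from this file), port 443 here answers plaintext HTTP while instructing browsers to use HTTPS for the whole domain and its subdomains. Make the dependency explicit with `listen 443 ssl;` and `listen [::]:443 ssl;` plus a comment naming where the certificate for `something.example.org` is configured. The same pattern appears in the sites-enabled/vhost.nginx hunk that follows.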
@@ -1,21 +1,18 @@ server { - # default_server from default vhost must exist somewhere! - listen 80; - listen [::]:80; - listen 443; - listen [::]:443; - + listen 80; + listen [::]:80; + listen 443; + listen [::]:443; # Enable this if your want HSTS (recommended) - add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy upgrade-insecure-requests; - add_header X-Xss-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - - root /var/www/vhostdir; - index index.php index.html index.htm; - + add_header Strict-Transport-Security + "max-age=15552000; includeSubdomains; preload"; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy upgrade-insecure-requests; + add_header X-Xss-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + root /var/www/vhostdir; + index index.php index.html index.htm; # vhost address server_name vhost.example.org; 
@@ -32,30 +29,26 @@ server { # index index.html index.htm; # autoindex on; #} - - #error_page 404 /404.html; - # redirect server error pages to the static page /50x.html # #error_page 500 502 503 504 /50x.html; #location = /50x.html { # root /usr/share/nginx/html; #} - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; - # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini - # - # # With php5-cgi alone: - # fastcgi_pass 127.0.0.1:9000; - # # With php5-fpm: - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_index index.php; + # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + # + # # With php5-cgi alone: + # fastcgi_pass 127.0.0.1:9000; + # # With php5-fpm: + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; #include fastcgi_params; - include fastcgi.conf; + include fastcgi.conf; } # deny access to .htaccess files, if Apache's document root @@ -64,4 +57,4 @@ server { location ~ /\.ht { deny all; } -} +} \ No newline at end of file