Inital commit

2023-03-09 22:32:16 +13:00 · 2023-03-09 22:32:16 +13:00 · eeb2e0663d
commit eeb2e0663d
6 changed files with 157 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+cloudflare.ini
--- a/README.md
+++ b/README.md
@ -0,0 +1,13 @@
+## Get TLS certs
+
+```docker-composer run --rm certbot```
+
+
+## Generate DH params
+
+```docker-compose run --rm nginx openssl  dhparam  -out   /etc/letsencrypt/ssl-dhparams.pem  2048```
+
+## Start Nginx
+
+```docker-compose up -d nginx```
+
--- a/cloudflare.ini.sample
+++ b/cloudflare.ini.sample
@ -0,0 +1 @@
+dns_cloudflare_api_token = 
--- a/conf/example.com.conf.sample
+++ b/conf/example.com.conf.sample
@ -0,0 +1,46 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name example.com;
+    server_tokens off;
+
+    location / {
+        return 301 https://example.com$request_uri;
+    }
+}
+
+server {   
+    
+     
+    ### SSL LetsEncrypt
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name example.com;
+    resolver 127.0.0.11 valid=30s ipv6=off;
+
+    location / {
+        set $backend http://example:80;
+        proxy_pass $backend;
+    }
+    
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+
+    ### Create the dhparam file: 
+    ### openssl  dhparam  -out  ssl-dhparams.pem  2048
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:1m;  # about 4000 sessions
+    ssl_session_tickets off;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+}
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -0,0 +1,44 @@
+version: '3'
+services:
+
+  certbot:
+    image: certbot/dns-cloudflare
+    volumes:
+      - certbot_etc:/etc/letsencrypt
+      - ./cloudflare.ini:/root/cloudflare.ini
+    command: >-
+      certonly --dns-cloudflare
+      --dns-cloudflare-credentials /root/cloudflare.ini
+      --dns-cloudflare-propagation-seconds 15
+      --email admin@example.com
+      --agree-tos --no-eff-email
+      --keep-until-expiring
+      -d *.example.coms
+#      --force-renewal
+ 
+  nginx:
+    image: nginx
+    ports:
+      - "80:80"
+      - "443:443"
+    restart: "always"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1m"
+        max-file: "10"
+    volumes:
+      - ./conf:/etc/nginx/conf.d
+      - ./nginx.conf:/etc/nginx/nginx.conf
+      - certbot_etc:/etc/letsencrypt
+    networks:
+      - nginx
+    stdin_open: true
+    tty: true
+
+volumes:
+  certbot_etc:
+
+networks:
+  nginx:
+    name: nginx
--- a/nginx.conf
+++ b/nginx.conf
@ -0,0 +1,52 @@
+user  nginx;
+worker_processes  auto;
+load_module "/usr/lib/nginx/modules/ngx_http_xslt_filter_module.so";
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+
+    # Disable sending the server identification
+    server_tokens off;
+
+    # Prevent displaying Botpress in an iframe (clickjacking protection)
+    add_header X-Frame-Options SAMEORIGIN;
+
+    # Prevent browsers from detecting the mimetype if not sent by the server.
+    add_header X-Content-Type-Options nosniff;
+
+    # Force enable the XSS filter for the website, in case it was disabled manually
+    add_header X-XSS-Protection "1; mode=block";
+
+    # Configure the cache for static assets
+    proxy_cache_path /srv/nginx_cache levels=1:2 keys_zone=my_cache:10m max_size=10g
+                inactive=60m use_temp_path=off;
+
+    # Set the max file size for uploads (make sure it is larger than the configured media size in botpress.config.json)
+    client_max_body_size 15M;
+}
+