From 790f12435541c081b0cafbf7816362ab7599cf30 Mon Sep 17 00:00:00 2001
From: Joby Elliott
Date: Fri, 25 Oct 2024 13:21:43 -0600
Subject: [PATCH] nginx site config updates

---
 site-config.conf | 16 ++++++++++---
 update-site.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 3 deletions(-)
 create mode 100644 update-site.sh

diff --git a/site-config.conf b/site-config.conf
index 92e92fe..ee7127b 100644
--- a/site-config.conf
+++ b/site-config.conf
@@ -32,8 +32,12 @@ server {
 # Apply general rate limit
 limit_req zone=general burst=100 nodelay;
 
- # Content Security Policy (needs to be per-domain)
- add_header Content-Security-Policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN" always;
+ # Content Security Policy and other security headers
+ set $content_security_policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN";
+ add_header Content-Security-Policy $content_security_policy always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 
 # Subdomain handling
 set $subdomain '';
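Review bot: The policy assigned to `$content_security_policy` has no `frame-ancestors` directive, so the only control over who may frame this site is the `X-Frame-Options` header added below it; `frame-src` limits what the page may embed, not who may embed the page. Adding `frame-ancestors 'self';` to the policy string (next to `base-uri 'self'`) expresses the same rule in CSP, which browsers honour in preference to X-Frame-Options when both are present. The switch from a literal `add_header` to a `set` variable is presumably so the same value can be re-emitted in location blocks, since nginx drops every inherited `add_header` once a location declares its own; that reason belongs in the comment, e.g. `# Kept in a variable so location blocks that use add_header can re-emit it`. The `'unsafe-inline' 'unsafe-eval'` allowances in `script-src` carry over unchanged from the removed line, so the policy still does not restrict inline script.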
@@ -83,10 +87,16 @@ server { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } - # Static file handling + # Static file handling (matches any file extension except .php) location ~* ^.+\.((?!php).)*$ { + # Caching and security headers expires 30d; add_header Cache-Control "public, no-transform"; + add_header Content-Security-Policy $content_security_policy always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + # Try to serve the file directly try_files $uri $uri/ =404; }
diff --git a/update-site.sh b/update-site.sh
new file mode 100644
index 0000000..9faaff1
--- /dev/null
+++ b/update-site.sh
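Review bot: The four `add_header` lines repeated inside the static-file `location` are a second copy of the server-level set from the earlier hunk, and nothing ties the two copies together, so a later edit to one will silently leave the other behind. Moving them into a snippet, e.g. `include snippets/security-headers.conf;` (placeholder path), and including it at both points keeps the header set in one place. The repetition itself appears deliberate: nginx discards inherited `add_header` directives as soon as a location declares its own, and this location already emits `Cache-Control`, which is worth saying in the `# Caching and security headers` comment. The `fastcgi` location above this hunk is cut off at the hunk start, so whether it also declares an `add_header` and therefore also loses the server-level headers cannot be checked from here.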
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Script to update Nginx configuration for an existing site
+if [ "$EUID" -ne 0 ]; then
+ echo "Please run as root or with sudo"
+ exit 1
+fi
+
+# Set up logging
+LOG_FILE="/var/log/site_setup.log"
+exec > >(tee -a "$LOG_FILE") 2>&1
+echo "Configuration update started at $(date)"
+echo "Logging to $LOG_FILE"
+
+# Prompt for domain input
+read -p "Enter the domain name (e.g., example.com): " domain
+if [[ ! "$domain" =~ ^[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then
+ echo "Invalid domain name format"
+ exit 1
+fi
+
+# Verify domain exists in Nginx config
+if [ ! -f "/etc/nginx/sites-available/$domain" ]; then
+ echo "Error: Domain configuration not found in /etc/nginx/sites-available/$domain"
+ exit 1
+fi
+
+# Verify SSL certificates exist
+if [ ! -d "/etc/letsencrypt/live/$domain" ]; then
+ echo "Error: SSL certificates not found for $domain"
+ exit 1
+fi
+
+# Backup existing configuration
+backup_file="/etc/nginx/sites-available/${domain}.backup-$(date +%Y%m%d-%H%M%S)"
+cp "/etc/nginx/sites-available/$domain" "$backup_file"
+echo "Backed up existing configuration to $backup_file"
+
+# Copy new Nginx configuration from adjacent file
+nginx_config="/etc/nginx/sites-available/$domain"
+cp "$(realpath "site-config.conf")" "$nginx_config"
+
+# Replace $DOMAIN placeholder in the nginx config file
+sed -i "s/\$DOMAIN/$domain/g" "$nginx_config"
+
+# Test Nginx configuration
+echo "Testing new configuration..."
+nginx -t
+if [ $? -ne 0 ]; then
+ echo "Error: Invalid Nginx configuration. Restoring backup..."
+ cp "$backup_file" "$nginx_config"
+ exit 1
+fi
+
+# Reload nginx
+systemctl reload nginx
+
+echo "Configuration update complete for $domain"
+echo "Previous configuration backed up to: $backup_file"
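Review bot: `cp "$(realpath "site-config.conf")" "$nginx_config"` resolves the source relative to the caller's current directory rather than the script's, and because the script has no `set -e` and never checks `cp`, running it from any other directory leaves the old config in place while `nginx -t` passes, nginx reloads, and the script still prints "Configuration update complete". Resolve the source from the script's own directory and enable `set -euo pipefail`; since `set -e` would abort on a failing `nginx -t` before the restore branch runs, the test has to move into the `if` condition. The domain regex is the only thing keeping `/`, `&` and `\` out of the value interpolated into the `sed` replacement, which deserves a comment beside the check, e.g. `# Also keeps sed-special characters (/ & \) out of $domain, which is interpolated into the sed command below`. `read -p` without `-r` additionally mangles backslashes in the input, although the regex rejects such input anyway.
```shell
#!/bin/bash
set -euo pipefail   # abort on any failed command, unset variable or failed pipe stage

# … unchanged: root check, logging, domain prompt/validation, existence checks, backup …

# Copy new Nginx configuration from the directory this script lives in,
# not from the caller's current working directory
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
nginx_config="/etc/nginx/sites-available/$domain"
cp "$script_dir/site-config.conf" "$nginx_config"

# … unchanged: sed placeholder replacement …

# Test Nginx configuration; under set -e the test must be the if-condition
# so a failure reaches the restore branch instead of aborting the script
echo "Testing new configuration..."
if ! nginx -t; then
    echo "Error: Invalid Nginx configuration. Restoring backup..."
    cp "$backup_file" "$nginx_config"
    exit 1
fi

# … unchanged: reload and final messages …
```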