From 13d9c32282df3e6f3df5d5e012105cddafd7fdf0 Mon Sep 17 00:00:00 2001
From: rskntroot
Date: Mon, 10 Jun 2024 02:29:11 +0000
Subject: [PATCH] enhance security via nginx static hosting
---
 .gitignore | 2 +-
 compose.yml | 19 ++++++++++---
 mkdocs/docs/index.md | 4 +-
 nginx/etc/conf.d/default.conf | 34 +++++++++++++++++++++++
 traefik/log/{required.md => .required.md} | 0
 traefik/tls/{required.md => .required.md} | 0
 6 files changed, 52 insertions(+), 7 deletions(-)
 create mode 100644 nginx/etc/conf.d/default.conf
 rename traefik/log/{required.md => .required.md} (100%)
 rename traefik/tls/{required.md => .required.md} (100%)
diff --git a/.gitignore b/.gitignore
index b904a1c..fd89bd6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-docs/build
+mkdocs/site
 traefik/log/*.log
 traefik/log/*.gz
 traefik/tls/*.json
diff --git a/compose.yml b/compose.yml
index e5c3fbe..0888efb 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,4 +1,11 @@
 services:
+  mkdocs:
+    image: squidfunk/mkdocs-material
+    command:
+      - build
+    volumes:
+      - ./mkdocs:/docs
+
   traefik:
     image: traefik:latest
     command:
@@ -13,8 +20,8 @@ services:
       - ./traefik/log:/var/log/traefik
       - ./traefik/tls:/letsencrypt
 
-  mkdocs:
-    image: squidfunk/mkdocs-material
+  nginx:
+    image: nginx:latest
     labels:
       - traefik.enable=true
       - traefik.http.routers.rskio.entrypoints=websecure
@@ -22,7 +29,11 @@ services:
       - traefik.http.routers.rskio.tls=true
       - traefik.http.routers.rskio.tls.certresolver=rskio_certresolver
       - traefik.http.routers.rskio.service=rskio@docker
-      - traefik.http.services.rskio.loadbalancer.server.port=8000
+      - traefik.http.services.rskio.loadbalancer.server.port=80
     volumes:
-      - ./mkdocs:/docs
+      - ./mkdocs/site:/opt/share/mkdocs/html:ro
+      - ./nginx/etc/conf.d:/etc/nginx/conf.d:ro
+    depends_on:
+      mkdocs:
+        condition: service_completed_successfully
 
diff --git a/mkdocs/docs/index.md b/mkdocs/docs/index.md
index 9a0da13..792a563 100644
--- a/mkdocs/docs/index.md
+++ b/mkdocs/docs/index.md
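Review bot: `image: nginx:latest` in the new nginx service, and the untagged `squidfunk/mkdocs-material` in the first compose.yml hunk (which also resolves to latest), pin nothing, so the image that actually serves the site can change on every pull without a reviewable diff. Pinning a version tag, or better a digest such as `image: nginx:<tag>@sha256:<digest>` (placeholder values), makes the deployment reproducible and turns upstream image updates into commits; `traefik:latest` has the same issue but predates this change. The read-only bind mounts and the `depends_on` condition on the build job look right. One thing worth confirming is whether a later `docker compose up` re-runs the one-shot mkdocs service after a content change, since `./mkdocs/site` is only refreshed when it does.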
@@ -2,14 +2,14 @@
 ## Rskio
 
-This site (a project of mine in and of itself) is meant to catalog my efforts. Through the years, I have "spun my wheels" in order to learn, get something working, or even try something interesting--only for it to be lost to time. You could boil this site down to my notes. However, I fully intend for it to be much more than that. This site exists for me and the possibilty that it might help you too.
+This site is meant to catalog my efforts. Through the years, I have "spun my wheels" in order to learn, get something working, or even try something interesting--only for it to be lost to time. You could boil this site down to my notes. However, I fully intend for it to be much more than that. This site exists for me and the possibilty something I did might help you too.
 
 ## About
 
 Its been what, now? Around 10 years since I started working in computing proffessionally (right after dropping out of a Computer Science program, oops). Oh and about 14 since I'd learned my first programming language. What?! I'm in my thirties?! Guess I can't go saying I'm just some random kid on the internet anymore.
 
-Just like everyone else my age, I got into computing because my family didn't know how to get the wifi working when we finally got broadband internet. Somehow that got me into robotics and programming in middle school and it snowballed from there. After a multi-year stint with the challenges of the cyber security field, I found peace by letting other people deal with it. These days I'm a full-time computer engineer that designs and deploys network infrastructure for a Tier-1 cloud provider. In my spare time, I work on projects, or dream of a financial freedom and getting able to work on whatever projects I want full-time, or both.
+Just like everyone else my age, I got into computing because my family didn't know how to get the wifi working when we finally got broadband internet. Somehow that got me into robotics and programming in middle school and it snowballed from there. After a multi-year stint with the challenges of the cyber security field, I found peace letting other people deal with it. These days I'm a full-time computer engineer that designs and deploys network infrastructure for a Tier-1 cloud provider. In my spare time, I work on projects or dream of financial freedom that would allow me to work on whatever projects I want full-time.
 
 ## What does Rskio Mean?
diff --git a/nginx/etc/conf.d/default.conf b/nginx/etc/conf.d/default.conf
new file mode 100644
index 0000000..4f0902d
--- /dev/null
+++ b/nginx/etc/conf.d/default.conf
@@ -0,0 +1,34 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name rskio.com;
+
+    server_tokens off;
+
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+    add_header X-XSS-Protection "1; mode=block";
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
+    # rskio logging is handled via traefik
+    #access_log /var/log/nginx/host.access.log main;
+
+    location / {
+        root /opt/share/mkdocs/html;
+        index index.html index.htm;
+        limit_except GET HEAD POST { deny all; }
+    }
+
+    # rskio auth is handled via traefik
+    #error_page 404 /404.html;
+
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/html;
+        limit_except GET HEAD POST { deny all; }
+    }
+}
+
diff --git a/traefik/log/required.md b/traefik/log/.required.md
similarity index 100%
rename from traefik/log/required.md
rename to traefik/log/.required.md
diff --git a/traefik/tls/required.md b/traefik/tls/.required.md
similarity index 100%
rename from traefik/tls/required.md
rename to traefik/tls/.required.md
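Review bot: The `Content-Security-Policy` in the new default.conf puts `http:`, `https:`, `data:`, `blob:` and `'unsafe-inline'` in `default-src`, which permits scripts and styles from any origin and inline, so the header does not restrict anything an injected script would need; for a static mkdocs site `default-src 'self'` with explicit `script-src`/`style-src` (adding `'unsafe-inline'` only where the theme's generated inline assets require it — verify against the built pages) would be a policy that actually constrains. The `ssl_protocols` and `ssl_prefer_server_ciphers` lines are inert because this block only listens on port 80 and TLS terminates at traefik, as the comments say, so dropping them avoids implying nginx handles TLS. `limit_except GET HEAD POST { deny all; }` in both locations admits POST to a read-only static tree; `limit_except GET HEAD { deny all; }` matches what is served, and `add_header X-Content-Type-Options "nosniff" always;` is the one common hardening header missing from the set (while `X-XSS-Protection` is retired in current browsers and can go). HSTS with `includeSubdomains; preload` is a long-lived, hard-to-revoke commitment for every subdomain of rskio.com, so confirm that is intended before submitting to the preload list.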