From df35dc5e05fb451683ac2e188f5e43a503002243 Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Thu, 6 Jun 2024 13:52:15 +0200
Subject: [PATCH] Add mta-sts configuration
---
 etc/nginx/sites-enabled/mail | 3 ---
 etc/nginx/sites-enabled/mta-sts | 18 ++++++++++++++++++
 etc/nginx/sites-enabled/openpgpkey | 3 +--
 etc/prosody/prosody.cfg.lua | 2 +-
 4 files changed, 20 insertions(+), 6 deletions(-)
 create mode 100644 etc/nginx/sites-enabled/mta-sts
diff --git a/etc/nginx/sites-enabled/mail b/etc/nginx/sites-enabled/mail
index 17020f3..9e77fef 100644
--- a/etc/nginx/sites-enabled/mail
+++ b/etc/nginx/sites-enabled/mail
@@ -45,7 +45,6 @@ server {
 add_header Referrer-Policy no-referrer always;
 add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
 add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
- add_header Expect-CT "max-age=86400, enforce" always;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 add_header Cross-Origin-Embedder-Policy require-corp always;
 add_header Cross-Origin-Opener-Policy same-origin always;
@@ -70,7 +69,6 @@ server {
 add_header Referrer-Policy no-referrer always;
 add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
 add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
- add_header Expect-CT "max-age=86400, enforce" always;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 add_header Cross-Origin-Embedder-Policy require-corp always;
 add_header Cross-Origin-Opener-Policy same-origin always;
@@ -82,7 +80,6 @@ server {
 location ~ \.php$ {
 add_header Referrer-Policy no-referrer always;
 add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
- add_header Expect-CT "max-age=86400, enforce" always;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 include snippets/fastcgi-php.conf;
 fastcgi_pass unix:/run/php/php8.2-fpm.sock;
diff --git a/etc/nginx/sites-enabled/mta-sts b/etc/nginx/sites-enabled/mta-sts
new file mode 100644
index 0000000..3192b87
--- /dev/null
+++ b/etc/nginx/sites-enabled/mta-sts
@@ -0,0 +1,18 @@
+server {
+ listen [::]:443 ssl http2;
+ server_name mta-sts.danwin1210.de;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+ location / {
+ return 404;
+ }
+ location = /.well-known/mta-sts.txt {
+ default_type text/plain;
+ return 200 "version: STSv1
+mode: enforce
+mx: danwin1210.de
+max_age: 86400
+";
+ }
+}
\ No newline at end of file
diff --git a/etc/nginx/sites-enabled/openpgpkey b/etc/nginx/sites-enabled/openpgpkey
index 835e034..9ec6587 100644
--- a/etc/nginx/sites-enabled/openpgpkey
+++ b/etc/nginx/sites-enabled/openpgpkey
@@ -1,6 +1,5 @@
 server {
- listen [::]:443 ssl proxy_protocol http2;
- add_header Expect-CT "max-age=86400, enforce" always;
+ listen [::]:443 ssl http2;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 root /var/www/html;
 location / {
diff --git a/etc/prosody/prosody.cfg.lua b/etc/prosody/prosody.cfg.lua
index 1ec42bd..20fdae8 100644
--- a/etc/prosody/prosody.cfg.lua
+++ b/etc/prosody/prosody.cfg.lua
@@ -247,7 +247,7 @@ contact_info = {
 security = { "https://danwin1210.de/contact.php", "mailto:daniel@danwin1210.de" };
 support = { "https://danwin1210.de/contact.php", "mailto:daniel@danwin1210.de" };
 }
-data_path = "/srv/var/lib/prosody"
+data_path = "/var/lib/prosody"
 legacy_ssl_ports = {5223}
 external_services = {
 {
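Review bot: The new policy host is served with the `ssl-cert-snakeoil` pair on the `ssl_certificate` and `ssl_certificate_key` lines, but a sending MTA only honours an MTA-STS policy it fetched over HTTPS with a certificate that chains to a public root and matches `mta-sts.danwin1210.de`; with a self-signed certificate the fetch fails and `mode: enforce` is never applied, so the file provides no protection unless that path is replaced at deploy time. If it is a placeholder that a deploy step overwrites, a comment saying so, `# replaced at deploy time by the publicly trusted certificate for mta-sts.danwin1210.de`, would save the next reader the question. It is also worth starting with `mode: testing` and a TLSRPT address before switching to `enforce`, and `max_age: 86400` lets a cached policy lapse after a day whereas longer values (the RFC 8461 example uses a week) keep senders protected while the policy host is briefly unreachable. Note that senders only look for this file once a `_mta-sts.danwin1210.de` TXT record carrying an `id` is published, which is outside this change.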
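Review bot: The new `listen [::]:443 ssl http2;` line drops `proxy_protocol`, so this server now expects a plain TLS ClientHello on the socket; if a frontend (a Tor or haproxy forwarder, for instance) still prepends a PROXY header, every connection to the openpgpkey host will be rejected as malformed, and whether such a frontend is still in place cannot be seen in this change. The commit title only mentions MTA-STS, so one sentence in the message saying why this listener changed would make the intent checkable. The enclosing `server {` block and its `location / {` continue past the hunk.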
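Review bot: `data_path` moves from `/srv/var/lib/prosody` to `/var/lib/prosody` and nothing in the change migrates the existing store; if the new directory exists and is writable by the prosody user the server will presumably come up with empty accounts and rosters, and if it does not exist it will fail to start. A sentence in the commit message stating that the data was moved (or that this only reverts a local deviation from the packaged default) would make the change reviewable, since the title "Add mta-sts configuration" does not cover it. The surrounding `external_services = {` table continues past the hunk.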