diff --git a/util/Nginx/.dockerignore b/util/Nginx/.dockerignore
index ecb4c57f7c..f92b8369f8 100644
--- a/util/Nginx/.dockerignore
+++ b/util/Nginx/.dockerignore
@@ -1,3 +1,5 @@
 *
 !entrypoint.sh
 !nginx.conf
+!proxy.conf
+!mime.types
diff --git a/util/Nginx/Dockerfile b/util/Nginx/Dockerfile
index ff3e127648..7dc47c707b 100644
--- a/util/Nginx/Dockerfile
+++ b/util/Nginx/Dockerfile
@@ -1,7 +1,8 @@
 FROM nginx:stable
-RUN rm /etc/nginx/nginx.conf
-COPY nginx.conf /etc/nginx/nginx.conf
+COPY nginx.conf /etc/nginx
+COPY proxy.conf /etc/nginx
+COPY mime.types /etc/nginx
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
diff --git a/util/Nginx/mime.types b/util/Nginx/mime.types
new file mode 100644
index 0000000000..7c3b1e7386
--- /dev/null
+++ b/util/Nginx/mime.types
@@ -0,0 +1,138 @@
+types {
+
+ # Data interchange
+
+ application/atom+xml atom;
+ application/json json map topojson;
+ application/ld+json jsonld;
+ application/rss+xml rss;
+ application/vnd.geo+json geojson;
+ application/xml rdf xml;
+
+
+ # JavaScript
+
+ # Normalize to standard type.
+ # https://tools.ietf.org/html/rfc4329#section-7.2
+ application/javascript js;
+
+
+ # Manifest files
+
+ application/manifest+json webmanifest;
+ application/x-web-app-manifest+json webapp;
+ text/cache-manifest appcache;
+
+
+ # Media files
+
+ audio/midi mid midi kar;
+ audio/mp4 aac f4a f4b m4a;
+ audio/mpeg mp3;
+ audio/ogg oga ogg opus;
+ audio/x-realaudio ra;
+ audio/x-wav wav;
+ image/bmp bmp;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ image/jxr jxr hdp wdp;
+ image/png png;
+ image/svg+xml svg svgz;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/webp webp;
+ image/x-jng jng;
+ video/3gpp 3gp 3gpp;
+ video/mp4 f4p f4v m4v mp4;
+ video/mpeg mpeg mpg;
+ video/ogg ogv;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-mng mng;
+ video/x-ms-asf asf asx;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+
+ # Serving `.ico` image files with a different media type
+ # prevents Internet Explorer from displaying then as images:
+ # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
+
+ image/x-icon cur ico;
+
+
+ # Microsoft Office
+
+ application/msword doc;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+
+ # Web fonts
+
+ application/font-woff woff;
+ application/font-woff2 woff2;
+ application/vnd.ms-fontobject eot;
+
+ # Browsers usually ignore the font media types and simply sniff
+ # the bytes to figure out the font type.
+ # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
+ #
+ # However, Blink and WebKit based browsers will show a warning
+ # in the console if the following font types are served with any
+ # other media types.
+
+ application/x-font-ttf ttc ttf;
+ font/opentype otf;
+
+
+ # Other
+
+ application/java-archive ear jar war;
+ application/mac-binhex40 hqx;
+ application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz;
+ application/pdf pdf;
+ application/postscript ai eps ps;
+ application/rtf rtf;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/vnd.wap.wmlc wmlc;
+ application/x-7z-compressed 7z;
+ application/x-bb-appworld bbaw;
+ application/x-bittorrent torrent;
+ application/x-chrome-extension crx;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-opera-extension oex;
+ application/x-perl pl pm;
+ application/x-pilot pdb prc;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert crt der pem;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xslt+xml xsl;
+ application/zip zip;
+ text/css css;
+ text/csv csv;
+ text/html htm html shtml;
+ text/markdown md;
+ text/mathml mml;
+ text/plain txt;
+ text/vcard vcard vcf;
+ text/vnd.rim.location.xloc xloc;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/vtt vtt;
+ text/x-component htc;
+
+}
diff --git a/util/Nginx/nginx.conf b/util/Nginx/nginx.conf
index 94b97727ec..12183d0488 100644
--- a/util/Nginx/nginx.conf
+++ b/util/Nginx/nginx.conf
@@ -30,6 +30,7 @@ error_log /var/log/nginx/error.log warn;
 pid /var/run/nginx.pid;
 http {
+ include proxy.conf;
 # Hide nginx version information.
 server_tokens off;
@@ -38,8 +39,17 @@ http {
 include mime.types;
 default_type application/octet-stream;
- # Update charset_types due to updated mime.types
- charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
+ # Update charset_types to match updated mime.types.
+ # text/html is always included by charset module.
+ # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
+ charset_types
+ text/css
+ text/plain
+ text/vnd.wap.wml
+ application/javascript
+ application/json
+ application/rss+xml
+ application/xml;
 # Format to use in log files
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
diff --git a/util/Nginx/proxy.conf b/util/Nginx/proxy.conf
new file mode 100644
index 0000000000..9b6ce6b7db
--- /dev/null
+++ b/util/Nginx/proxy.conf
@@ -0,0 +1,12 @@
+proxy_redirect off;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Url-Scheme $scheme;
+proxy_set_header X-Forwarded-Proto $scheme;
+client_max_body_size 105m;
+client_body_buffer_size 128k;
+proxy_connect_timeout 90;
+proxy_send_timeout 90;
+proxy_read_timeout 90;
+proxy_buffers 32 4k;
diff --git a/util/Setup/Program.cs b/util/Setup/Program.cs
index 79425596ec..d90ee4e9d9 100644
--- a/util/Setup/Program.cs
+++ b/util/Setup/Program.cs
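Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever X-Forwarded-For the client already sent, so with this nginx as the first hop (the generated default.conf in util/Setup/Program.cs has it listening on 80/443) the leftmost entry in that header is client-controlled and any upstream that takes the client IP from the front of the list can be fed an arbitrary address. If the upstreams are not behind a further trusted proxy, `proxy_set_header X-Forwarded-For $remote_addr;` drops the client-supplied values; otherwise a comment here should state that consumers must use `X-Real-IP` or the rightmost entry. Moving these directives to http scope via `include proxy.conf;` also means any location that later declares even one `proxy_set_header` of its own stops inheriting all of them (nginx inherits the set only when the lower level defines none), so a header comment such as `# Inherited by every location; a location that sets any proxy_set_header must repeat all of these.` would prevent silently losing `Host` and the forwarding headers.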
@@ -249,122 +249,97 @@ namespace Setup using(var sw = File.CreateText("/bitwarden/nginx/default.conf")) { sw.WriteLine($@"server {{ - listen 80 default_server; - listen [::]:80 default_server; - server_name {_domain};"); + listen 80 default_server; + listen [::]:80 default_server; + server_name {_domain};"); if(_ssl) { - sw.WriteLine($@" return 301 https://$server_name$request_uri; + sw.WriteLine($@" return 301 https://$server_name$request_uri; }} server {{ - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name {_domain}; + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {_domain}; - ssl_certificate {sslPath}/{certFile}; - ssl_certificate_key {sslPath}/{keyFile}; - - ssl_session_timeout 30m; - ssl_session_cache shared:SSL:20m; - ssl_session_tickets off;"); + ssl_certificate {sslPath}/{certFile}; + ssl_certificate_key {sslPath}/{keyFile}; + + ssl_session_timeout 30m; + ssl_session_cache shared:SSL:20m; + ssl_session_tickets off;"); if(dh) { sw.WriteLine($@" - # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits - ssl_dhparam {sslPath}/dhparam.pem;"); + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + ssl_dhparam {sslPath}/dhparam.pem;"); } sw.WriteLine($@" - # SSL protocols TLS v1~TLSv1.2 are allowed. Disabed SSLv3 - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - # Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK - ssl_ciphers ""{sslCiphers}""; - # enables server-side protection from BEAST attacks - ssl_prefer_server_ciphers on;"); + # SSL protocols TLS v1~TLSv1.2 are allowed. Disabed SSLv3 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + # Disabled insecure ciphers suite. 
For example, MD5, DES, RC4, PSK + ssl_ciphers ""{sslCiphers}""; + # enables server-side protection from BEAST attacks + ssl_prefer_server_ciphers on;"); if(trusted) { sw.WriteLine($@" - # OCSP Stapling --- - # fetch OCSP records from URL in ssl_certificate and cache them - ssl_stapling on; - ssl_stapling_verify on; + # OCSP Stapling --- + # fetch OCSP records from URL in ssl_certificate and cache them + ssl_stapling on; + ssl_stapling_verify on; - ## verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate {sslPath}/{caFile}; + ## verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate {sslPath}/{caFile}; - resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s; + resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s; - # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age - add_header Strict-Transport-Security max-age=15768000;"); + # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age + add_header Strict-Transport-Security max-age=15768000;"); } } sw.WriteLine($@" - # X-Frame-Options is to prevent from clickJacking attack - add_header X-Frame-Options SAMEORIGIN; + # X-Frame-Options is to prevent from clickJacking attack + add_header X-Frame-Options SAMEORIGIN; - # disable content-type sniffing on some browsers. - add_header X-Content-Type-Options nosniff; + # disable content-type sniffing on some browsers. 
+ add_header X-Content-Type-Options nosniff; - # This header enables the Cross-site scripting (XSS) filter - add_header X-XSS-Protection ""1; mode=block""; + # This header enables the Cross-site scripting (XSS) filter + add_header X-XSS-Protection ""1; mode=block""; - # This header controls what referrer information is shared - add_header Referrer-Policy same-origin; + # This header controls what referrer information is shared + add_header Referrer-Policy same-origin; - # Content-Security-Policy is set via meta tag on the website so it is not included here"); + # Content-Security-Policy is set via meta tag on the website so it is not included here"); sw.WriteLine($@" - location / {{ - proxy_pass http://web/; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Url-Scheme $scheme; - proxy_redirect off; - }} + location / {{ + proxy_pass http://web/; + }} - location = /app-id.json {{ - proxy_pass http://web/app-id.json; - proxy_hide_header Content-Type; - add_header Content-Type $fido_content_type; - proxy_redirect off; - }} + location = /app-id.json {{ + proxy_pass http://web/app-id.json; + proxy_hide_header Content-Type; + add_header Content-Type $fido_content_type; + }} - location /attachments/ {{ - proxy_pass http://attachments/; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Url-Scheme $scheme; - proxy_redirect off; - }} + location /attachments/ {{ + proxy_pass http://attachments/; + }} - location /api/ {{ - proxy_pass http://api/; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Url-Scheme $scheme; - 
proxy_redirect off; - }} + location /api/ {{ + proxy_pass http://api/; + }} - location /identity/ {{ - proxy_pass http://identity/; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Url-Scheme $scheme; - proxy_redirect off; - }} + location /identity/ {{ + proxy_pass http://identity/; + }} }}"); } }
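Review bot: In the rewritten `location = /app-id.json` block the line `add_header Content-Type $fido_content_type;` makes nginx drop every server-level `add_header` for that response (the set is inherited only when the location defines none), so X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy and, when `trusted`, Strict-Transport-Security are not sent on /app-id.json; the commit only reindents this block, so the gap survives it. The fix is to repeat the security headers inside that location, with the HSTS line emitted under the same `_ssl && trusted` condition the server block uses (this assumes `trusted` is a method-scope local; it is only visible inside `if(_ssl)` in this hunk). Separately, the reindented `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which are deprecated; unless legacy clients are a requirement, `ssl_protocols TLSv1.2;` would be the safer default, and the comment above it misspells "Disabled". The enclosing method begins before this hunk.
```csharp
// … unchanged: server-level add_header block and location / …
            var hsts = _ssl && trusted ? "add_header Strict-Transport-Security max-age=15768000;" : string.Empty;
            sw.WriteLine($@"
    location = /app-id.json {{
        proxy_pass http://web/app-id.json;
        proxy_hide_header Content-Type;
        add_header Content-Type $fido_content_type;
        # add_header is not inherited once a location declares its own, so repeat the security headers here.
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection ""1; mode=block"";
        add_header Referrer-Policy same-origin;
        {hsts}
    }}");
// … unchanged: remaining location blocks …
```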