Commit Graph

66 Commits

Author SHA1 Message Date
Daniel Micay
d5ed786d2a add minimal Permissions Policy as a starting point 2022-10-17 22:27:09 -04:00
Daniel Micay
4f1aa5bceb increase resolver timeout 2022-10-12 16:30:25 -04:00
Daniel Micay
a1997d89c4 rename conn limit memory zone 2022-10-01 12:56:03 -04:00
Daniel Micay
06cd80873f use custom format for access log again 2022-09-27 10:27:36 -04:00
Daniel Micay
0e16b5798b reduce HTTP/2 chunk size to match TLS record size 2022-09-26 13:14:40 -04:00
Daniel Micay
9ed069073c use syslog (journald) for nginx access log 2022-09-25 14:18:13 -04:00
Daniel Micay
7b8a505d17 reduce keepalive requests 2022-09-24 11:53:02 -04:00
Daniel Micay
9cdf30c08c reduce connection limit to 128 2022-09-24 11:27:15 -04:00
Daniel Micay
0bcd3cdca3 reduce HTTP/2 concurrent streams to 16 2022-09-24 11:22:11 -04:00
Daniel Micay
46ca28258f reduce max client header buffer size 2022-09-24 11:11:01 -04:00
Daniel Micay
913cde9ff2 send X-Robots-Tag on errors too 2022-08-18 18:11:08 -04:00
Daniel Micay
a5c257d8a5 remove legacy Expect-CT header 2022-08-11 17:29:34 -04:00
Daniel Micay
fa61606984 add Origin-Agent-Cluster header 2022-07-30 20:13:28 -04:00
Daniel Micay
90d542e2f4 stop setting CORP header for synapse API for now 2022-07-13 13:04:46 -04:00
Daniel Micay
69b0ff7bb3 move nginx status API to socket 2022-07-02 12:38:33 -04:00
Daniel Micay
11579e87ca reduce proxy send timeout 2022-06-27 23:58:50 -04:00
Daniel Micay
12d81c7885 use standard GrapheneOS mime.types 2022-06-26 17:51:01 -04:00
Daniel Micay
30209020a7 raise expected nginx version 2022-06-10 19:40:32 -04:00
Daniel Micay
316a5c696b enable sendfile support again
There's a remaining issue fixed in mainline that's not fixed in the
current stable branch yet, but it doesn't apply unless HTTP/2 is being
used without encryption. Currently sendfile is only really used for the
backend proxy connections in practice due to TLS, and those are never
HTTP/2.
2022-05-03 19:10:31 -04:00
Daniel Micay
21059f1360 add resolver setup to baseline configuration 2022-05-02 04:10:42 -04:00
Daniel Micay
087c1a6349 disable traditional stateful TLS session cache
This is useless for TLSv1.3 since there's no longer any distinction in
the protocol based on whether the server is using stateless or stateful
session resumption. OpenSSL has a non-standard anti-replay mechanism for
0-RTT based on stateful session resumption but 0-RTT still ends up being
a downgrade for the TLS security properties. nginx disables that feature
since otherwise 0-RTT wouldn't work with the default stateless approach.

Since this cache is only used for TLSv1.2 when stateless resumption
isn't disabled and nearly all TLSv1.2 clients support tickets, it isn't
getting any significant use. It provides worse forward secrecy than
tickets because we implement ticket key rotation based on the expiry
time and sessions aren't actively purged from the stateful cache when
they expire. Cached session state varies in size and nginx ends up
writing errors to the log when clearing out a session fails to make room
for a new one due to it being larger. It's best to finally get rid of
this flawed approach to session resumption.

TLSv1.3 provides the option of forward secrecy for resumed sessions and
it's the only approach that's normally enabled so we don't need to worry
about this anymore once TLSv1.2 is disabled as long as we never enable
0-RTT which weakens forward secrecy and other security properties.
2022-04-30 22:53:43 -04:00
Daniel Micay
a703ab5d8c reduce proxy connect timeout 2022-04-18 10:26:47 -04:00
Daniel Micay
0a6c8e5c1f use IPv6 only for internal nginx status service 2022-04-17 13:15:36 -04:00
Daniel Micay
218927ac6e switch to certbot webroot plugin 2022-02-19 08:17:14 -05:00
Daniel Micay
548554be39 set charset in Content-Type header for CSS too 2021-12-10 05:57:45 -05:00
Daniel Micay
91cb36d7a0 disable legacy X-XSS-Protection feature 2021-12-10 04:31:03 -05:00
Daniel Micay
27934d8d58 set a max connection limit to synapse from nginx 2021-12-03 22:44:24 -05:00
Daniel Micay
cdcd278394 nginx: enable aio_write due to 1.20.2 AIO fix 2021-11-28 19:03:51 -05:00
Daniel Micay
a2bfaef2fc nginx: disable sendfile due to bugs with AIO 2021-11-28 19:01:38 -05:00
Daniel Micay
bfcc6b5958 nginx regex: don't capture groups unnecessarily 2021-11-23 20:00:41 -05:00
Daniel Micay
f945befca2 nginx: use syslog for error log 2021-09-07 08:05:23 -04:00
Daniel Micay
19222d2b0a add nginx modules symlink 2021-07-28 00:44:32 -04:00
Daniel Micay
a97dd92eb8 minor improvements to CSP 2021-07-22 00:12:22 -04:00
Daniel Micay
fa9de7b0e0 disable aio_write temporarily 2021-07-13 23:30:24 -04:00
Daniel Micay
faa1b0a270 permit frames fetching resources for Element CORP 2021-07-13 22:27:38 -04:00
Daniel Micay
e1d5caf206 raise file size limit to 100M 2021-07-13 22:27:12 -04:00
Daniel Micay
3e94c41567 remove unused pdf file extension 2021-07-07 04:41:08 -04:00
Daniel Micay
75e800cdab add wasm mime type 2021-07-06 14:13:18 -04:00
Daniel Micay
740b720285 enable brotli/gzip via precompression for Element 2021-07-06 13:53:00 -04:00
Daniel Micay
9074148b6e add gzip/brotli configuration for future use 2021-07-04 03:34:49 -04:00
Daniel Micay
c98929ea0d set manifest-src to 'self' for Element 2021-07-03 08:56:02 -04:00
Daniel Micay
b9adc72a0c remove duplicate Referrer-Policy headers 2021-07-02 11:13:24 -04:00
Daniel Micay
0e8b60b7fe enable AIO via thread pool 2021-06-30 23:17:25 -04:00
Daniel Micay
167c728852 set if_modified_since to more aggressive mode 2021-06-30 22:53:05 -04:00
Daniel Micay
b75070b85c match configuration format of other services 2021-06-29 06:12:19 -04:00
Daniel Micay
9d862cc58d set Referrer-Policy header 2021-06-29 06:07:54 -04:00
Daniel Micay
6d1669c3c2 pass through synapse CSP alongside static one 2021-06-29 06:05:12 -04:00
Daniel Micay
384f37a9f4 add font-src to CSP 2021-06-22 23:51:37 -04:00
Daniel Micay
1cf2da16c9 cleaner nginx status monitoring configuration 2021-06-22 23:43:32 -04:00
Daniel Micay
d4e4cca682 set security headers on error responses too 2021-06-18 20:22:34 -04:00