bitwarden-server/util/Setup/NginxConfigBuilder.cs

using System;
using System.IO;

namespace Bit.Setup
{
    public class NginxConfigBuilder
    {
        private const string ConfFile = "/bitwarden/nginx/default.conf";
        private const string SslCiphers =
            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:" +
            "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" +
            "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
        private const string ContentSecurityPolicy =
            "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
            "img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
            "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
            "connect-src 'self' wss://{0} https://haveibeenpwned.com https://api.pwnedpasswords.com;";

        public NginxConfigBuilder(string domain, string url, bool ssl, bool selfSignedSsl, bool letsEncrypt,
            bool trusted, bool diffieHellman)
        {
            Domain = domain;
            Url = url;
            Ssl = ssl;
            SelfSignedSsl = selfSignedSsl;
            LetsEncrypt = letsEncrypt;
            Trusted = trusted;
            DiffieHellman = diffieHellman;
        }

        public NginxConfigBuilder(string domain, string url)
        {
            Domain = domain;
            Url = url;
        }

        public bool Ssl { get; private set; }
        public bool SelfSignedSsl { get; private set; }
        public bool LetsEncrypt { get; private set; }
        public string Domain { get; private set; }
        public string Url { get; private set; }
        public bool DiffieHellman { get; private set; }
        public bool Trusted { get; private set; }

        public void BuildForInstaller()
        {
            Build();
        }

        public void BuildForUpdater()
        {
            if(File.Exists(ConfFile))
            {
                var confContent = File.ReadAllText(ConfFile);
                Ssl = confContent.Contains("ssl http2;");
                SelfSignedSsl = confContent.Contains("/etc/ssl/self/");
                LetsEncrypt = !SelfSignedSsl && confContent.Contains("/etc/letsencrypt/live/");
                DiffieHellman = confContent.Contains("/dhparam.pem;");
                Trusted = confContent.Contains("ssl_trusted_certificate ");
            }

            Build();
        }

        private void Build()
        {
            Directory.CreateDirectory("/bitwarden/nginx/");

            var sslPath = LetsEncrypt ? $"/etc/letsencrypt/live/{Domain}" :
                SelfSignedSsl ? $"/etc/ssl/self/{Domain}" : $"/etc/ssl/{Domain}";
            var certFile = LetsEncrypt ? "fullchain.pem" : "certificate.crt";
            var keyFile = LetsEncrypt ? "privkey.pem" : "private.key";
            var caFile = LetsEncrypt ? "fullchain.pem" : "ca.crt";

            Console.WriteLine("Building nginx config.");
            using(var sw = File.CreateText(ConfFile))
            {
                sw.WriteLine($@"# Config Parameters
# Parameter:Ssl={Ssl}
# Parameter:SelfSignedSsl={SelfSignedSsl}
# Parameter:LetsEncrypt={LetsEncrypt}
# Parameter:Domain={Domain}
# Parameter:Url={Url}
# Parameter:DiffieHellman={DiffieHellman}
# Parameter:Trusted={Trusted}

server {{
  listen 8080 default_server;
  listen [::]:8080 default_server;
  server_name {Domain};");

                if(Ssl)
                {
                    sw.WriteLine($@"  return 301 {Url}$request_uri;
}}

server {{
  listen 8443 ssl http2;
  listen [::]:8443 ssl http2;
  server_name {Domain};

  ssl_certificate {sslPath}/{certFile};
  ssl_certificate_key {sslPath}/{keyFile};

  ssl_session_timeout 30m;
  ssl_session_cache shared:SSL:20m;
  ssl_session_tickets off;");

                    if(DiffieHellman)
                    {
                        sw.WriteLine($@"
  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  ssl_dhparam {sslPath}/dhparam.pem;");
                    }

                    sw.WriteLine($@"
  # SSL protocol TLSv1.2 is allowed. Disabled SSLv3, TLSv1, and TLSv1.1
  ssl_protocols TLSv1.2;
  # Enable most secure cipher suites only.
  ssl_ciphers ""{SslCiphers}"";
  # Enables server-side protection from BEAST attacks
  ssl_prefer_server_ciphers on;");

                    if(Trusted)
                    {
                        sw.WriteLine($@"
  # OCSP Stapling ---
  # Fetch OCSP records from URL in ssl_certificate and cache them
  ssl_stapling on;
  ssl_stapling_verify on;

  # Verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate {sslPath}/{caFile};

  resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;

  # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
  add_header Strict-Transport-Security max-age=15768000;");
                    }
                }

                sw.WriteLine($@"
  location / {{
    proxy_pass http://web:5000/;
    # Security headers
    #add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection ""1; mode=block"";
    add_header Referrer-Policy same-origin;
    add_header Content-Security-Policy ""{string.Format(ContentSecurityPolicy, Domain)}"";
  }}

  location = /app-id.json {{
    proxy_pass http://web:5000/app-id.json;
    proxy_hide_header Content-Type;
    add_header Content-Type $fido_content_type;
  }}

  location /attachments/ {{
    proxy_pass http://attachments:5000/;
  }}

  location /api/ {{
    proxy_pass http://api:5000/;
  }}

  location /identity/ {{
    proxy_pass http://identity:5000/;
  }}

  location /icons/ {{
    proxy_pass http://icons:5000/;
  }}

  location /notifications/ {{
    proxy_pass http://notifications:5000/;
  }}

  location /notifications/hub {{
    proxy_pass http://notifications:5000/;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
  }}

  location /admin {{
    proxy_pass http://admin:5000;
  }}
}}");
            }
        }
    }
}
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								using System;
 								using System.IO;
 								namespace Bit.Setup
 								{
 								    public class NginxConfigBuilder
 								    {
-												move cert questions up

											
										
										
											2018-03-29 19:43:52 +02:00
+								        private const string ConfFile = "/bitwarden/nginx/default.conf";
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        private const string SslCiphers =
-												update ssl ciphers to mozilla recommendations

											
										
										
											2018-08-14 14:42:01 +02:00
+								            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:" +
 								            "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" +
 								            "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
-												csp header on nginx

											
										
										
											2018-07-19 05:06:25 +02:00
+								        private const string ContentSecurityPolicy =
-												allow gravatar in CSP

											
										
										
											2018-07-31 05:56:09 +02:00
+								            "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
 								            "img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
-												csp header on nginx

											
										
										
											2018-07-19 05:06:25 +02:00
+								            "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
-												add websockets to CSP

											
										
										
											2018-08-21 17:54:03 +02:00
+								            "connect-src 'self' wss://{0} https://haveibeenpwned.com https://api.pwnedpasswords.com;";
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
-												move cert questions up

											
										
										
											2018-03-29 19:43:52 +02:00
+								        public NginxConfigBuilder(string domain, string url, bool ssl, bool selfSignedSsl, bool letsEncrypt,
 								            bool trusted, bool diffieHellman)
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        {
 								            Domain = domain;
-												proper http->https redirect with custom ports

											
										
										
											2017-11-08 04:35:36 +01:00
+								            Url = url;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								            Ssl = ssl;
 								            SelfSignedSsl = selfSignedSsl;
 								            LetsEncrypt = letsEncrypt;
-												move cert questions up

											
										
										
											2018-03-29 19:43:52 +02:00
+								            Trusted = trusted;
 								            DiffieHellman = diffieHellman;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        }
-												proper http->https redirect with custom ports

											
										
										
											2017-11-08 04:35:36 +01:00
+								        public NginxConfigBuilder(string domain, string url)
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        {
 								            Domain = domain;
-												proper http->https redirect with custom ports

											
										
										
											2017-11-08 04:35:36 +01:00
+								            Url = url;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        }
 								        public bool Ssl { get; private set; }
 								        public bool SelfSignedSsl { get; private set; }
 								        public bool LetsEncrypt { get; private set; }
 								        public string Domain { get; private set; }
-												proper http->https redirect with custom ports

											
										
										
											2017-11-08 04:35:36 +01:00
+								        public string Url { get; private set; }
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        public bool DiffieHellman { get; private set; }
 								        public bool Trusted { get; private set; }
 								        public void BuildForInstaller()
 								        {
-												cert builder

											
										
										
											2017-10-24 14:45:48 +02:00
+								            Build();
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        }
 								        public void BuildForUpdater()
 								        {
-												move cert questions up

											
										
										
											2018-03-29 19:43:52 +02:00
+								            if(File.Exists(ConfFile))
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								            {
-												move cert questions up

											
										
										
											2018-03-29 19:43:52 +02:00
+								                var confContent = File.ReadAllText(ConfFile);
 								                Ssl = confContent.Contains("ssl http2;");
-												build docker compose and allow custom ports

											
										
										
											2017-11-06 23:28:02 +01:00
+								                SelfSignedSsl = confContent.Contains("/etc/ssl/self/");
 								                LetsEncrypt = !SelfSignedSsl && confContent.Contains("/etc/letsencrypt/live/");
 								                DiffieHellman = confContent.Contains("/dhparam.pem;");
 								                Trusted = confContent.Contains("ssl_trusted_certificate ");
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								            }
-												build docker compose and allow custom ports

											
										
										
											2017-11-06 23:28:02 +01:00
+								            Build();
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        }
-												cert builder

											
										
										
											2017-10-24 14:45:48 +02:00
+								        private void Build()
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        {
 								            Directory.CreateDirectory("/bitwarden/nginx/");
 								            var sslPath = LetsEncrypt ? $"/etc/letsencrypt/live/{Domain}" :
 								                SelfSignedSsl ? $"/etc/ssl/self/{Domain}" : $"/etc/ssl/{Domain}";
 								            var certFile = LetsEncrypt ? "fullchain.pem" : "certificate.crt";
 								            var keyFile = LetsEncrypt ? "privkey.pem" : "private.key";
 								            var caFile = LetsEncrypt ? "fullchain.pem" : "ca.crt";
 								            Console.WriteLine("Building nginx config.");
-												move cert questions up

											
										
										
											2018-03-29 19:43:52 +02:00
+								            using(var sw = File.CreateText(ConfFile))
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								            {
 								                sw.WriteLine($@"# Config Parameters
 								# Parameter:Ssl={Ssl}
 								# Parameter:SelfSignedSsl={SelfSignedSsl}
 								# Parameter:LetsEncrypt={LetsEncrypt}
 								# Parameter:Domain={Domain}
-												proper http->https redirect with custom ports

											
										
										
											2017-11-08 04:35:36 +01:00
+								# Parameter:Url={Url}
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								# Parameter:DiffieHellman={DiffieHellman}
 								# Parameter:Trusted={Trusted}
 								server {{
-												docker as non-root

											
										
										
											2018-03-26 17:21:03 +02:00
+								  listen 8080 default_server;
 								  listen [::]:8080 default_server;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								  server_name {Domain};");
 								                if(Ssl)
 								                {
-												remove extra $

											
										
										
											2017-11-08 04:45:01 +01:00
+								                    sw.WriteLine($@"  return 301 {Url}$request_uri;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								}}
 								server {{
-												ssl mapped to 8443

											
										
										
											2018-03-29 19:53:39 +02:00
+								  listen 8443 ssl http2;
 								  listen [::]:8443 ssl http2;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								  server_name {Domain};
 								  ssl_certificate {sslPath}/{certFile};
 								  ssl_certificate_key {sslPath}/{keyFile};
 								  ssl_session_timeout 30m;
 								  ssl_session_cache shared:SSL:20m;
 								  ssl_session_tickets off;");
 								                    if(DiffieHellman)
 								                    {
 								                        sw.WriteLine($@"
 								  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 								  ssl_dhparam {sslPath}/dhparam.pem;");
 								                    }
 								                    sw.WriteLine($@"
-												update ssl ciphers to mozilla recommendations

											
										
										
											2018-08-14 14:42:01 +02:00
+								  # SSL protocol TLSv1.2 is allowed. Disabled SSLv3, TLSv1, and TLSv1.1
-												Hardening nginx, allow TLSv1.2 with the most secure cipher suites only (#340)

* Hardening nginx, allow TLSv1.2 with the most secure cipher suites only

* Ciphers added to allow more browsers to connect

											
										
										
											2018-08-14 14:37:24 +02:00
+								  ssl_protocols TLSv1.2;
 								  # Enable most secure cipher suites only.
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								  ssl_ciphers ""{SslCiphers}"";
-												Comment capitalization

											
										
										
											2018-03-29 21:41:27 +02:00
+								  # Enables server-side protection from BEAST attacks
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								  ssl_prefer_server_ciphers on;");
 								                    if(Trusted)
 								                    {
 								                        sw.WriteLine($@"
 								  # OCSP Stapling ---
-												Comment capitalization

											
										
										
											2018-03-29 21:41:27 +02:00
+								  # Fetch OCSP records from URL in ssl_certificate and cache them
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								  ssl_stapling on;
 								  ssl_stapling_verify on;
-												Comment capitalization

											
										
										
											2018-03-29 21:41:27 +02:00
+								  # Verify chain of trust of OCSP response using Root CA and Intermediate certs
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								  ssl_trusted_certificate {sslPath}/{caFile};
 								  resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
 								  # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
 								  add_header Strict-Transport-Security max-age=15768000;");
 								                    }
 								                }
 								                sw.WriteLine($@"
 								  location / {{
-												docker as non-root

											
										
										
											2018-03-26 17:21:03 +02:00
+								    proxy_pass http://web:5000/;
-												move all security headers to web vault location

											
										
										
											2018-07-20 20:13:24 +02:00
+								    # Security headers
 								    #add_header X-Frame-Options SAMEORIGIN;
 								    add_header X-Content-Type-Options nosniff;
 								    add_header X-XSS-Protection ""1; mode=block"";
 								    add_header Referrer-Policy same-origin;
-												add websockets to CSP

											
										
										
											2018-08-21 17:54:03 +02:00
+								    add_header Content-Security-Policy ""{string.Format(ContentSecurityPolicy, Domain)}"";
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								  }}
 								  location = /app-id.json {{
-												docker as non-root

											
										
										
											2018-03-26 17:21:03 +02:00
+								    proxy_pass http://web:5000/app-id.json;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								    proxy_hide_header Content-Type;
 								    add_header Content-Type $fido_content_type;
 								  }}
 								  location /attachments/ {{
-												docker as non-root

											
										
										
											2018-03-26 17:21:03 +02:00
+								    proxy_pass http://attachments:5000/;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								  }}
 								  location /api/ {{
-												docker as non-root

											
										
										
											2018-03-26 17:21:03 +02:00
+								    proxy_pass http://api:5000/;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								  }}
 								  location /identity/ {{
-												docker as non-root

											
										
										
											2018-03-26 17:21:03 +02:00
+								    proxy_pass http://identity:5000/;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								  }}
 								  location /icons/ {{
-												docker as non-root

											
										
										
											2018-03-26 17:21:03 +02:00
+								    proxy_pass http://icons:5000/;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								  }}
-												add docker build for admin

											
										
										
											2018-03-24 02:11:17 +01:00
-												build and include notifications docker

											
										
										
											2018-08-18 00:14:25 +02:00
+								  location /notifications/ {{
 								    proxy_pass http://notifications:5000/;
 								  }}
-												set connection header for signalr hub

											
										
										
											2018-08-21 18:12:33 +02:00
+								  location /notifications/hub {{
 								    proxy_pass http://notifications:5000/;
-												proxy headers for websockets

											
										
										
											2018-08-21 18:43:18 +02:00
+								    proxy_set_header Upgrade $http_upgrade;
-												set connection header for signalr hub

											
										
										
											2018-08-21 18:12:33 +02:00
+								    proxy_set_header Connection $http_connection;
 								  }}
-												build node assets and no trailing admin slash

											
										
										
											2018-03-25 06:16:26 +02:00
+								  location /admin {{
 								    proxy_pass http://admin:5000;
-												add docker build for admin

											
										
										
											2018-03-24 02:11:17 +01:00
+								  }}
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								}}");
 								            }
 								        }
 								    }
 								}