2017-10-24 04:45:59 +02:00
|
|
|
|
using System;
|
|
|
|
|
using System.IO;
|
|
|
|
|
|
|
|
|
|
namespace Bit.Setup
|
|
|
|
|
{
|
|
|
|
|
public class NginxConfigBuilder
|
|
|
|
|
{
|
2018-03-29 19:43:52 +02:00
|
|
|
|
private const string ConfFile = "/bitwarden/nginx/default.conf";
|
2017-10-24 04:45:59 +02:00
|
|
|
|
private const string SslCiphers =
|
|
|
|
|
"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:" +
|
|
|
|
|
"DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:" +
|
|
|
|
|
"ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:" +
|
2018-03-08 23:31:51 +01:00
|
|
|
|
"ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:" +
|
|
|
|
|
"AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
|
2018-07-19 05:06:25 +02:00
|
|
|
|
private const string ContentSecurityPolicy =
|
|
|
|
|
"default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; " +
|
|
|
|
|
"child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
|
|
|
|
|
"connect-src 'self' https://haveibeenpwned.com https://api.pwnedpasswords.com;";
|
2017-10-24 04:45:59 +02:00
|
|
|
|
|
2018-03-29 19:43:52 +02:00
|
|
|
|
public NginxConfigBuilder(string domain, string url, bool ssl, bool selfSignedSsl, bool letsEncrypt,
|
|
|
|
|
bool trusted, bool diffieHellman)
|
2017-10-24 04:45:59 +02:00
|
|
|
|
{
|
|
|
|
|
Domain = domain;
|
2017-11-08 04:35:36 +01:00
|
|
|
|
Url = url;
|
2017-10-24 04:45:59 +02:00
|
|
|
|
Ssl = ssl;
|
|
|
|
|
SelfSignedSsl = selfSignedSsl;
|
|
|
|
|
LetsEncrypt = letsEncrypt;
|
2018-03-29 19:43:52 +02:00
|
|
|
|
Trusted = trusted;
|
|
|
|
|
DiffieHellman = diffieHellman;
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}
|
|
|
|
|
|
2017-11-08 04:35:36 +01:00
|
|
|
|
public NginxConfigBuilder(string domain, string url)
|
2017-10-24 04:45:59 +02:00
|
|
|
|
{
|
|
|
|
|
Domain = domain;
|
2017-11-08 04:35:36 +01:00
|
|
|
|
Url = url;
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public bool Ssl { get; private set; }
|
|
|
|
|
public bool SelfSignedSsl { get; private set; }
|
|
|
|
|
public bool LetsEncrypt { get; private set; }
|
|
|
|
|
public string Domain { get; private set; }
|
2017-11-08 04:35:36 +01:00
|
|
|
|
public string Url { get; private set; }
|
2017-10-24 04:45:59 +02:00
|
|
|
|
public bool DiffieHellman { get; private set; }
|
|
|
|
|
public bool Trusted { get; private set; }
|
|
|
|
|
|
|
|
|
|
public void BuildForInstaller()
|
|
|
|
|
{
|
2017-10-24 14:45:48 +02:00
|
|
|
|
Build();
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void BuildForUpdater()
|
|
|
|
|
{
|
2018-03-29 19:43:52 +02:00
|
|
|
|
if(File.Exists(ConfFile))
|
2017-10-24 04:45:59 +02:00
|
|
|
|
{
|
2018-03-29 19:43:52 +02:00
|
|
|
|
var confContent = File.ReadAllText(ConfFile);
|
|
|
|
|
Ssl = confContent.Contains("ssl http2;");
|
2017-11-06 23:28:02 +01:00
|
|
|
|
SelfSignedSsl = confContent.Contains("/etc/ssl/self/");
|
|
|
|
|
LetsEncrypt = !SelfSignedSsl && confContent.Contains("/etc/letsencrypt/live/");
|
|
|
|
|
DiffieHellman = confContent.Contains("/dhparam.pem;");
|
|
|
|
|
Trusted = confContent.Contains("ssl_trusted_certificate ");
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}
|
|
|
|
|
|
2017-11-06 23:28:02 +01:00
|
|
|
|
Build();
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}
|
|
|
|
|
|
2017-10-24 14:45:48 +02:00
|
|
|
|
private void Build()
|
2017-10-24 04:45:59 +02:00
|
|
|
|
{
|
|
|
|
|
Directory.CreateDirectory("/bitwarden/nginx/");
|
|
|
|
|
|
|
|
|
|
var sslPath = LetsEncrypt ? $"/etc/letsencrypt/live/{Domain}" :
|
|
|
|
|
SelfSignedSsl ? $"/etc/ssl/self/{Domain}" : $"/etc/ssl/{Domain}";
|
|
|
|
|
var certFile = LetsEncrypt ? "fullchain.pem" : "certificate.crt";
|
|
|
|
|
var keyFile = LetsEncrypt ? "privkey.pem" : "private.key";
|
|
|
|
|
var caFile = LetsEncrypt ? "fullchain.pem" : "ca.crt";
|
|
|
|
|
|
|
|
|
|
Console.WriteLine("Building nginx config.");
|
2018-03-29 19:43:52 +02:00
|
|
|
|
using(var sw = File.CreateText(ConfFile))
|
2017-10-24 04:45:59 +02:00
|
|
|
|
{
|
|
|
|
|
sw.WriteLine($@"# Config Parameters
|
|
|
|
|
# Parameter:Ssl={Ssl}
|
|
|
|
|
# Parameter:SelfSignedSsl={SelfSignedSsl}
|
|
|
|
|
# Parameter:LetsEncrypt={LetsEncrypt}
|
|
|
|
|
# Parameter:Domain={Domain}
|
2017-11-08 04:35:36 +01:00
|
|
|
|
# Parameter:Url={Url}
|
2017-10-24 04:45:59 +02:00
|
|
|
|
# Parameter:DiffieHellman={DiffieHellman}
|
|
|
|
|
# Parameter:Trusted={Trusted}
|
|
|
|
|
|
|
|
|
|
server {{
|
2018-03-26 17:21:03 +02:00
|
|
|
|
listen 8080 default_server;
|
|
|
|
|
listen [::]:8080 default_server;
|
2017-10-24 04:45:59 +02:00
|
|
|
|
server_name {Domain};");
|
|
|
|
|
|
|
|
|
|
if(Ssl)
|
|
|
|
|
{
|
2017-11-08 04:45:01 +01:00
|
|
|
|
sw.WriteLine($@" return 301 {Url}$request_uri;
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}}
|
|
|
|
|
|
|
|
|
|
server {{
|
2018-03-29 19:53:39 +02:00
|
|
|
|
listen 8443 ssl http2;
|
|
|
|
|
listen [::]:8443 ssl http2;
|
2017-10-24 04:45:59 +02:00
|
|
|
|
server_name {Domain};
|
|
|
|
|
|
|
|
|
|
ssl_certificate {sslPath}/{certFile};
|
|
|
|
|
ssl_certificate_key {sslPath}/{keyFile};
|
|
|
|
|
|
|
|
|
|
ssl_session_timeout 30m;
|
|
|
|
|
ssl_session_cache shared:SSL:20m;
|
|
|
|
|
ssl_session_tickets off;");
|
|
|
|
|
|
|
|
|
|
if(DiffieHellman)
|
|
|
|
|
{
|
|
|
|
|
sw.WriteLine($@"
|
|
|
|
|
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
|
|
|
|
|
ssl_dhparam {sslPath}/dhparam.pem;");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sw.WriteLine($@"
|
|
|
|
|
# SSL protocols TLS v1~TLSv1.2 are allowed. Disabed SSLv3
|
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
|
|
|
# Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK
|
|
|
|
|
ssl_ciphers ""{SslCiphers}"";
|
2018-03-29 21:41:27 +02:00
|
|
|
|
# Enables server-side protection from BEAST attacks
|
2017-10-24 04:45:59 +02:00
|
|
|
|
ssl_prefer_server_ciphers on;");
|
|
|
|
|
|
|
|
|
|
if(Trusted)
|
|
|
|
|
{
|
|
|
|
|
sw.WriteLine($@"
|
|
|
|
|
# OCSP Stapling ---
|
2018-03-29 21:41:27 +02:00
|
|
|
|
# Fetch OCSP records from URL in ssl_certificate and cache them
|
2017-10-24 04:45:59 +02:00
|
|
|
|
ssl_stapling on;
|
|
|
|
|
ssl_stapling_verify on;
|
|
|
|
|
|
2018-03-29 21:41:27 +02:00
|
|
|
|
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
|
2017-10-24 04:45:59 +02:00
|
|
|
|
ssl_trusted_certificate {sslPath}/{caFile};
|
|
|
|
|
|
|
|
|
|
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
|
|
|
|
|
|
|
|
|
|
# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
|
|
|
|
|
add_header Strict-Transport-Security max-age=15768000;");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sw.WriteLine($@"
|
|
|
|
|
location / {{
|
2018-03-26 17:21:03 +02:00
|
|
|
|
proxy_pass http://web:5000/;
|
2018-07-20 20:13:24 +02:00
|
|
|
|
# Security headers
|
|
|
|
|
#add_header X-Frame-Options SAMEORIGIN;
|
|
|
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
|
add_header X-XSS-Protection ""1; mode=block"";
|
|
|
|
|
add_header Referrer-Policy same-origin;
|
2018-07-20 20:11:20 +02:00
|
|
|
|
add_header Content-Security-Policy ""{ContentSecurityPolicy}"";
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}}
|
|
|
|
|
|
|
|
|
|
location = /app-id.json {{
|
2018-03-26 17:21:03 +02:00
|
|
|
|
proxy_pass http://web:5000/app-id.json;
|
2017-10-24 04:45:59 +02:00
|
|
|
|
proxy_hide_header Content-Type;
|
|
|
|
|
add_header Content-Type $fido_content_type;
|
|
|
|
|
}}
|
|
|
|
|
|
|
|
|
|
location /attachments/ {{
|
2018-03-26 17:21:03 +02:00
|
|
|
|
proxy_pass http://attachments:5000/;
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}}
|
|
|
|
|
|
|
|
|
|
location /api/ {{
|
2018-03-26 17:21:03 +02:00
|
|
|
|
proxy_pass http://api:5000/;
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}}
|
|
|
|
|
|
|
|
|
|
location /identity/ {{
|
2018-03-26 17:21:03 +02:00
|
|
|
|
proxy_pass http://identity:5000/;
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}}
|
|
|
|
|
|
|
|
|
|
location /icons/ {{
|
2018-03-26 17:21:03 +02:00
|
|
|
|
proxy_pass http://icons:5000/;
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}}
|
2018-03-24 02:11:17 +01:00
|
|
|
|
|
2018-03-25 06:16:26 +02:00
|
|
|
|
location /admin {{
|
|
|
|
|
proxy_pass http://admin:5000;
|
2018-03-24 02:11:17 +01:00
|
|
|
|
}}
|
2017-10-24 04:45:59 +02:00
|
|
|
|
}}");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|