diff options
| -rw-r--r-- | installation/caddyfile-pleroma.example | 2 | ||||
| -rw-r--r-- | installation/pleroma-apache.conf | 20 | ||||
| -rw-r--r-- | installation/pleroma.nginx | 12 |
3 files changed, 18 insertions, 16 deletions
diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example index 2c1efde2d..d74eb82b6 100644 --- a/installation/caddyfile-pleroma.example +++ b/installation/caddyfile-pleroma.example @@ -22,7 +22,7 @@ social.domain.tld { Referrer-Policy "same-origin" Strict-Transport-Security "max-age=31536000; includeSubDomains;" Expect-CT "enforce, max-age=2592000" - Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://social.domain.tld; upgrade-insecure-requests;" + Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://{host}; upgrade-insecure-requests;" } # If you do not want remote frontends to be able to access your Pleroma backend server, remove these lines. diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf index 992c0c900..6174c85c0 100644 --- a/installation/pleroma-apache.conf +++ b/installation/pleroma-apache.conf @@ -1,24 +1,26 @@ #Example configuration for when Apache httpd and Pleroma are on the same host. -#Needed modules: headers proxy proxy_http proxy_wstunnel rewrite ssl +#Needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl #This assumes a Debian style Apache config. Put this in /etc/apache2/sites-available #Install your TLS certificate, possibly using Let's Encrypt. #Replace 'pleroma.example.com' with your instance's domain wherever it appears -ServerName pleroma.example.com +Define servername pleroma.example.com + +ServerName ${servername} ServerTokens Prod ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined <VirtualHost *:80> - Redirect permanent / https://pleroma.example.com + Redirect permanent / https://${servername} </VirtualHost> <VirtualHost *:443> SSLEngine on - SSLCertificateFile /etc/letsencrypt/live/pleroma.example.com/cert.pem - SSLCertificateKeyFile /etc/letsencrypt/live/pleroma.example.com/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/pleroma.example.com/fullchain.pem + SSLCertificateFile /etc/letsencrypt/live/${servername}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/${servername}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/${servername}/fullchain.pem # Mozilla modern configuration, tweak to your needs SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 @@ -31,7 +33,7 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined Header always set X-Frame-Options "DENY" Header always set X-Content-Type-Options "nosniff" Header always set Referrer-Policy same-origin - Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://pleroma.example.tld; upgrade-insecure-requests;" + Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://${servername}; upgrade-insecure-requests;" # Uncomment this only after you get HTTPS working. # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" @@ -45,7 +47,7 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined ProxyPass / http://localhost:4000/ ProxyPassReverse / http://localhost:4000/ - RequestHeader set Host "pleroma.example.com" + RequestHeader set Host ${servername} ProxyPreserveHost On </VirtualHost> @@ -53,4 +55,4 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off -SSLStaplingCache shmcb:/var/run/ocsp(128000)
\ No newline at end of file +SSLStaplingCache shmcb:/var/run/ocsp(128000) diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index f648336ca..94db8d685 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx @@ -31,9 +31,9 @@ server { listen 443 ssl http2; ssl_session_timeout 5m; - ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; - ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/$server_name/fullchain.pem; + ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem; # Add TLSv1.0 to support older devices ssl_protocols TLSv1.2; @@ -46,7 +46,7 @@ server { ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; ssl_stapling on; ssl_stapling_verify on; - + server_name example.tld; gzip_vary on; @@ -77,8 +77,8 @@ server { add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "same-origin" always; add_header X-Download-Options "noopen" always; - add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action *; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://example.tld; upgrade-insecure-requests;" always; - + add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action *; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://$server_name; upgrade-insecure-requests;" always; + # Uncomment this only after you get HTTPS working. # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; |