From 56c49513e0f66fe6e40724c6b7f18c29263c77ca Mon Sep 17 00:00:00 2001
From: shibayashi
Date: Sat, 3 Nov 2018 23:41:37 +0100
Subject: [PATCH 1/4] Use the server name as variable

---
 installation/caddyfile-pleroma.example | 2 +-
 installation/pleroma-apache.conf | 20 +++++++++++---------
 installation/pleroma.nginx | 12 ++++++------
 3 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example
index 2c1efde2d..d74eb82b6 100644
--- a/installation/caddyfile-pleroma.example
+++ b/installation/caddyfile-pleroma.example
@@ -22,7 +22,7 @@ social.domain.tld {
         Referrer-Policy "same-origin"
         Strict-Transport-Security "max-age=31536000; includeSubDomains;"
         Expect-CT "enforce, max-age=2592000"
-        Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://social.domain.tld; upgrade-insecure-requests;"
+        Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://{host}; upgrade-insecure-requests;"
     }
 
     # If you do not want remote frontends to be able to access your Pleroma backend server, remove these lines.
diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf
index 992c0c900..6174c85c0 100644
--- a/installation/pleroma-apache.conf
+++ b/installation/pleroma-apache.conf
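Review bot: On the added Content-Security-Policy line, `{host}` is a Caddy request placeholder filled from the client's Host header rather than from the configured site label, so the `connect-src` value is now request-derived; the site block only matches its own label, which bounds it in practice, but it is not the same thing as `$server_name` in the nginx hunk of this patch, which is the configured name. If the label is later widened to a wildcard or to several hosts, the policy will follow whatever Host the client sent. A one-line comment above the header would make this explicit, e.g. `# {host} is taken from the request's Host header; the site label above limits which values can reach this policy`. The enclosing `header / {` block opens outside the hunk.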
@@ -1,24 +1,26 @@ #Example configuration for when Apache httpd and Pleroma are on the same host. -#Needed modules: headers proxy proxy_http proxy_wstunnel rewrite ssl +#Needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl #This assumes a Debian style Apache config. Put this in /etc/apache2/sites-available #Install your TLS certificate, possibly using Let's Encrypt. #Replace 'pleroma.example.com' with your instance's domain wherever it appears -ServerName pleroma.example.com +Define servername pleroma.example.com + +ServerName ${servername} ServerTokens Prod ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined - Redirect permanent / https://pleroma.example.com + Redirect permanent / https://${servername} SSLEngine on - SSLCertificateFile /etc/letsencrypt/live/pleroma.example.com/cert.pem - SSLCertificateKeyFile /etc/letsencrypt/live/pleroma.example.com/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/pleroma.example.com/fullchain.pem + SSLCertificateFile /etc/letsencrypt/live/${servername}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/${servername}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/${servername}/fullchain.pem # Mozilla modern configuration, tweak to your needs SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 
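Review bot: The changed `#Needed modules:` line adds `define` to the list, but `Define` is a core directive in httpd 2.4, not a loadable module, so `a2enmod define` has nothing to enable and a reader following the comment will hit an error; the same wording is carried into the rewritten header in the `@@ -1,8 +1,13 @@` hunk of patch 3. Suggested line: `#Needed modules: headers proxy proxy_http proxy_wstunnel rewrite ssl (Define is a core directive, httpd 2.4+)`. Separately, the rewritten `SSLCertificateChainFile` line points at `fullchain.pem`, which already contains the leaf certificate, so the leaf is likely sent twice in the handshake; `chain.pem` is the matching Let's Encrypt file, or on 2.4.8+ the directive can be dropped with `fullchain.pem` given to `SSLCertificateFile`. The `<VirtualHost>` container lines are not visible in this hunk as rendered, so the placement of the `Redirect` and `SSLEngine` context cannot be confirmed from the page.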
@@ -31,7 +33,7 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined Header always set X-Frame-Options "DENY" Header always set X-Content-Type-Options "nosniff" Header always set Referrer-Policy same-origin - Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://pleroma.example.tld; upgrade-insecure-requests;" + Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://${servername}; upgrade-insecure-requests;" # Uncomment this only after you get HTTPS working. # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" @@ -45,7 +47,7 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined ProxyPass / http://localhost:4000/ ProxyPassReverse / http://localhost:4000/ - RequestHeader set Host "pleroma.example.com" + RequestHeader set Host ${servername} ProxyPreserveHost On @@ -53,4 +55,4 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off -SSLStaplingCache shmcb:/var/run/ocsp(128000) \ No newline at end of file +SSLStaplingCache shmcb:/var/run/ocsp(128000) diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index f648336ca..94db8d685 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx 
@@ -31,9 +31,9 @@ server {
     listen 443 ssl http2;
     ssl_session_timeout 5m;
 
-    ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
-    ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem;
 
     # Add TLSv1.0 to support older devices
     ssl_protocols TLSv1.2;
@@ -46,7 +46,7 @@ server {
     ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
     ssl_stapling on;
     ssl_stapling_verify on;
-
+
     server_name example.tld;
 
     gzip_vary on;
@@ -77,8 +77,8 @@ server {
     add_header X-Content-Type-Options "nosniff" always;
     add_header Referrer-Policy "same-origin" always;
     add_header X-Download-Options "noopen" always;
-    add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action *; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://example.tld; upgrade-insecure-requests;" always;
-
+    add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action *; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://$server_name; upgrade-insecure-requests;" always;
+
     # Uncomment this only after you get HTTPS working.
     # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

From 732d3fce73122536beaddff0d97adc650655c1fe Mon Sep 17 00:00:00 2001
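Review bot: The three rewritten `ssl_certificate*` lines use `$server_name`, but nginx does not expand variables in these directives in the releases current when this was written (the path is taken literally; variable support was added later for `ssl_certificate`/`ssl_certificate_key` only and, as far as I know, never for `ssl_trusted_certificate`), so the configured path does not exist and nginx fails to load the certificates. Patch 4's `@@ -31,9 +31,9 @@` hunk restores the literal paths, which is the right outcome, but neither commit records why; a comment such as `# variables are not expanded in ssl_certificate paths, keep the literal domain` above those lines would stop the variable from being reintroduced. `$server_name` in `add_header` and `return` is fine, since those directives do take variables. The `server {` block starts outside the hunk.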
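Review bot: The rewritten `add_header Content-Security-Policy` line keeps `form-action *`, whereas the Caddy and Apache examples changed in this same patch use `form-action 'self'`; `*` allows forms served by the frontend to submit to any origin, so the three examples are not equivalent in what they permit. Unless the nginx example needs the wider value for a reason worth a comment, change it to `form-action 'self';` to match the other two. The `server {` block this line belongs to starts outside the hunk.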
From: shibayashi
Date: Sat, 3 Nov 2018 23:44:26 +0100
Subject: [PATCH 2/4] Use the same example domain in all config examples

---
 installation/caddyfile-pleroma.example | 8 ++++----
 installation/pleroma-apache.conf | 4 ++--
 installation/pleroma.nginx | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example
index d74eb82b6..41a7eaa72 100644
--- a/installation/caddyfile-pleroma.example
+++ b/installation/caddyfile-pleroma.example
@@ -1,4 +1,4 @@
-social.domain.tld {
+pleroma.example.tld {
     log /var/log/caddy/pleroma_access.log
     errors /var/log/caddy/pleroma_error.log
@@ -9,7 +9,7 @@ social.domain.tld {
         transparent
     }
 
-    tls user@domain.tld {
+    tls user@example.tld {
         # Remove the rest of the lines in here, if you want to support older devices
         key_type p256
         ciphers ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
@@ -29,8 +29,8 @@ social.domain.tld {
     # If you want to allow all origins access, remove the origin lines.
     # To use this directive, you need the http.cors plugin for Caddy.
     cors / {
-        origin https://halcyon.domain.tld
-        origin https://pinafore.domain.tld
+        origin https://halcyon.example.tld
+        origin https://pinafore.example.tld
         methods POST,PUT,DELETE,GET,PATCH,OPTIONS
         allowed_headers Authorization,Content-Type,Idempotency-Key
         exposed_headers Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id
diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf
index 6174c85c0..5fc04d69f 100644
--- a/installation/pleroma-apache.conf
+++ b/installation/pleroma-apache.conf
@@ -2,9 +2,9 @@
 #Needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl
 #This assumes a Debian style Apache config. Put this in /etc/apache2/sites-available
 #Install your TLS certificate, possibly using Let's Encrypt.
-#Replace 'pleroma.example.com' with your instance's domain wherever it appears
+#Replace 'pleroma.example.tld' with your instance's domain wherever it appears
 
-Define servername pleroma.example.com
+Define servername pleroma.example.tld
 
 ServerName ${servername}
 ServerTokens Prod
diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx
index 94db8d685..202e4a620 100644
--- a/installation/pleroma.nginx
+++ b/installation/pleroma.nginx
@@ -2,7 +2,7 @@
 #
 # Simple installation instructions:
 # 1. Install your TLS certificate, possibly using Let's Encrypt.
-# 2. Replace 'example.tld' with your instance's domain wherever it appears.
+# 2. Replace 'pleroma.example.tld' with your instance's domain wherever it appears.
 # 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
 # in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
@@ -10,8 +10,8 @@ proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cac
 inactive=720m use_temp_path=off;
 
 server {
+    server_name pleroma.example.tld;
     listen 80;
-    server_name example.tld;
     return 301 https://$server_name$request_uri;
 
     # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
@@ -47,7 +47,7 @@ server {
     ssl_stapling on;
     ssl_stapling_verify on;
 
-    server_name example.tld;
+    server_name pleroma.example.tld;
 
     gzip_vary on;
     gzip_proxied any;

From 941f9a888c1d08e0e5a158956e55439631748764 Mon Sep 17 00:00:00 2001
From: shibayashi
Date: Sat, 3 Nov 2018 23:59:52 +0100
Subject: [PATCH 3/4] Update instructions

---
 installation/caddyfile-pleroma.example | 8 +++++++-
 installation/pleroma-apache.conf | 15 ++++++++++-----
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example
index 41a7eaa72..f5ecf9d26 100644
--- a/installation/caddyfile-pleroma.example
+++ b/installation/caddyfile-pleroma.example
@@ -1,3 +1,9 @@
+# default Caddyfile config for Pleroma
+#
+# Simple installation instructions:
+# 1. Replace 'pleroma.example.tld' with your instance's domain wherever it appears.
+# 2. Copy this section into your Caddyfile and restart Caddy.
+
 pleroma.example.tld {
     log /var/log/caddy/pleroma_access.log
     errors /var/log/caddy/pleroma_error.log
@@ -9,7 +15,7 @@ pleroma.example.tld {
         transparent
     }
 
-    tls user@example.tld {
+    tls {
         # Remove the rest of the lines in here, if you want to support older devices
         key_type p256
         ciphers ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf
index 5fc04d69f..10918ed1f 100644
--- a/installation/pleroma-apache.conf
+++ b/installation/pleroma-apache.conf
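Review bot: Changing `tls user@example.tld {` to `tls {` drops the ACME contact address; with Caddy v1, as far as I recall, a `tls` block without an email makes Caddy prompt for one on first start unless the `-email`/`-agree` flags are given, and the ACME account otherwise has no contact for expiry or revocation notices. The instructions added in the first hunk of this file do not mention this, so an operator copying the section will either be stopped by the prompt or run without a contact. Either keep a placeholder on the line, `tls user@example.tld {`, or add a step to the instructions, e.g. `# 3. Put your e-mail address in the tls block (or pass -email to Caddy) so the ACME account has a contact.`. The rest of the `tls` block continues outside the hunk.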
@@ -1,8 +1,13 @@
-#Example configuration for when Apache httpd and Pleroma are on the same host.
-#Needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl
-#This assumes a Debian style Apache config. Put this in /etc/apache2/sites-available
-#Install your TLS certificate, possibly using Let's Encrypt.
-#Replace 'pleroma.example.tld' with your instance's domain wherever it appears
+# default Apache site config for Pleroma
+#
+# needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl
+#
+# Simple installation instructions:
+# 1. Install your TLS certificate, possibly using Let's Encrypt.
+# 2. Replace 'pleroma.example.tld' with your instance's domain wherever it appears.
+# 3. This assumes a Debian style Apache config. Copy this file to
+# /etc/apache2/sites-available/ and then add a symlink to it in
+# /etc/apache2/sites-enabled/ by running 'a2ensite pleroma-apache.conf', then restart Apache.
 
 Define servername pleroma.example.tld

From 800d233631c37f75d17ddc1fbad7ac0e44366b1a Mon Sep 17 00:00:00 2001
From: shibayashi
Date: Sun, 4 Nov 2018 14:06:18 +0100
Subject: [PATCH 4/4] Use example.tld so a single search and replace works

---
 installation/caddyfile-pleroma.example | 4 ++--
 installation/pleroma-apache.conf | 4 ++--
 installation/pleroma.nginx | 12 ++++++------
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example
index f5ecf9d26..305f2aa79 100644
--- a/installation/caddyfile-pleroma.example
+++ b/installation/caddyfile-pleroma.example
@@ -1,10 +1,10 @@
 # default Caddyfile config for Pleroma
 #
 # Simple installation instructions:
-# 1. Replace 'pleroma.example.tld' with your instance's domain wherever it appears.
+# 1. Replace 'example.tld' with your instance's domain wherever it appears.
 # 2. Copy this section into your Caddyfile and restart Caddy.
 
-pleroma.example.tld {
+example.tld {
     log /var/log/caddy/pleroma_access.log
     errors /var/log/caddy/pleroma_error.log
diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf
index 10918ed1f..fb777983e 100644
--- a/installation/pleroma-apache.conf
+++ b/installation/pleroma-apache.conf
@@ -4,12 +4,12 @@
 #
 # Simple installation instructions:
 # 1. Install your TLS certificate, possibly using Let's Encrypt.
-# 2. Replace 'pleroma.example.tld' with your instance's domain wherever it appears.
+# 2. Replace 'example.tld' with your instance's domain wherever it appears.
 # 3. This assumes a Debian style Apache config. Copy this file to
 # /etc/apache2/sites-available/ and then add a symlink to it in
 # /etc/apache2/sites-enabled/ by running 'a2ensite pleroma-apache.conf', then restart Apache.
 
-Define servername pleroma.example.tld
+Define servername example.tld
 
 ServerName ${servername}
 ServerTokens Prod
diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx
index 202e4a620..6dc2c9760 100644
--- a/installation/pleroma.nginx
+++ b/installation/pleroma.nginx
@@ -2,7 +2,7 @@
 #
 # Simple installation instructions:
 # 1. Install your TLS certificate, possibly using Let's Encrypt.
-# 2. Replace 'pleroma.example.tld' with your instance's domain wherever it appears.
+# 2. Replace 'example.tld' with your instance's domain wherever it appears.
 # 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
 # in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.
@@ -10,7 +10,7 @@ proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cac
 inactive=720m use_temp_path=off;
 
 server {
-    server_name pleroma.example.tld;
+    server_name example.tld;
     listen 80;
     return 301 https://$server_name$request_uri;
@@ -31,9 +31,9 @@ server {
     listen 443 ssl http2;
     ssl_session_timeout 5m;
 
-    ssl_trusted_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
-    ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
 
     # Add TLSv1.0 to support older devices
     ssl_protocols TLSv1.2;
@@ -47,7 +47,7 @@ server {
     ssl_stapling on;
     ssl_stapling_verify on;
 
-    server_name pleroma.example.tld;
+    server_name example.tld;
 
     gzip_vary on;
     gzip_proxied any;