Basic hardening

Florent Daigniere 2 years ago
parent 50f94a282f
commit 1379a58352

@ -1,4 +1,4 @@
#!/bin/sh #!/bin/bash
[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/` -ne 200 ]] && echo "The default page of rainloop hasn't returned 200!" >>/dev/stderr && exit 1 [[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/` -ne 200 ]] && echo "The default page of snappymail hasn't returned 200!" >>/dev/stderr && exit 1
[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/?admin` -ne 403 ]] && echo "The admin of rainloop is not disabled!" >>/dev/stderr && exit 1 [[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/?admin` -ne 403 ]] && echo "The admin of snappymail is not disabled!" >>/dev/stderr && exit 1
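Review bot: The second check passes `http://localhost/?admin` to curl unquoted, so the `?` is a glob character and the word is subject to pathname expansion; quoting it (`"http://localhost/?admin"`) keeps the request target fixed regardless of shell options or working directory. Because this line is what asserts that the admin panel is disabled, both curl calls would also benefit from a bound such as `--max-time 5`, so a stalled server fails the check instead of hanging it. `>&2` is the more portable spelling of `>>/dev/stderr`.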

@ -16,6 +16,11 @@ server {
# set maximum body size to configured limit # set maximum body size to configured limit
client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }}; client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
fastcgi_hide_header X-Powered-By;
add_header X-Download-Options "noopen" always;
add_header X-Robots-Tag "none" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header Referrer-Policy "no-referrer" always;
location / { location / {
try_files $uri $uri/ /index.php$args; try_files $uri $uri/ /index.php$args;
@ -42,10 +47,14 @@ server {
{% endif %} {% endif %}
} }
location ~ /\. { location ~ (^|/)\. {
deny all; deny all;
} }
location ~* ^/(config|temp|logs) {
deny all;
}
location ^~ /data { location ^~ /data {
deny all; deny all;
} }
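Review bot: The new deny rules `location ~ (^|/)\.` and `location ~* ^/(config|temp|logs)` are regex locations, and nginx uses the first regex location that matches in file order, so a regex location defined earlier in the server block would take precedence over them. The block closed just above this hunk is not visible here; if it is a regex location (for example a `.php` handler), either move the deny blocks above it or use `^~` prefix locations as the existing `/data` rule does. The pattern `^/(config|temp|logs)` also has no trailing boundary and so denies any path that merely begins with those words; `^/(config|temp|logs)(/|$)` restricts it to the directories. Separately, the server-level `add_header` lines are inherited only by locations that declare no `add_header` of their own, so any location outside this hunk that sets a header would need them repeated.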

@ -6,3 +6,6 @@ session.auto_start=Off
mbstring.func_overload=Off mbstring.func_overload=Off
file_uploads=On file_uploads=On
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors=Off
log_errors=On
zlib.output_compression=Off
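Review bot: `log_errors=On` is added without an `error_log` target in the visible lines, so where the now-hidden errors end up depends on the SAPI default. If the rest of the file (outside this hunk) does not set one, add an explicit destination outside the web root, e.g. `error_log=/dev/stderr` in a container. `expose_php=Off` would complement the `fastcgi_hide_header X-Powered-By;` added in the nginx section by not emitting the header in the first place. A one-line comment saying why `zlib.output_compression=Off` belongs in the hardening set would help the next maintainer.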
