Switch from duplicating security headers to using includes

nginx/conf.d/inf-int-bin.conf

@@ -1,6 +1,6 @@
 # Inferencium - xa000-1
 # Nginx - Configuration - Inferencium - Internal - BINHOST
-# Version: 1.0.0
+# Version: 1.0.1-alpha.1
 
 # Copyright 2024 Jake Winters
 # SPDX-License-Identifier: BSD-3-Clause
@@ -39,21 +39,6 @@ server {
 	## Security
 	ssl_certificate					/etc/ssl/nginx/inferencium-int/fullchain.pem;
 	ssl_certificate_key				/etc/ssl/nginx/inferencium-int/privkey.pem;
-	ssl_protocols					TLSv1.3;
+	include							include/header-security.conf;
-	ssl_early_data					off;
-	ssl_ciphers						"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
-	ssl_conf_command				Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
-	ssl_conf_command				Options PrioritizeChaCha;
-	ssl_prefer_server_ciphers		on;
-	ssl_ecdh_curve					x25519:secp256r1;
-	ssl_stapling					on;
-	ssl_stapling_verify				on;
-#	add_header						Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'none'; script-src 'none'; connect-src 'none'; frame-src 'none'; style-src 'self'; font-src 'self'";
-	add_header						Referrer-Policy no-referrer;
-	add_header						Strict-Transport-Security "max-age=126200000; always";
-	add_header						X-Content-Type-Options nosniff;
-	add_header						X-Frame-Options "DENY";
-	add_header						Set-Cookie "Path=/;Secure;HttpOnly";
-	ignore_invalid_headers			on;
 
 }

nginx/conf.d/inf-int-sd.conf

@@ -1,6 +1,6 @@
 # Inferencium - xa000-1
 # Nginx - Configuration - Inferencium - Internal - Stable Diffusion
-# Version: 1.0.0
+# Version: 1.0.1-alpha.1
 
 # Copyright 2023 Jake Winters
 # SPDX-License-Identifier: BSD-3-Clause
@@ -44,21 +44,6 @@ server {
 	## Security
 	ssl_certificate					/etc/ssl/nginx/inferencium-int/fullchain.pem;
 	ssl_certificate_key				/etc/ssl/nginx/inferencium-int/privkey.pem;
-	ssl_protocols					TLSv1.3;
+	include							include/header-security.conf;
-	ssl_early_data					off;
-	ssl_ciphers						"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
-	ssl_conf_command				Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
-	ssl_conf_command				Options PrioritizeChaCha;
-	ssl_prefer_server_ciphers		on;
-	ssl_ecdh_curve					x25519:secp256r1;
-	ssl_stapling					on;
-	ssl_stapling_verify				on;
-#	add_header						Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; script-src 'self'; connect-src 'none'; frame-src 'self'; style-src 'self'; font-src 'self'";
-	add_header						Referrer-Policy no-referrer;
-	add_header						Strict-Transport-Security "max-age=126200000; always";
-	add_header						X-Content-Type-Options nosniff;
-	add_header						X-Frame-Options "DENY";
-	add_header						Set-Cookie "Path=/;Secure;HttpOnly";
-	ignore_invalid_headers			on;
 
 }

nginx/conf.d/inf-int-src.conf

@@ -1,6 +1,6 @@
 # Inferencium - xa000-1
 # Nginx - Configuration - Inferencium - Internal - Source
-# Version: 1.0.0
+# Version: 1.0.0-alpha.1
 
 # Copyright 2023 Jake Winters
 # SPDX-License-Identifier: BSD-3-Clause
@@ -43,21 +43,6 @@ server {
 	## Security
 	ssl_certificate					/etc/ssl/nginx/inferencium-int/fullchain.pem;
 	ssl_certificate_key				/etc/ssl/nginx/inferencium-int/privkey.pem;
-	ssl_protocols					TLSv1.3;
+	include							include/header-security.conf;
-	ssl_early_data					off;
-	ssl_ciphers						"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
-	ssl_conf_command				Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
-	ssl_conf_command				Options PrioritizeChaCha;
-	ssl_prefer_server_ciphers		on;
-	ssl_ecdh_curve					x25519:secp256r1;
-	ssl_stapling					on;
-	ssl_stapling_verify				on;
-#	add_header						Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'none'; script-src 'none'; connect-src 'none'; frame-src 'none'; style-src 'self'; font-src 'self'";
-	add_header						Referrer-Policy no-referrer;
-	add_header						Strict-Transport-Security "max-age=126200000; always";
-	add_header						X-Content-Type-Options nosniff;
-	add_header						X-Frame-Options "DENY";
-	add_header						Set-Cookie "Path=/;Secure;HttpOnly";
-	ignore_invalid_headers			on;
 
 }

nginx/conf.d/inf-int-sync.conf

@@ -1,6 +1,6 @@
 # Inferencium - xa000-1
 # Nginx - Configuration - Inferencium - Internal - Syncthing
-# Version: 1.0.0
+# Version: 1.0.0-alpha.1
 
 # Copyright 2023 Jake Winters
 # SPDX-License-Identifier: BSD-3-Clause
@@ -39,21 +39,7 @@ server {
 	## Security
 	ssl_certificate					/etc/ssl/nginx/inferencium-int/fullchain.pem;
 	ssl_certificate_key				/etc/ssl/nginx/inferencium-int/privkey.pem;
-	ssl_protocols					TLSv1.3;
+	include							include/header-security.conf;
-	ssl_early_data					off;
+	include							include/header-security-csp.conf;
-	ssl_ciphers						"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
-	ssl_conf_command				Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
-	ssl_conf_command				Options PrioritizeChaCha;
-	ssl_prefer_server_ciphers		on;
-	ssl_ecdh_curve					x25519:secp256r1;
-	ssl_stapling					on;
-	ssl_stapling_verify				on;
-	add_header						Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; script-src 'self'; connect-src 'none'; frame-src 'self'; style-src 'self'; font-src 'self'";
-	add_header						Referrer-Policy no-referrer;
-	add_header						Strict-Transport-Security "max-age=126200000; always";
-	add_header						X-Content-Type-Options nosniff;
-	add_header						X-Frame-Options "DENY";
-	add_header						Set-Cookie "Path=/;Secure;HttpOnly";
-	ignore_invalid_headers			on;
 
 }

nginx/conf.d/inf-int-yt.conf

@@ -1,6 +1,6 @@
 # Inferencium - xa000-1
 # Nginx - Configuration - Inferencium - Internal - YouTube
-# Version: 1.0.0
+# Version: 1.0.0-alpha.1
 
 # Copyright 2024 Jake Winters
 # SPDX-License-Identifier: BSD-3-Clause
@@ -39,25 +39,6 @@ server {
 	## Security
 	ssl_certificate					/etc/ssl/nginx/inferencium-int/fullchain.pem;
 	ssl_certificate_key				/etc/ssl/nginx/inferencium-int/privkey.pem;
-	ssl_protocols					TLSv1.3;
+	include							include/header-security.conf;
-	ssl_early_data					off;
-	ssl_ciphers						"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
-	ssl_conf_command				Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
-	ssl_conf_command				Options PrioritizeChaCha;
-	ssl_prefer_server_ciphers		on;
-	ssl_ecdh_curve					x25519:secp256r1;
-	ssl_stapling					on;
-	ssl_stapling_verify				on;
-	ssl_session_timeout				1d;
-	ssl_session_cache				shared:MozSSL:10m;
-	ssl_session_cache				shared:ssl_session_cache:10m;
-	ssl_session_tickets				off;
-#	add_header						Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; script-src 'self'; connect-src 'none'; frame-src 'self'; style-src 'self'; font-src 'self'";
-	add_header						Referrer-Policy no-referrer;
-	add_header						Strict-Transport-Security "max-age=126200000; always";
-	add_header						X-Content-Type-Options nosniff;
-	add_header						X-Frame-Options "DENY";
-	add_header						Set-Cookie "Path=/;Secure;HttpOnly";
-	ignore_invalid_headers			on;
 
 }