
Merge branch 'fix/nginx-ssl-sni' into staging/fixes

Kristan Kenney 5 years ago
parent
commit
86b06ef793

+ 1 - 1
CHANGELOG.md

@@ -21,7 +21,7 @@ All notable changes to this project will be documented in this file.
 - Fixed an issue where a `no backend template doesn't exist` could potentially would appear after upgrade with older templates (#1322).
 - Introduced caching templates for nginx + php-fpm configurations  - thanks **@cmstew**!
 - Fixed an issue where DNS cluster updates could fail due to the format of a DKIM record in an available zone - thanks **@jrohde**!
-
+- Improved the behavior of nginx SSL SNI detection to reject connections for domains which have no SSL certificate - thanks **@myrevery**! 
 
 ## [1.3.0] - Major Release (Feature / Quality Update)
 ### Features

+ 1 - 0
install/deb/nginx/unassigned.inc

@@ -37,6 +37,7 @@ server {
     server_name _;
     ssl_certificate      /usr/local/hestia/ssl/certificate.crt;
     ssl_certificate_key  /usr/local/hestia/ssl/certificate.key;
+    ssl_reject_handshake on;
 
     return 301 http://$host$request_uri;
 
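Review bot: With `ssl_reject_handshake on;` added, the `ssl_certificate`/`ssl_certificate_key` directives two lines above and the `return 301 http://$host$request_uri;` below are unreachable for any client that lands in this block — nginx aborts the TLS handshake before an HTTP request exists — so they are now dead configuration that still forces the certificate files to be present at load time. Either drop them or mark the intent, e.g. `# SNI names that match no vhost (and non-SNI clients) are rejected at the TLS layer; the directives below are never reached`. Note that the directive is only understood by nginx 1.19.4 and newer (per the nginx docs), so this template will fail `nginx -t` on hosts running an older packaged nginx; the template or its installer should guard on that. The enclosing `server {` line and its closing brace are outside this hunk.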

+ 2 - 1
install/deb/templates/web/nginx/proxy_ip.tpl

@@ -13,10 +13,11 @@ server {
 }
 
 server {
-    listen      %ip%:%proxy_ssl_port% ssl http2;
+    listen      %ip%:%proxy_ssl_port% ssl http2 default;
     server_name _;
     ssl_certificate      /usr/local/hestia/ssl/certificate.crt;
     ssl_certificate_key  /usr/local/hestia/ssl/certificate.key;
+    ssl_reject_handshake on;
 
     return 301 http://$host$request_uri;
 
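Review bot: The new `default` flag on the `listen %ip%:%proxy_ssl_port%` line is the legacy spelling; the documented form is `default_server`, and nginx refuses to start with "a duplicate default server" if any other server block on the same `%ip%:%proxy_ssl_port%` is already marked default — I cannot see the other templates, so that collision is worth checking before this ships. Making this block the default together with `ssl_reject_handshake on;` also means clients that send no SNI at all (older tools, some health checks) are rejected on this address, which may be intended but should be documented: `# default + ssl_reject_handshake: unknown SNI and non-SNI clients are refused on this IP`. The closing brace of this `server` block is outside the hunk.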

+ 11 - 0
install/upgrade/versions/1.3.1.sh

@@ -5,3 +5,14 @@
 #######################################################################################
 #######                      Place additional commands below.                   #######
 #######################################################################################
+
+# Update nginx configuration to block connections for unsigned (no SSL certificate) domains
+for ipaddr in $(ls /usr/local/hestia/data/ips/ 2>/dev/null); do
+    web_conf="/etc/$PROXY_SYSTEM/conf.d/$ipaddr.conf"
+
+    if [ "$PROXY_SYSTEM" = "nginx" ]; then
+        echo "[ * ] Hardening nginx SSL SNI configuration..."
+        cp -f $HESTIA_INSTALL_DIR/nginx/unassigned.inc $web_conf
+        sed -i 's/directIP/'$ipaddr'/g' $web_conf
+    fi
+done
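Review bot: The loop iterates `$(ls /usr/local/hestia/data/ips/)` and then uses `$HESTIA_INSTALL_DIR`, `$web_conf` and `$ipaddr` unquoted in `cp` and `sed`, so an unset `HESTIA_INSTALL_DIR` silently turns the source into `/nginx/unassigned.inc` and any odd entry in the ips directory is word-split; a glob with quoted expansions is the safer shape, and the `PROXY_SYSTEM` test and progress message belong outside the loop so they run once. The script only acts when `PROXY_SYSTEM` is nginx but writes `unassigned.inc` (the `directIP` template) into `/etc/$PROXY_SYSTEM/conf.d/$ipaddr.conf`, while the `proxy_ip.tpl` changed in this same commit uses `%ip%`/`%proxy_ssl_port%` placeholders; if per-IP proxy configs are normally rendered from `proxy_ip.tpl`, this overwrite would replace them with the web-server variant and lose the templated ports — confirm against the IP-provisioning path before shipping. `ssl_reject_handshake` is only understood by nginx 1.19.4+, so on a host with an older nginx the rewritten config fails `nginx -t` and the proxy cannot restart; the step should verify the directive is accepted (or the nginx version) and test the config before any reload.
```shell
# Update nginx configuration to block connections for unsigned (no SSL certificate) domains
if [ "$PROXY_SYSTEM" = "nginx" ]; then
    echo "[ * ] Hardening nginx SSL SNI configuration..."
    for ipdir in /usr/local/hestia/data/ips/*; do
        [ -e "$ipdir" ] || continue          # unmatched glob stays literal
        ipaddr="${ipdir##*/}"
        web_conf="/etc/$PROXY_SYSTEM/conf.d/$ipaddr.conf"
        cp -f "${HESTIA_INSTALL_DIR:?}/nginx/unassigned.inc" "$web_conf"
        sed -i "s/directIP/$ipaddr/g" "$web_conf"
    done
fi
```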