finishing up security pieces of install.sh

2018-04-23 21:59:50 -07:00 · 2018-04-23 21:59:50 -07:00 · add6e675cb
commit add6e675cb
parent 1707ac7761
1 changed files with 7 additions and 2 deletions
--- a/install.sh
+++ b/install.sh
@ -76,10 +76,11 @@ sudo luarocks install moonscript
 sudo luarocks install bcrypt
 sudo luarocks install lapis-console # not used yet, but I totally will

-# Certificate
+# Certificate / TLS Security
 sudo nginx -s stop
 sudo certbot-auto certonly --standalone --agree-tos -m $EMAIL_ADDRESS -d $DOMAIN_NAME
 sudo nginx
+openssl dhparam -out ./dhparams.pem 2048

 # Database access
 sudo -u postgres createuser simplex
@ -120,6 +121,10 @@ sudo echo "server {
  listen 443 ssl;
  server_name $DOMAIN_NAME;

+  add_header Strict-Transport-Security \"max-age=63072000; preload\"; # DO NOT includeSubDomains; (some subdomains intentionally served over HTTP for now)
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+
  ssl_certificate /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
@ -136,7 +141,7 @@ sudo echo "server {
    proxy_pass http://127.0.0.1:$PORT
  }
 }" > /etc/nginx/sites-enabled/simplex-proxy.conf
-sudo nginx -s reload
+sudo nginx -s reload # might fail because the service isn't running yet

 # Change owner, start service
 sudo chown -R www-data:www-data ./