diff --git a/docker/Dockerfile b/Dockerfile
similarity index 100%
rename from docker/Dockerfile
rename to Dockerfile
diff --git a/README.md b/README.md
index 75c5a40..420b3ec 100644
--- a/README.md
+++ b/README.md
@@ -204,5 +204,4 @@ Community hosted instances:
 | URL | Country | Info |
 |-----------------------------|---------|------|
 | [safetwitch.projectsegfau.lt](https://safetwitch.projectsegfau.lt/) | 🇺🇸 🇮🇳 🇱🇺 | #2 |
-
-
+| [stream.whateveritworks.org](https://stream.whateveritworks.org) | :DE: | Hosted on Hetzner/Dedicated Server with Encryption at rest
\ No newline at end of file
diff --git a/backend-nginx.conf b/backend-nginx.conf
new file mode 100644
index 0000000..41f3aea
--- /dev/null
+++ b/backend-nginx.conf
@@ -0,0 +1,42 @@
+server {
+ server_name changethis;
+
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ ssl_certificate /etc/letsencrypt/live/changethis/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/changethis/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ add_header strict_sni on;
+ add_header strict_sni_header on;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy upgrade-insecure-requests;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "DENY";
+ add_header Clear-Site-Data "cookies";
+ add_header Referrer-Policy "no-referrer";
+ add_header Permissions-Policy "interest-cohort=(),accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
+ resolver 1.1.1.1;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/changethis/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ access_log /dev/null;
+ error_log /dev/null;
+
+ location / {
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://localhost:7100;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name changethis;
+ return 301 https://changethis$request_uri;
+ }
diff --git a/docker-compose.yml b/docker-compose.yml
index 52e0234..d7f406c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
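Review bot: `add_header strict_sni on;` and `add_header strict_sni_header on;` do not enable anything; `add_header` only emits a response header of that name, so every reply from this server block carries literal `strict_sni: on` and `strict_sni_header: on` headers, and both lines should be dropped (strict SNI is not a stock nginx feature, and if it is wanted it needs a module or patch that provides the directive, not a header). `add_header Clear-Site-Data "cookies";` has a quoting problem as well: nginx strips the outer double quotes from the argument, so the header on the wire is `Clear-Site-Data: cookies`, which browsers ignore because the specification requires a quoted-string; the working form is `add_header Clear-Site-Data '"cookies"';`. `error_log /dev/null;` discards every upstream, certificate and OCSP-stapling error, which removes the only signal an operator has when the proxy breaks; `access_log off;` is the idiomatic way to suppress access logging, and the error log is worth keeping at `warn` or at least `crit`. frontend-nginx.conf (the last hunk) repeats all three lines and needs the same fixes.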
@@ -1,20 +1,41 @@
-version: "3.9"
+version: "3.7"
+
 services:
- frontend:
- image: codeberg.org/dragongoose/safetwitch
+ safetwitch-frontend:
+ container_name: safetwitch-frontend
+ hostname: safetwitch-frontend
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
+ restart: always
+ image: codeberg.org/dragongoose/safetwitch:latest
 ports:
- - "8080:80"
- environment:
- - SAFETWITCH_BACKEND_DOMAIN=localhost:7000
- - SAFETWITCH_INSTANCE_DOMAIN=localhost:80
- - SAFETWITCH_HTTPS=false
+ - "127.0.0.1:8280:80"
+ environment:
+ - SAFETWITCH_BACKEND_DOMAIN=changethis
+ - SAFETWITCH_INSTANCE_DOMAIN=changethis
+ - SAFETWITCH_HTTPS=true
 - SAFETWITCH_DEFAULT_LOCALE=en
- - SAFETWITCH_FALLBACK_LOCALE=ja
- backend:
- image: codeberg.org/dragongoose/safetwitch-backend
+ - SAFETWITCH_FALLBACK_LOCALE=en
+
+ safetwitch-backend:
+ container_name: safetwitch-backend
+ hostname: safetwitch-backend
+ user: 65534:65534
+ read_only: true
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ restart: always
+ image: codeberg.org/dragongoose/safetwitch-backend:latest
 ports:
- - "7000:7000"
+ - "127.0.0.1:7100:7000"
 environment:
 - PORT=7000
- - URL=http://localhost:7000
-
+ - URL=https://changethis
\ No newline at end of file
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
deleted file mode 100644
index d1c44ad..0000000
--- a/docker/docker-compose.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-version: "3.9"
-services:
- - frontend:
- build:
- context: "../"
- dockerfile: ./docker/Dockerfile
- ports:
- - "8080:80"
- environment:
- - SAFETWITCH_BACKEND_DOMAIN=localhost:7000
- - SAFETWITCH_INSTANCE_DOMAIN=localhost:80
- - SAFETWITCH_HTTPS=false
- - SAFETWITCH_DEFAULT_LOCALE=en
- - SAFETWITCH_FALLBACK_LOCALE=ja
-
diff --git a/frontend-nginx.conf b/frontend-nginx.conf
new file mode 100644
index 0000000..a173dc2
--- /dev/null
+++ b/frontend-nginx.conf
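Review bot: Both new services pull a floating tag (`image: codeberg.org/dragongoose/safetwitch:latest` and `image: codeberg.org/dragongoose/safetwitch-backend:latest`) and pair it with `restart: always`, so what actually runs changes whenever the tag is republished upstream and a host cannot reproduce or roll back a known-good deployment; pin a release tag or a digest, e.g. `image: codeberg.org/dragongoose/safetwitch-backend@sha256:<digest-placeholder>` (constructed placeholder, take the real digest from the registry). `user: 65534:65534` is a digits-and-colon plain scalar; Compose reads it as a string today, but `user: "65534:65534"` removes any dependence on YAML implicit-typing rules. The backend gets `read_only: true` with no `tmpfs` entry, so any file the process writes at runtime will fail with a read-only filesystem error — worth confirming the backend never writes to disk, or adding a `tmpfs` mount for the paths it does use. The frontend placeholders `SAFETWITCH_BACKEND_DOMAIN=changethis` and `SAFETWITCH_INSTANCE_DOMAIN=changethis` are identical while both nginx files declare `server_name changethis` on port 443; assuming these are meant to be two different hostnames, distinct placeholders such as `frontend.changethis` / `backend.changethis` would stop a copy-paste deployment from ending up with two server blocks claiming the same name.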
@@ -0,0 +1,42 @@
+server {
+ server_name changethis;
+
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ ssl_certificate /etc/letsencrypt/live/changethis/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/changethis/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ add_header strict_sni on;
+ add_header strict_sni_header on;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy upgrade-insecure-requests;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "DENY";
+ add_header Clear-Site-Data "cookies";
+ add_header Referrer-Policy "no-referrer";
+ add_header Permissions-Policy "interest-cohort=(),accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
+ resolver 1.1.1.1;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/changethis/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ access_log /dev/null;
+ error_log /dev/null;
+
+ location / {
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://localhost:8280;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name changethis;
+ return 301 https://changethis$request_uri;
+ }