From 857885567ea4ef42fea9e9eb1b9aec9fe9f7f14c Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Sat, 4 May 2024 16:12:36 +0800
Subject: [PATCH] lightsail-tokyo/caddy: add hardening and robots.txt

---
 hosts/lightsail-tokyo/Caddyfile | 69 +++++++++++++++++++++++++++++++
 hosts/lightsail-tokyo/default.nix | 45 ++++----------------
 hosts/lightsail-tokyo/robots.txt | 34 +++++++++++++++
 3 files changed, 110 insertions(+), 38 deletions(-)
 create mode 100644 hosts/lightsail-tokyo/Caddyfile
 create mode 100644 hosts/lightsail-tokyo/robots.txt

diff --git a/hosts/lightsail-tokyo/Caddyfile b/hosts/lightsail-tokyo/Caddyfile
new file mode 100644
index 0000000..fa4ecd3
--- /dev/null
+++ b/hosts/lightsail-tokyo/Caddyfile
@@ -0,0 +1,69 @@
+{
+ # Disables HTTP/3 for Hysteria
+ # https://github.com/apernet/hysteria/issues/768
+ servers :443 {
+ protocols h1 h2 h2c
+ }
+}
+
+(header) {
+ header {
+ # https://observatory.mozilla.org/analyze/ny4.dev
+ # https://infosec.mozilla.org/guidelines/web_security
+ # https://caddyserver.com/docs/caddyfile/directives/header#examples
+
+ Content-Security-Policy "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
+ Permissions-Policy interest-Hpcohort=()
+ Strict-Transport-Security max-age=31536000;
+ X-Content-Type-Options nosniff
+ X-Frame-Options DENY
+ }
+}
+
+(compression) {
+ encode zstd gzip
+}
+
+(robots) {
+ handle_path /robots.txt {
+ file_server * {
+ root /var/www/robots/robots.txt
+ }
+ }
+}
+
+(default) {
+ import header
+ import compression
+ import robots
+}
+
+www.ny4.dev {
+ import default
+ redir https://ny4.dev
+}
+
+ny4.dev {
+ import default
+ respond "Hello, world!"
+}
+
+searx.ny4.dev {
+ import default
+ reverse_proxy localhost:8100
+}
+
+pb.ny4.dev {
+ import default
+ reverse_proxy localhost:8200
+}
+
+uptime.ny4.dev {
+ import default
+ reverse_proxy localhost:8300
+}
+
+ntfy.ny4.dev {
+ import default
+ reverse_proxy localhost:8400
+}
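Review bot: The `(robots)` snippet does not look like it can serve the file: `handle_path /robots.txt` strips the matched prefix, so `file_server` is asked for `/` under a `root` that names a file, whereas Caddy's `root` is a directory, and as far as I can tell the lookup then fails rather than returning the file. The usual form keeps the path and points `root` at the directory the tmpfiles rule in default.nix populates: `handle /robots.txt {`, `root * /var/www/robots`, `file_server`. Separately, the `Permissions-Policy` value `interest-Hpcohort=()` does not look like a valid feature name (the FLoC opt-out is spelled `interest-cohort=()`), and the CSP `default-src https: 'unsafe-eval' 'unsafe-inline'` still allows inline scripts and eval from any HTTPS origin, so it blocks little beyond plaintext sources and plugins. Since `(header)` is imported into every vhost, including the proxied ones, it is worth checking what the upstream apps already send before tightening it per site.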
diff --git a/hosts/lightsail-tokyo/default.nix b/hosts/lightsail-tokyo/default.nix
index ef1ab75..ff33572 100644
--- a/hosts/lightsail-tokyo/default.nix
+++ b/hosts/lightsail-tokyo/default.nix
@@ -43,46 +43,15 @@
 networking.firewall.allowedUDPPorts = [443]; # h3 hysteria -> caddy
 networking.firewall.allowedTCPPorts = [80 443]; # caddy
 
+ systemd.tmpfiles.settings = {
+ "10-www" = {
+ "/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
+ };
+ };
+
 services.caddy = {
 enable = true;
- configFile = pkgs.writeText "Caddyfile" ''
- {
- # Disables HTTP/3 for Hysteria
- # https://github.com/apernet/hysteria/issues/768
- servers :443 {
- protocols h1 h2 h2c
- }
- }
-
- www.ny4.dev {
- redir https://ny4.dev
- }
-
- ny4.dev {
- encode zstd gzip
- respond "Hello, world!"
- }
-
- searx.ny4.dev {
- encode zstd gzip
- reverse_proxy localhost:8100
- }
-
- pb.ny4.dev {
- encode zstd gzip
- reverse_proxy localhost:8200
- }
-
- uptime.ny4.dev {
- encode zstd gzip
- reverse_proxy localhost:8300
- }
-
- ntfy.ny4.dev {
- encode zstd gzip
- reverse_proxy localhost:8400
- }
- '';
+ configFile = ./Caddyfile;
 };
 
 services.hysteria = {
diff --git a/hosts/lightsail-tokyo/robots.txt b/hosts/lightsail-tokyo/robots.txt
new file mode 100644
index 0000000..7d1ecef
--- /dev/null
+++ b/hosts/lightsail-tokyo/robots.txt
@@ -0,0 +1,34 @@
+User-agent: GPTBot
+Disallow: /
+
+User-agent: ChatGPT-User
+Disallow: /
+
+User-agent: Google-Extended
+Disallow: /
+
+User-agent: CCBot
+Disallow: /
+
+User-agent: Amazonbot
+Disallow: /
+
+User-agent: FacebookBot
+Disallow: /
+
+User-agent: anthopic-ai
+Disallow: /
+
+User-agent: Claude-Web
+Disallow: /
+
+User-agent: cohere-ai
+Disallow: /
+
+User-agent: Omgilibot
+Disallow: /
+
+User-Agent: *
+Disallow: /harming/humans
+Disallow: /ignoring/human/orders
+Disallow: /harm/to/self
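Review bot: The tmpfiles `C` entry only copies when `/var/www/robots/robots.txt` does not exist yet, so after the first activation later edits to `robots.txt` never reach the served copy and it silently goes stale. A symlink that is replaced on every run avoids that: `"/var/www/robots/robots.txt".L+.argument = toString ./robots.txt;` (Caddy's file_server follows symlinks), or `C+` where the deployed systemd supports the unconditional-copy modifier. Note that `C` copies the source's mode, which is fine here since a world-readable robots.txt is the intent. The enclosing module attribute set starts and ends outside the hunk.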
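Review bot: `User-agent: anthopic-ai` is misspelled — the crawler token is `anthropic-ai` — so that block matches nothing and the bot falls through to the `User-Agent: *` group, which only disallows the three joke paths. The same typo check is worth running on the other tokens, since a wrong name is indistinguishable from no rule. robots.txt is advisory, so the "hardening" in the subject line rests on the header snippet in the Caddyfile, not on this file.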