nginx: use safer request_uri variable

Fix >> Problem: [http_splitting] Possible HTTP-Splitting vulnerability. https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
garage: fix s3_api root_domain
2024-10-17 21:15:57 +02:00 · 2024-10-17 21:15:57 +02:00 · 2024-10-17 21:15:55 +02:00
5 changed files with 19 additions and 8 deletions
--- a/modules/garage/default.nix
+++ b/modules/garage/default.nix
@ -99,7 +99,7 @@
      s3_api = {
        s3_region = "eu-central";
        api_bind_addr = "[::]:3900";
-        root_domain = ".s3.${config.pub-solar-os.networking.domain}";
+        root_domain = ".buckets.${config.pub-solar-os.networking.domain}";
      };
      s3_web = {
        bind_addr = "[::]:3902";
--- a/modules/mastodon/default.nix
+++ b/modules/mastodon/default.nix
@ -96,9 +96,9 @@
      # S3 File storage (optional)
      # -----------------------
      S3_ENABLED = "true";
-      S3_BUCKET = "pub-solar-mastodon";
-      S3_REGION = "europe-west-1";
-      S3_ENDPOINT = "https://gateway.tardigradeshare.io";
+      S3_BUCKET = "mastodon";
+      S3_REGION = "eu-central";
+      S3_ENDPOINT = "https://buckets.pub.solar";
      S3_ALIAS_HOST = "files.${config.pub-solar-os.networking.domain}";
      # Translation (optional)
      # -----------------------
--- a/modules/nginx-mastodon-files/default.nix
+++ b/modules/nginx-mastodon-files/default.nix
@ -1,8 +1,7 @@
 { config, ... }:

 let
-  objStorHost = "link.tardigradeshare.io";
-  objStorBucket = "s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon";
+  objStorHost = "mastodon.web.pub.solar";
 in
 {
  services.nginx.virtualHosts = {
@ -10,6 +9,12 @@ in
      enableACME = true;
      forceSSL = true;

+      # Use variable to force nginx to perform a DNS resolution on its value,
+      # the IP of the object storage provider may not always remain the same.
+      extraConfig = ''
+        set $s3_backend 'https://${objStorHost}';
+      '';
+
      locations = {
        "= /" = {
          index = "index.html";
@ -25,7 +30,6 @@ in
              deny all;
            }

-            resolver 8.8.8.8;
            proxy_set_header Host ${objStorHost};
            proxy_set_header Connection \'\';
            proxy_set_header Authorization \'\';
@ -40,7 +44,7 @@ in
            proxy_hide_header x-amz-bucket-region;
            proxy_hide_header x-amzn-requestid;
            proxy_ignore_headers Set-Cookie;
-            proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
+            proxy_pass $s3_backend$request_uri;
            proxy_intercept_errors off;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_server_name on;
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@ -22,6 +22,13 @@ in
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
+    resolver.addresses = [
+      # quad9.net
+      "9.9.9.9"
+      "149.112.112.112"
+      "[2620:fe::fe]"
+      "[2620:fe::9]"
+    ];
    appendHttpConfig = ''
      # https://my.f5.com/manage/s/article/K51798430
      proxy_headers_hash_bucket_size 128;
--- a/secrets/mastodon-extra-env-secrets.age
+++ b/secrets/mastodon-extra-env-secrets.age
Author	SHA1	Message	Date
teutat3s	5300f381b0	nginx: use safer request_uri variable All checks were successful Flake checks / Check (pull_request) Successful in 21m30s Details Fix >> Problem: [http_splitting] Possible HTTP-Splitting vulnerability. https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md	2024-10-17 21:15:57 +02:00
teutat3s	8a18ee452b	garage: fix s3_api root_domain	2024-10-17 21:15:57 +02:00
teutat3s	666de2c8f4	mastodon: switch files.pub.solar from storj to garage s3 backend	2024-10-17 21:15:55 +02:00