Last active
April 1, 2018 14:55
-
-
Save TaylorBurnham/b18b56c43caca61427b266ae64b28d6f to your computer and use it in GitHub Desktop.
Securing ZNC Interface
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Assumptions are you already use letsencrypt and have dhparam generated | |
| # Configure ZNC to listen on IPv4 and only IRC + SSL for client connections | |
| <Listener listener0> | |
| AllowIRC = false | |
| AllowWeb = true | |
| IPv4 = true | |
| IPv6 = false | |
| Port = 5001 | |
| SSL = true | |
| URIPrefix = / | |
| </Listener> | |
| # Configure ZNC to listen on IPv6 and only web and TrustedProxy for local traffic | |
| TrustedProxy = 127.0.0.1 | |
| <Listener listener1> | |
| AllowIRC = false | |
| AllowWeb = true | |
| IPv4 = false | |
| IPv6 = true | |
| Port = 5002 | |
| SSL = false | |
| URIPrefix = / | |
| </Listener> | |
| # Make directory for certbot | |
| sudo mkdir -p /var/www/html/znc | |
| # Add site to nginx | |
| server { | |
| listen 80; | |
| server_name znc.domain.com; | |
| location / { | |
| 301 https://znc.domain.com; | |
| } | |
| location ~ /.well-known { | |
| allow all; | |
| root /var/www/html/znc; | |
| } | |
| } | |
| server { | |
| # SSL Configurations | |
| listen 443 ssl; | |
| include snippets/ssl-znc.domain.com.conf; | |
| include snippets/ssl-params.conf; | |
| # Server Declaration | |
| server_name znc.domain.com; | |
| allow <YourIPv4>; # Allow only your traffic | |
| deny all; # Deny all others | |
| location / { | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_pass http://[::1]:5002/; | |
| } | |
| } | |
| # ssl-params.conf | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_prefer_server_ciphers on; | |
| ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | |
| ssl_ecdh_curve secp384r1; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_tickets off; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| resolver 8.8.8.8 8.8.4.4 valid=300s; | |
| resolver_timeout 5s; | |
| add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; | |
| add_header X-Frame-Options DENY; | |
| add_header X-Content-Type-Options nosniff; | |
| ssl_dhparam /etc/ssl/certs/dhparam.pem; | |
| # ssl-znc.domain.com.conf | |
| ssl_certificate /etc/letsencrypt/live/znc.domain.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/znc.domain.com/privkey.pem; | |
| # Check config | |
| sudo nginx -t | |
| # Run certbot and create certificate | |
| letsencrypt certonly --webroot -w /var/www/html/znc/ -d znc.domain.com | |
| # Restart nginx | |
| sudo /etc/init.d/nginx restart |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment