mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-25 03:17:13 +00:00
nixpkgs/nixos/modules/services/web-servers
Martin Weinelt 506bc7ba02
nixos/nginx: update hardening settings
- Set an explicit umask that allows u+rwx and g+r.
- Adds `ProtectControlGroups` and `ProtectKernelLogs`, there should be
  no need to access either.
- Adds `ProtectClock` to prevent write-access to the system clock.
- `ProtectProc` hides processes from other users within the /proc
  filesystem and `ProcSubSet` hides all files/directories unrelated to
  the process management of the unit's process.
- Sets `RemoveIPC`, as there is no SysV or POSIX IPC within nginx that I
  know of.
- Restricts the creation of arbitrary namespaces
- Adds a reasonable `SystemCallFilter` preventing calls to @privileged,
  @obsolete and others.

And finally applies some sorting based on the order these options appear
in systemd.exec(5).
2021-04-30 18:49:43 +02:00
..
apache-httpd nixos/httpd: Fix httpd module for php8 2021-03-02 09:22:32 +01:00
hitch
jboss
lighttpd
nginx nixos/nginx: update hardening settings 2021-04-30 18:49:43 +02:00
phpfpm
unit nixos/unit: add stateDir and logDir types 2021-01-31 13:41:53 +01:00
varnish
caddy.nix
darkhttpd.nix
fcgiwrap.nix
hydron.nix
mighttpd2.nix
minio.nix nixos/minio: allow multiple data directories for erasure coding 2021-04-10 14:44:45 +03:00
molly-brown.nix
pomerium.nix nixos/pomerium: fix useACMEHost 2021-04-07 01:26:44 +00:00
shellinabox.nix
tomcat.nix
traefik.nix
ttyd.nix
uwsgi.nix
zope2.nix