Hardening server

2024-04-25 08:14:07 +01:00 · 2024-04-25 08:14:07 +01:00 · 63009e5e54
parent f6292ba4c8
commit 63009e5e54
2 changed files with 11 additions and 2 deletions
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -14,6 +14,7 @@ services:
    networks:
      matrix_server:
        ipv4_address: 10.10.10.4
+      matrix_db:
    ports:
      - 8008:8008

@ -27,8 +28,7 @@ services:
    volumes:
      - ./db:/var/lib/postgresql/data
    networks:
-      matrix_server:
-        ipv4_address: 10.10.10.2
+      matrix_db:
  
  element:
    image: vectorim/element-web:latest
@ -70,6 +70,7 @@ services:
    networks:
      matrix_server:
        ipv4_address: 10.10.10.7
+      matrix_db:
    depends_on:
      - synapse

@ -102,3 +103,5 @@ services:
 networks:
  matrix_server:
    external: true
+  matrix_db:
+    external: false
--- a/install.sh
+++ b/install.sh
@ -85,6 +85,7 @@ apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker
 echo -e "Create docker network\n"

 docker network create --driver=bridge --subnet=10.10.10.0/24 --gateway=10.10.10.1 matrix_server
+docker network create --driver=bridge --subnet=10.100.0.0/24 --gateway=10.100.0.1 --internal matrix_db

 # Randomly pick a DB password
 PG_PASS=$(pwgen -s 28 -1)
@ -147,6 +148,11 @@ server {
    listen 80;
    server_name ${DOMAIN};

+    # Hardening
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+    add_header Content-Security-Policy "default-src 'self' ${DOMAIN} http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
+    add_header X-Frame-Options "SAMEORIGIN";
+
    location /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin *;