From ace8c98b80b6b9bbabf1c67d19b12dee4696e8a8 Mon Sep 17 00:00:00 2001
From: Saeed Vaziry
Date: Sun, 1 Feb 2026 13:01:54 +0100
Subject: [PATCH] Prevent cross-site SSL inheritance

---
 app/Services/Webserver/Nginx.php | 16 ++++++++++++++++
 .../webserver/nginx/create-default-ssl.blade.php | 9 +++++++++
 .../webserver/nginx/default-ssl-vhost.blade.php | 11 +++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 resources/views/ssh/services/webserver/nginx/create-default-ssl.blade.php
 create mode 100644 resources/views/ssh/services/webserver/nginx/default-ssl-vhost.blade.php

diff --git a/app/Services/Webserver/Nginx.php b/app/Services/Webserver/Nginx.php
index 3c40a749f..b5ad51d59 100755
--- a/app/Services/Webserver/Nginx.php
+++ b/app/Services/Webserver/Nginx.php
@@ -43,6 +43,22 @@ public function install(): void
             'root'
         );
 
+        $this->service->server->ssh()->exec(
+            view('ssh.services.webserver.nginx.create-default-ssl'),
+            'create-default-ssl'
+        );
+
+        $this->service->server->ssh()->write(
+            '/etc/nginx/sites-available/000-default-ssl',
+            view('ssh.services.webserver.nginx.default-ssl-vhost'),
+            'root'
+        );
+
+        $this->service->server->ssh()->exec(
+            'sudo ln -sf /etc/nginx/sites-available/000-default-ssl /etc/nginx/sites-enabled/000-default-ssl',
+            'enable-default-ssl'
+        );
+
         $this->service->server->systemd()->restart('nginx');
         event('service.installed', $this->service);
         $this->service->server->os()->cleanup();
diff --git a/resources/views/ssh/services/webserver/nginx/create-default-ssl.blade.php b/resources/views/ssh/services/webserver/nginx/create-default-ssl.blade.php
new file mode 100644
index 000000000..1f2388fab
--- /dev/null
+++ b/resources/views/ssh/services/webserver/nginx/create-default-ssl.blade.php
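Review bot: The vhost written to /etc/nginx/sites-available/000-default-ssl references /etc/nginx/ssl/default.crt and default.key, but nothing between the create-default-ssl exec and the write verifies that the openssl step actually produced them; unless ssh()->exec() throws on a non-zero exit (not visible here), a failed key generation leaves an enabled vhost pointing at missing files and the `restart('nginx')` that follows takes the whole server down. Consider checking the step result, or at least running `sudo nginx -t` before the restart so a broken default vhost is caught instead of applied. Because this runs only inside install(), servers where Nginx is already installed do not receive the catch-all vhost; if there is no separate upgrade path, the fix does not reach them. The body of install() continues outside the hunk.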
@@ -0,0 +1,9 @@
+sudo mkdir -p /etc/nginx/ssl
+
+sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
+    -keyout /etc/nginx/ssl/default.key \
+    -out /etc/nginx/ssl/default.crt \
+    -subj "/CN=default"
+
+sudo chmod 600 /etc/nginx/ssl/default.key
+sudo chmod 644 /etc/nginx/ssl/default.crt
diff --git a/resources/views/ssh/services/webserver/nginx/default-ssl-vhost.blade.php b/resources/views/ssh/services/webserver/nginx/default-ssl-vhost.blade.php
new file mode 100644
index 000000000..2f9dc91bb
--- /dev/null
+++ b/resources/views/ssh/services/webserver/nginx/default-ssl-vhost.blade.php
@@ -0,0 +1,11 @@
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    server_name _;
+
+    ssl_certificate /etc/nginx/ssl/default.crt;
+    ssl_certificate_key /etc/nginx/ssl/default.key;
+
+    # Return 444 to close the connection without sending a response
+    return 444;
+}
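Review bot: The private key is written by `openssl req -keyout` under the process's default umask and is only restricted by the `chmod 600` two lines later, so it can be readable by other local users for the duration of key generation. Putting `umask 077` as the first line of the script closes that window (sudo's default umask handling only makes the result more restrictive, so it stays in effect for the openssl call); keep the chmod lines as a belt-and-braces step. The script also runs again on every install() and silently regenerates the certificate, which is fine for a placeholder but deserves a comment such as `# Self-signed placeholder used only by the catch-all 443 vhost; regenerated on each install`.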
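Review bot: If any existing site vhost on the server already declares `default_server` on port 443, nginx rejects the configuration with a duplicate default server error and the restart in install() fails for every site; the new vhost does not guard against that, so at minimum a comment should state that 000-default-ssl must be the only `default_server` for 443. On nginx 1.19.4 and newer the same goal is reached without a placeholder certificate by replacing the two `ssl_certificate` lines with `ssl_reject_handshake on;`, which aborts the TLS handshake for names no other vhost matches and makes the create-default-ssl script unnecessary; whether the supported distributions ship that version is not visible here. As written, ssl_protocols and ssl_ciphers are inherited from the http block and the handshake completes before the 444, so the self-signed certificate is still presented to any client that connects by IP or with an unknown SNI, which is acceptable but worth noting.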