Merge branch 'master' into maintenance-vhost
This commit is contained in:
commit
89715ab247
8 changed files with 111 additions and 69 deletions
|
@ -15,6 +15,7 @@ nginx_log_dir: '/var/log/nginx'
|
|||
nginx_events_use: 'epoll'
|
||||
nginx_www_dir: '/var/www/'
|
||||
nginx_HSTS_policy: 'false'
|
||||
nginx_hsts_age: '63072000'
|
||||
nginx_http_types_hash_max_size: 4096
|
||||
nginx_http_default_type: 'application/octet-stream'
|
||||
nginx_http_access_log: 'off'
|
||||
|
|
|
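Review bot: The added `nginx_hsts_age: '63072000'` line has no comment, and it is a quoted string while the neighbouring `nginx_http_types_hash_max_size: 4096` is a bare integer, so a reader cannot tell whether the quoting is deliberate. Since the value is interpolated straight into a `Strict-Transport-Security` `max-age`, document the unit and the intent: `# HSTS max-age in seconds (63072000 = 2 years); interpolated into Strict-Transport-Security by the vhost templates`. Note also that the sibling default `nginx_HSTS_policy: 'false'` is, as far as the template hunks on this page show, never read globally — the templates test `item.nginx_HSTS_policy == 'none'` per vhost — so a comment stating which values are meaningful (or that the knob is per-item) would prevent someone relying on `'false'` to disable HSTS.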
@ -49,50 +49,41 @@ server {
|
|||
{% if item.headers is defined and item.headers == 'none' %}
|
||||
{% else %}
|
||||
## HEADERS
|
||||
{% if item.permission_policy is defined and item.permission_policy == 'none' %}
|
||||
{% if item.header_permission_policy is defined and item.header_permission_policy == 'none' %}
|
||||
{% else %}
|
||||
add_header Permissions-Policy "geolocation=(),interest-cohort=()";
|
||||
{% endif %}
|
||||
{% if item.secure_site is defined %}
|
||||
{% if item.secure_site is defined and item.secure_site == 'none' %}
|
||||
{% else %}
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header Referrer-Policy {{ item.referrer | default('no-referrer') }};
|
||||
{% endif %}
|
||||
{% if item.header_sameorigin is defined %}
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
{% endif %}
|
||||
{% if item.nginx_HSTS_policy is defined %}
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
||||
{% endif %}
|
||||
{% if item.referrer is defined %}
|
||||
add_header Referrer-Policy no-referrer;
|
||||
{% endif %}
|
||||
{% if item.csp is defined %}
|
||||
add_header Content-Security-Policy "{{ item.csp }}";
|
||||
{% endif %}
|
||||
{% if item.cto is defined %}
|
||||
{% if item.cto == 'none' %}
|
||||
{% if item.header_referrer is defined and item.header_referrer == 'none' %}
|
||||
{% else %}
|
||||
add_header X-Content-Type-Options {{ item.cto }};
|
||||
add_header Referrer-Policy "{{ item.header_referrer | default('no-referrer') }}";
|
||||
{% endif %}
|
||||
{% if item.header_xframe is defined and item.header_xframe == 'none' %}
|
||||
{% else %}
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-Frame-Options "{{ item.header_xframe | default("SAMEORIGIN") }}";
|
||||
{% endif %}
|
||||
{%if item.xss is defined %}
|
||||
{% if item.xss == 'none' %}
|
||||
{% if item.nginx_HSTS_policy is defined and item.nginx_HSTS_policy == 'none' %}
|
||||
{% else %}
|
||||
add_header X-XSS-Protection "{{ item.xss }}";
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_hsts_age }}; includeSubDomains; preload;" always;
|
||||
{% endif %}
|
||||
{% else %}
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
{% if item.header_csp is defined %}
|
||||
add_header Content-Security-Policy "{{ item.header_csp | default("default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';") }}";
|
||||
{% endif %}
|
||||
{% if item.robots is defined %}
|
||||
{% if item.robots == 'none' %}
|
||||
{% if item.header_cto is defined and item.header_cto == 'none' %}
|
||||
{% else %}
|
||||
add_header X-Robots-Tag "{{ item.robots }}";
|
||||
add_header X-Content-Type-Options "{{ item.header_cto | default('nosniff') }}";
|
||||
{% endif %}
|
||||
{%if item.header_xss is defined and item.header_xss == 'none' %}
|
||||
{% else %}
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-XSS-Protection "{{ item.header_xss | default('1; mode=block') }}";
|
||||
{% endif %}
|
||||
{% if item.header_robots is defined and item.header_robots == 'none' %}
|
||||
{% else %}
|
||||
add_header X-Robots-Tag "{{ item.header_robots | default('none') }}";
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endblock %}
|
||||
|
@ -115,16 +106,16 @@ server {
|
|||
{% if item.secure_site is defined %}
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
{% endif %}
|
||||
{% if item.referrer is defined %}
|
||||
add_header Referrer-Policy {{ item.referrer | default('no-referrer') }};
|
||||
{% endif %}
|
||||
{% if item.header_sameorigin is defined %}
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.nginx_HSTS_policy is defined %}
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
||||
{% endif %}
|
||||
{% if item.referrer is defined %}
|
||||
add_header Referrer-Policy no-referrer;
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_hsts_age }}; includeSubDomains; preload;" always;
|
||||
{% endif %}
|
||||
{% if item.csp is defined %}
|
||||
add_header Content-Security-Policy "{{ item.csp }}";
|
||||
|
|
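Review bot: The HSTS opt-out at `{% if item.nginx_HSTS_policy is defined and item.nginx_HSTS_policy == 'none' %}` only recognises the per-item value `'none'`, while the defaults file in this same commit defines a global `nginx_HSTS_policy: 'false'`; either the template should fall back to the global (`item.nginx_HSTS_policy | default(nginx_HSTS_policy)`) or the default's value set should match, otherwise the default is dead and misleading. Only the `Strict-Transport-Security` lines carry `always`; nginx omits `add_header` values without it on 4xx/5xx responses, so `X-Frame-Options`, `X-Content-Type-Options`, `Content-Security-Policy` and the rest disappear on error pages — adding `always` to every security header here would make the block consistent. In the `{% if item.header_csp is defined %}` branch the `default("default-src 'self'; ...")` filter can never apply because the guard already requires the key, so either the guard or the default is redundant; if the intent is a baseline CSP for every vhost, the guard should go. In the second hunk, `add_header Strict-Transport-Security "max-age={{ nginx_hsts_age }} ..." always;` appears inside `{% if item.referrer is defined %}`; if that is the new side, HSTS emission is coupled to whether a referrer policy is configured and belongs in its own conditional. The `preload;` trailing semicolon inside the quoted value is tolerated by clients but is not the canonical form.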
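--- a/templates/etc/nginx/sites-available/etherpad.j2
+++ b/templates/etc/nginx/sites-available/etherpad.j2
@@ -0,0 +1,28 @@
+{% extends "core.j2" %}
+
+{% block location %}
+
+## LOCATIONS
+location / {
+proxy_pass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ item.upstream_port}};
+proxy_set_header Host $host;
+proxy_pass_header Server;
+proxy_buffering off;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
+{% if item.secure_cookie is defined %}
+proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+{% endif %}
+}
+
+{% endblock %}
+{% block app_specific %}
+rewrite /stats =404;
+
+{% endblock %}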
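Review bot: `proxy_set_header Host $host;` is set twice in the `location /` block (once before `proxy_pass_header Server;` and again before `proxy_http_version 1.1;`); the second copy should be dropped. `proxy_set_header Connection $connection_upgrade;` depends on a `map $http_upgrade $connection_upgrade` in the http context that this file does not define — presumably it lives in the base configuration, but that should be confirmed, since nginx will refuse to start on an unknown variable. `X-Forwarded-For $remote_addr` deliberately discards any client-supplied chain, which is the safer choice when this nginx is the edge, but it differs from the pleroma template in the same commit (`$proxy_add_x_forwarded_for`); a one-line comment such as `# edge proxy: do not trust upstream-supplied X-Forwarded-For` would record that the difference is intentional. `proxy_pass_header Server;` forwards the upstream's `Server` banner to clients, which sits oddly next to the `fastcgi_hide_header X-Powered-By` rationale elsewhere in this commit — worth a comment if Etherpad needs it.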
@ -39,7 +39,7 @@
|
|||
location ~ \.php$ {
|
||||
{% if item.upstream_params is defined and item.upstream_params is iterable %}
|
||||
{% for param in item.upstream_params %}
|
||||
{{ param }}
|
||||
{{ param }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
}
|
||||
|
|
|
@ -5,10 +5,21 @@
|
|||
## LOCATIONS
|
||||
location / {
|
||||
proxy_pass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ item.upstream_port}};
|
||||
|
||||
# Add cache for static files
|
||||
if ($request_uri ~* ^/(img|css|font|js)/) {
|
||||
add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT";
|
||||
add_header Cache-Control "public, max-age=315360000";
|
||||
}
|
||||
|
||||
# HTTPS only header, improves security
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
|
||||
add_header Permissions-Policy "geolocation=(),interest-cohort=()";
|
||||
add_header Referrer-Policy no-referrer;
|
||||
{% if item.secure_cookie is defined %}
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
{% endif %}
|
||||
|
||||
# Really important! Lufi uses WebSocket, it won't work without this
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
|
|
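Review bot: The `add_header` directives placed inside `location /` (`Strict-Transport-Security`, `Permissions-Policy`, `Referrer-Policy`) and inside the `if ($request_uri ~* ^/(img|css|font|js)/)` block change what clients receive: nginx only inherits `add_header` from the enclosing level when the current level sets none, so any headers emitted by the server-level headers block are dropped for this location, and for matching static requests only `Expires` and `Cache-Control` are sent at all. Which of these lines are new is not recoverable from the rendered hunk, but on the new side the security headers should live in the template's headers block rather than in the location. `add_header Strict-Transport-Security "max-age=15768000";` also hard-codes a six-month value without `includeSubDomains` or `always`, while this commit introduces `nginx_hsts_age` for exactly that purpose; `add_header Strict-Transport-Security "max-age={{ nginx_hsts_age }}; includeSubDomains" always;` would keep lufi aligned with the other vhosts.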
@ -17,12 +17,15 @@ upstream php-handler {
|
|||
{% block headers %}
|
||||
|
||||
## HEADERS
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Permissions-Policy "geolocation=(),interest-cohort=()";
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
||||
# Remove X-Powered-By, which is an information leak
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
|
|
|
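Review bot: `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;` advertises `preload` with a six-month `max-age`, but the HSTS preload list requires a `max-age` of at least one year (31536000 seconds), so the directive cannot be honoured as written; it also diverges from the `nginx_hsts_age` default (63072000) added in this same commit, and carries a stray `;` before the closing quote. Replace it with `add_header Strict-Transport-Security "max-age={{ nginx_hsts_age }}; includeSubDomains; preload" always;`. The same hard-coded 15768000 appears in the lufi template on this page.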
@ -6,7 +6,7 @@ proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cac
|
|||
inactive=720m use_temp_path=off;
|
||||
|
||||
upstream phoenix {
|
||||
server 127.0.0.1:4000 max_fails=5 fail_timeout=60s;
|
||||
server {{ item.upstream_name }}:4000 max_fails=5 fail_timeout=60s;
|
||||
}
|
||||
{% endblock %}
|
||||
|
||||
|
@ -28,4 +28,13 @@ upstream phoenix {
|
|||
chunked_transfer_encoding on;
|
||||
proxy_pass http://phoenix;
|
||||
}
|
||||
{% endblock %}
|
||||
|
||||
{% endblock %}
|
||||
{% block app_specific %}
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
{% endblock %}
|
||||
|
|
|
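Review bot: `proxy_set_header Connection "upgrade";` in the `app_specific` block sends `Connection: upgrade` on every proxied request, not only WebSocket handshakes; the etherpad template in this commit uses `proxy_set_header Connection $connection_upgrade;` driven by a map, and the two should agree. `proxy_set_header Host $http_host;` likewise differs from the `$host` used elsewhere on this page — `$http_host` echoes the client's Host header verbatim (including port and when absent), whereas `$host` falls back to the server name — so pick one deliberately and document it. Changing the upstream from `server 127.0.0.1:4000` to `server {{ item.upstream_name }}:4000` means `proxy_pass http://phoenix` may now cross a network segment in cleartext rather than loopback; if that is intended, a comment such as `# upstream is reached over plain HTTP; keep it on a trusted network` next to the `upstream phoenix {` block would make the assumption explicit.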
@ -16,45 +16,44 @@
|
|||
{% endif %}
|
||||
{% if item.root_custom_headers is defined %}
|
||||
{% for header in item.root_custom_headers %}
|
||||
{% if header.secure_site is defined %}
|
||||
|
||||
#headers
|
||||
{% if header.permission_policy is defined and header.permission_policy == 'none' %}
|
||||
{% else %}
|
||||
add_header Permissions-Policy "geolocation=(),interest-cohort=()";
|
||||
{% endif %}
|
||||
{% if header.secure_site is defined and header.secure_site == 'none' %}
|
||||
{% else %}
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header Referrer-Policy {{ item.referrer | default('no-referrer') }};
|
||||
{% if header.header_sameorigin is defined %}
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
{% endif %}
|
||||
{% if header.referrer is defined and header.referrer == 'none' %}
|
||||
{% else %}
|
||||
add_header Referrer-Policy "{{ header.referrer | default('no-referrer') }}";
|
||||
{% endif %}
|
||||
{% if header.nginx_HSTS_policy is defined %}
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
||||
{% if header.xframe is defined and header.xframe == 'none' %}
|
||||
{% else %}
|
||||
add_header X-Frame-Options "{{ header.xframe | default("SAMEORIGIN") }}";
|
||||
{% endif %}
|
||||
{% if header.referrer is defined %}
|
||||
add_header Referrer-Policy no-referrer;
|
||||
{% if header.nginx_HSTS_policy is defined and header.nginx_HSTS_policy == 'none' %}
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_hsts_age }}; includeSubDomains; preload;" always;
|
||||
{% endif %}
|
||||
{% if header.csp is defined %}
|
||||
add_header Content-Security-Policy "{{ header.csp }}";
|
||||
add_header Content-Security-Policy "{{ header.csp | default("default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';") }}";
|
||||
{% endif %}
|
||||
{% if header.cto is defined %}
|
||||
{% if header.cto == 'none' %}
|
||||
{% if header.cto is defined and header.cto == 'none' %}
|
||||
{% else %}
|
||||
add_header X-Content-Type-Options {{ header.cto }};
|
||||
add_header X-Content-Type-Options "{{ header.cto | default('nosniff') }}";
|
||||
{% endif %}
|
||||
{%if header.xss is defined and header.xss == 'none' %}
|
||||
{% else %}
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "{{ header.xss | default('1; mode=block') }}";
|
||||
{% endif %}
|
||||
{%if header.xss is defined %}
|
||||
{% if header.xss == 'none' %}
|
||||
{% if header.robots is defined and header.robots == 'none' %}
|
||||
{% else %}
|
||||
add_header X-XSS-Protection "{{ header.xss }}";
|
||||
add_header X-Robots-Tag "{{ header.robots | default('none') }}";
|
||||
{% endif %}
|
||||
{% else %}
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
{% endif %}
|
||||
{% if header.robots is defined %}
|
||||
add_header X-Robots-Tag "{{ header.robots }}";
|
||||
{% else %}
|
||||
add_header X-Robots-Tag none;
|
||||
{% endif %}
|
||||
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
|
@ -130,4 +129,4 @@
|
|||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endblock %}
|
||||
```
|
||||
```
|
||||
|
|
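Review bot: Inside `{% if header.csp is defined %}` the line `add_header Content-Security-Policy "{{ header.csp | default("default-src 'self'; ...") }}";` has a `default()` that can never apply because the guard already requires the key; if the intent is a baseline CSP for every custom-header entry, drop the guard, otherwise drop the filter (the core template on this page has the same shape with `header_csp`). The repeated empty-branch idiom `{% if header.X is defined and header.X == 'none' %}{% else %} ... {% endif %}` would read more plainly as `{% if header.X | default('') != 'none' %} ... {% endif %}`, which also removes the `is defined` duplication on each check. One line in the loop, `add_header Referrer-Policy {{ item.referrer | default('no-referrer') }};`, reads `item.referrer` while every neighbouring line reads `header.*`; it is not recoverable from the rendered hunk whether that line survives on the new side, but if it does it should be `header.referrer` for consistency with the `Referrer-Policy` line a few lines below.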