add missing deps to create selfsigned certificate #19

Merged
meaz merged 9 commits from selfsignedcertif into master 2022-06-01 22:11:07 +02:00
2 changed files with 15 additions and 11 deletions


@ -57,10 +57,10 @@ server {
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy {{ item.referrer | default('no-referrer') }};
{% endif %}
{% if item.header_sameorigin is defined %}
add_header X-Frame-Options "SAMEORIGIN";
{% endif %}
{% endif %}
{% if item.nginx_HSTS_policy is defined %}
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
{% endif %}
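Review bot: The Strict-Transport-Security line is emitted without the `always` parameter, so nginx's `add_header` attaches it only to 2xx/3xx responses and any 4xx/5xx page goes out without HSTS; it should read `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;`. The `preload` and `includeSubDomains` tokens are hard-coded whenever `item.nginx_HSTS_policy` is merely defined while its value is never used; preload is effectively irreversible once a host lands on the browser preload list, so gate it on its own flag, e.g. `"max-age=63072000; includeSubDomains{% if item.nginx_HSTS_preload | default(false) %}; preload{% endif %}"`. Given this PR is about self-signed certificates, a self-signed host cannot be preloaded in any case, and a two-year includeSubDomains policy will pin every subdomain to HTTPS for clients that have accepted the certificate. The same `always` caveat applies to the other `add_header` lines in the hunk, and headers set here are not inherited by any nested `location` that declares its own `add_header`; the enclosing `server {}` block starts and ends outside the hunk.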


@ -24,13 +24,16 @@
add_header Access-Control-Allow-Origin "*";
set $coop '';
#set $coop '';
#if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
# Opt out of Google's FLoC Network
add_header Permissions-Policy interest-cohort=();
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
add_header Cross-Origin-Resource-Policy cross-origin;
add_header Cross-Origin-Opener-Policy $coop;
add_header Cross-Origin-Embedder-Policy require-corp;
# any static assets loaded with "ver=" in their URL will be cached for a year
if ($args ~ ver=) {
set $cacheControl max-age=31536000;
@ -42,23 +45,24 @@
add_header Cache-Control $cacheControl;
# CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
# connect-src restricts URLs which can be loaded using script interfaces
set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
# fonts can be loaded from data-URLs or the main domain
set $fontSrc "'self' data: ${main_domain}";
set $fontSrc "'self' data: https://${main_domain}";
# images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
set $imgSrc "'self' data: * blob: ${main_domain}";
set $imgSrc "'self' data: blob: https://${main_domain}";
# frame-src specifies valid sources for nested browsing contexts.
# this prevents loading any iframes from anywhere other than the sandbox domain
set $frameSrc "'self' ${sandbox_domain} blob:";
set $frameSrc "'self' https://${sandbox_domain} blob:";
# specifies valid sources for loading media using video or audio
set $mediaSrc "'self' data: * blob: ${main_domain}";
#set $mediaSrc "'self' data: * blob: ${main_domain}";
set $mediaSrc "blob:";
# defines valid sources for webworkers and nested browser contexts
# deprecated in favour of worker-src and frame-src
@ -66,10 +70,10 @@
# specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
# supercedes child-src but is unfortunately not yet universally supported.
set $workerSrc "https://${main_domain}";
set $workerSrc "'self'";
# script-src specifies valid sources for javascript, including inline handlers
set $scriptSrc "'self' resource: ${main_domain}";
set $scriptSrc "'self' resource: https://${main_domain}";
set $unsafe 0;
# the following assets are loaded via the sandbox domain
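Review bot: `add_header Cross-Origin-Opener-Policy $coop;` is fed by a `$coop` that is either the empty string or, if the commented-out `#set $coop '';` is the new side, never defined; nginx drops an `add_header` whose value is empty and refuses to load a config that references an unknown variable, so in neither case is a COOP header sent, and COEP `require-corp` on its own does not make the document cross-origin isolated, which defeats the "Enable SharedArrayBuffer in Firefox" intent stated in the comment above it. Keep `set $coop '';` as the default and restore the scoped rule `if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }` (or set `same-origin` unconditionally if the whole origin is meant to be isolated). The CSP rewrites in the second hunk, which add an explicit `https://` scheme to `${main_domain}`, `${api_domain}` and `${sandbox_domain}`, also appear to drop `${files_domain}` from connect-src and reduce media-src to `blob:`; which of each pair of lines is old or new is not certain from the rendered page, so confirm that file downloads and media still resolve through the remaining sources. The `location` block these `set`/`add_header` directives live in starts and ends outside the hunks.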