nginx: add security-related headers
parent
920dee9057
commit
77d88b0290
7 changed files with 40 additions and 9 deletions
|
@ -6,6 +6,7 @@ srv04 ansible_host=srv04.hamburg.freifunk.net
|
|||
|
||||
[certbot]
|
||||
srv01
|
||||
srv02
|
||||
|
||||
[certsync]
|
||||
srv03
|
||||
|
|
|
@ -7,6 +7,7 @@ server {
|
|||
ssl_certificate_key {{ hopglass_frontend_tls_key }};
|
||||
|
||||
include snippets/header-hsts.conf;
|
||||
include snippets/header-security.conf;
|
||||
include snippets/no-unsafe-files.conf;
|
||||
|
||||
root {{ hopglass_frontend_path }}/build;
|
||||
|
@ -19,8 +20,11 @@ server {
|
|||
listen [::]:80;
|
||||
|
||||
{% if hopglass_frontend_tls_crt is defined %}
|
||||
return 302 https://$host$request_uri;
|
||||
location / {
|
||||
return 302 https://$host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
include snippets/header-security.conf;
|
||||
include snippets/no-unsafe-files.conf;
|
||||
|
||||
root {{ hopglass_frontend_path }}/build;
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
add_header Strict-Transport-Security 'max-age=31536000';
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
proxy_hide_header Strict-Transport-Security;
|
||||
|
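Review bot: The `add_header Strict-Transport-Security "max-age=31536000";` line, like the four `add_header` lines in the new header-security.conf, is only attached to responses whose status is in nginx's default list (200, 201, 204, 206, 301, 302, 303, 304, 307, 308); 4xx/5xx responses, including error pages from a proxied backend, go out without HSTS or the other headers unless the directive carries the `always` parameter (nginx 1.7.5+). Suggest `add_header Strict-Transport-Security "max-age=31536000" always;` here and the same `always` suffix on each `add_header` in header-security.conf. The value also omits `includeSubDomains`; if subdomains are deliberately left out, a one-line comment saying so would stop the next reader from "fixing" it.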
|
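--- /dev/null
+++ b/roles/nginx/files/snippets/header-security.conf
@@ -0,0 +1,8 @@
+add_header Referrer-Policy same-origin;
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options sameorigin;
+add_header X-XSS-Protection "1; mode=block";
+proxy_hide_header Referrer-Policy;
+proxy_hide_header X-Content-Type-Options;
+proxy_hide_header X-Frame-Options;
+proxy_hide_header X-XSS-Protection;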
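Review bot: The snippet carries no comment about nginx's `add_header` inheritance rule, which is the usual way these headers silently disappear: a `location` that declares even one `add_header` of its own inherits none from the enclosing `server`, so the server-level include in every vhost of this commit stops applying inside such a location. The `location ~ \.php$` block in the meta vhost shows only `fastcgi_*` directives in this diff, so it looks fine today, but any location that later gains its own header must re-include the snippet. Suggest a leading comment: `# NOTE: add_header is not inherited into a location that defines its own add_header; re-include this snippet in such locations.` Separately, `X-XSS-Protection` is a legacy filter that current browsers no longer honour; it is harmless here, but a Content-Security-Policy is the durable replacement once one can be defined for these sites.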
|
@ -6,10 +6,12 @@ server {
|
|||
ssl_certificate {{ media_tls_crt }};
|
||||
ssl_certificate_key {{ media_tls_key }};
|
||||
|
||||
root {{ media_root }};
|
||||
include snippets/autoindex.conf;
|
||||
include snippets/header-hsts.conf;
|
||||
include snippets/header-security.conf;
|
||||
include snippets/no-unsafe-files.conf;
|
||||
|
||||
root {{ media_root }};
|
||||
}
|
||||
|
||||
{% endif %}
|
||||
|
@ -18,7 +20,9 @@ server {
|
|||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
return 302 https://$server_name$request_uri;
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
include snippets/location-acme.conf;
|
||||
}
|
||||
|
|
|
@ -6,11 +6,13 @@ server {
|
|||
ssl_certificate {{ meta_tls_crt }};
|
||||
ssl_certificate_key {{ meta_tls_key }};
|
||||
|
||||
root {{ meta_root }};
|
||||
include snippets/autoindex.conf;
|
||||
include snippets/header-hsts.conf;
|
||||
include snippets/header-security.conf;
|
||||
include snippets/no-unsafe-files.conf;
|
||||
|
||||
root {{ meta_root }};
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_pass unix:/var/run/php5-fpm.sock;
|
||||
fastcgi_param SCRIPT_FILENAME /var/www/meta$fastcgi_script_name;
|
||||
|
@ -24,7 +26,9 @@ server {
|
|||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
return 302 https://$server_name$request_uri;
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
include snippets/location-acme.conf;
|
||||
}
|
||||
|
|
|
@ -6,9 +6,12 @@ server {
|
|||
ssl_certificate {{ updates_tls_crt }};
|
||||
ssl_certificate_key {{ updates_tls_key }};
|
||||
|
||||
root {{ updates_root }};
|
||||
include snippets/autoindex.conf;
|
||||
include snippets/header-hsts.conf;
|
||||
include snippets/header-security.conf;
|
||||
include snippets/no-unsafe-files.conf;
|
||||
|
||||
root {{ updates_root }};
|
||||
}
|
||||
|
||||
{% endif %}
|
||||
|
@ -18,8 +21,11 @@ server {
|
|||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
root {{ updates_root }};
|
||||
include snippets/autoindex.conf;
|
||||
include snippets/header-security.conf;
|
||||
include snippets/no-unsafe-files.conf;
|
||||
|
||||
root {{ updates_root }};
|
||||
|
||||
{% if updates_letsencrypt == 'local' %}
|
||||
include snippets/location-acme.conf;
|
||||
|
@ -33,6 +39,9 @@ server {
|
|||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
root {{ updates_root }};
|
||||
include snippets/autoindex.conf;
|
||||
include snippets/header-security.conf;
|
||||
include snippets/no-unsafe-files.conf;
|
||||
|
||||
root {{ updates_root }};
|
||||
}
|
||||
|
|