nginx: add security-related headers

2018-11-16 22:34:59 +01:00 · 2018-11-16 22:34:59 +01:00 · 77d88b0290
commit 77d88b0290
parent 920dee9057
7 changed files with 40 additions and 9 deletions
--- a/roles/website/media/templates/site.j2
+++ b/roles/website/media/templates/site.j2
@ -6,10 +6,12 @@ server {
    ssl_certificate {{ media_tls_crt }};
    ssl_certificate_key {{ media_tls_key }};

-    root {{ media_root }};
    include snippets/autoindex.conf;
    include snippets/header-hsts.conf;
+    include snippets/header-security.conf;
    include snippets/no-unsafe-files.conf;
+
+    root {{ media_root }};
 }

 {% endif %}
@ -18,7 +20,9 @@ server {
    listen 80;
    listen [::]:80;

-    return 302 https://$server_name$request_uri;
+    location / {
+        return 302 https://$server_name$request_uri;
+    }

    include snippets/location-acme.conf;
 }
--- a/roles/website/meta/templates/site.j2
+++ b/roles/website/meta/templates/site.j2
@ -6,11 +6,13 @@ server {
    ssl_certificate {{ meta_tls_crt }};
    ssl_certificate_key {{ meta_tls_key }};

-    root {{ meta_root }};
    include snippets/autoindex.conf;
    include snippets/header-hsts.conf;
+    include snippets/header-security.conf;
    include snippets/no-unsafe-files.conf;

+    root {{ meta_root }};
+
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_param SCRIPT_FILENAME /var/www/meta$fastcgi_script_name;
@ -24,7 +26,9 @@ server {
    listen 80;
    listen [::]:80;

-    return 302 https://$server_name$request_uri;
+    location / {
+        return 302 https://$server_name$request_uri;
+    }

    include snippets/location-acme.conf;
 }
--- a/roles/website/updates/templates/site.j2
+++ b/roles/website/updates/templates/site.j2
@ -6,9 +6,12 @@ server {
    ssl_certificate {{ updates_tls_crt }};
    ssl_certificate_key {{ updates_tls_key }};

-    root {{ updates_root }};
    include snippets/autoindex.conf;
    include snippets/header-hsts.conf;
+    include snippets/header-security.conf;
+    include snippets/no-unsafe-files.conf;
+
+    root {{ updates_root }};
 }

 {% endif %}
@ -18,8 +21,11 @@ server {
    listen 80;
    listen [::]:80;

-    root {{ updates_root }};
    include snippets/autoindex.conf;
+    include snippets/header-security.conf;
+    include snippets/no-unsafe-files.conf;
+
+    root {{ updates_root }};

 {% if updates_letsencrypt == 'local' %}
    include snippets/location-acme.conf;
@ -33,6 +39,9 @@ server {
    listen 80;
    listen [::]:80;

-    root {{ updates_root }};
    include snippets/autoindex.conf;
+    include snippets/header-security.conf;
+    include snippets/no-unsafe-files.conf;
+
+    root {{ updates_root }};
 }