freifunk/ansible-config
8
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

nginx: add security-related headers

Browse source
This commit is contained in:
Alexander Dietrich 2018-11-16 22:34:59 +01:00
parent 920dee9057
commit 77d88b0290
7 changed files with 40 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
production
View file

@ -6,6 +6,7 @@ srv04 ansible_host=srv04.hamburg.freifunk.net
[certbot] [certbot]
srv01 srv01
srv02
[certsync] [certsync]
srv03 srv03

4
roles/hopglass-frontend/templates/nginx-site.j2
View file

@ -7,6 +7,7 @@ server {
ssl_certificate_key {{ hopglass_frontend_tls_key }}; ssl_certificate_key {{ hopglass_frontend_tls_key }};
include snippets/header-hsts.conf; include snippets/header-hsts.conf;
include snippets/header-security.conf;
include snippets/no-unsafe-files.conf; include snippets/no-unsafe-files.conf;
root {{ hopglass_frontend_path }}/build; root {{ hopglass_frontend_path }}/build;
@ -19,8 +20,11 @@ server {
listen [::]:80; listen [::]:80;
{% if hopglass_frontend_tls_crt is defined %} {% if hopglass_frontend_tls_crt is defined %}
location / {
return 302 https://$host$request_uri; return 302 https://$host$request_uri;
}
{% else %} {% else %}
include snippets/header-security.conf;
include snippets/no-unsafe-files.conf; include snippets/no-unsafe-files.conf;
root {{ hopglass_frontend_path }}/build; root {{ hopglass_frontend_path }}/build;

3
roles/nginx/files/snippets/header-hsts.conf
View file

@ -1 +1,2 @@
add_header Strict-Transport-Security 'max-age=31536000'; add_header Strict-Transport-Security "max-age=31536000";
proxy_hide_header Strict-Transport-Security;

8
roles/nginx/files/snippets/header-security.conf Normal file
View file

@ -0,0 +1,8 @@
add_header Referrer-Policy same-origin;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options sameorigin;
add_header X-XSS-Protection "1; mode=block";
proxy_hide_header Referrer-Policy;
proxy_hide_header X-Content-Type-Options;
proxy_hide_header X-Frame-Options;
proxy_hide_header X-XSS-Protection;

6
roles/website/media/templates/site.j2
View file

@ -6,10 +6,12 @@ server {
ssl_certificate {{ media_tls_crt }}; ssl_certificate {{ media_tls_crt }};
ssl_certificate_key {{ media_tls_key }}; ssl_certificate_key {{ media_tls_key }};
root {{ media_root }};
include snippets/autoindex.conf; include snippets/autoindex.conf;
include snippets/header-hsts.conf; include snippets/header-hsts.conf;
include snippets/header-security.conf;
include snippets/no-unsafe-files.conf; include snippets/no-unsafe-files.conf;
root {{ media_root }};
} }
{% endif %} {% endif %}
@ -18,7 +20,9 @@ server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
location / {
return 302 https://$server_name$request_uri; return 302 https://$server_name$request_uri;
}
include snippets/location-acme.conf; include snippets/location-acme.conf;
} }

6
roles/website/meta/templates/site.j2
View file

@ -6,11 +6,13 @@ server {
ssl_certificate {{ meta_tls_crt }}; ssl_certificate {{ meta_tls_crt }};
ssl_certificate_key {{ meta_tls_key }}; ssl_certificate_key {{ meta_tls_key }};
root {{ meta_root }};
include snippets/autoindex.conf; include snippets/autoindex.conf;
include snippets/header-hsts.conf; include snippets/header-hsts.conf;
include snippets/header-security.conf;
include snippets/no-unsafe-files.conf; include snippets/no-unsafe-files.conf;
root {{ meta_root }};
location ~ \.php$ { location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME /var/www/meta$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME /var/www/meta$fastcgi_script_name;
@ -24,7 +26,9 @@ server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
location / {
return 302 https://$server_name$request_uri; return 302 https://$server_name$request_uri;
}
include snippets/location-acme.conf; include snippets/location-acme.conf;
} }

15
roles/website/updates/templates/site.j2
View file

@ -6,9 +6,12 @@ server {
ssl_certificate {{ updates_tls_crt }}; ssl_certificate {{ updates_tls_crt }};
ssl_certificate_key {{ updates_tls_key }}; ssl_certificate_key {{ updates_tls_key }};
root {{ updates_root }};
include snippets/autoindex.conf; include snippets/autoindex.conf;
include snippets/header-hsts.conf; include snippets/header-hsts.conf;
include snippets/header-security.conf;
include snippets/no-unsafe-files.conf;
root {{ updates_root }};
} }
{% endif %} {% endif %}
@ -18,8 +21,11 @@ server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
root {{ updates_root }};
include snippets/autoindex.conf; include snippets/autoindex.conf;
include snippets/header-security.conf;
include snippets/no-unsafe-files.conf;
root {{ updates_root }};
{% if updates_letsencrypt == 'local' %} {% if updates_letsencrypt == 'local' %}
include snippets/location-acme.conf; include snippets/location-acme.conf;
@ -33,6 +39,9 @@ server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
root {{ updates_root }};
include snippets/autoindex.conf; include snippets/autoindex.conf;
include snippets/header-security.conf;
include snippets/no-unsafe-files.conf;
root {{ updates_root }};
} }