nginx: add security-related headers
parent
920dee9057
commit
77d88b0290
|
@ -6,6 +6,7 @@ srv04 ansible_host=srv04.hamburg.freifunk.net
|
||||||
|
|
||||||
[certbot]
|
[certbot]
|
||||||
srv01
|
srv01
|
||||||
|
srv02
|
||||||
|
|
||||||
[certsync]
|
[certsync]
|
||||||
srv03
|
srv03
|
||||||
|
|
|
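Review bot: The inventory hunk (srv02 added to the `[certbot]` group) is unrelated to the nginx header work the commit title describes and would be easier to audit as its own commit, or at least named in the message. Joining `[certbot]` presumably means srv02 starts running ACME issuance itself, which needs the challenge path reachable on :80; whether srv02's server blocks include `snippets/location-acme.conf` is not visible in this diff, so verify that before the first renewal run. Note also that srv03 remains alone in `[certsync]`, so nothing here changes where certificates are synced to.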
@ -7,6 +7,7 @@ server {
|
||||||
ssl_certificate_key {{ hopglass_frontend_tls_key }};
|
ssl_certificate_key {{ hopglass_frontend_tls_key }};
|
||||||
|
|
||||||
include snippets/header-hsts.conf;
|
include snippets/header-hsts.conf;
|
||||||
|
include snippets/header-security.conf;
|
||||||
include snippets/no-unsafe-files.conf;
|
include snippets/no-unsafe-files.conf;
|
||||||
|
|
||||||
root {{ hopglass_frontend_path }}/build;
|
root {{ hopglass_frontend_path }}/build;
|
||||||
|
@ -19,8 +20,11 @@ server {
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
|
||||||
{% if hopglass_frontend_tls_crt is defined %}
|
{% if hopglass_frontend_tls_crt is defined %}
|
||||||
|
location / {
|
||||||
return 302 https://$host$request_uri;
|
return 302 https://$host$request_uri;
|
||||||
|
}
|
||||||
{% else %}
|
{% else %}
|
||||||
|
include snippets/header-security.conf;
|
||||||
include snippets/no-unsafe-files.conf;
|
include snippets/no-unsafe-files.conf;
|
||||||
|
|
||||||
root {{ hopglass_frontend_path }}/build;
|
root {{ hopglass_frontend_path }}/build;
|
||||||
|
|
|
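Review bot: The new `location /` wrapper in the port-80 server (second hunk) encloses `return 302 https://$host$request_uri;`, while the media and meta templates changed in this same commit redirect to `$server_name`. `$host` is taken from the client's Host header, so if this server block is, or later becomes, the default for the :80 listener, a request with a forged Host header is answered with a redirect to an arbitrary https origin; `return 302 https://$server_name$request_uri;` closes that and makes the three templates consistent. In the TLS-defined branch the :80 server sends only redirects and includes neither snippet, which is fine, but the `{% else %}` branch now serves content over plaintext with `header-security.conf` attached, where an on-path attacker can strip the headers. Both hunks cut through `server { }` blocks whose start and end lie outside the diff.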
@ -1 +1,2 @@
|
||||||
add_header Strict-Transport-Security 'max-age=31536000';
|
add_header Strict-Transport-Security "max-age=31536000";
|
||||||
|
proxy_hide_header Strict-Transport-Security;
|
||||||
|
|
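Review bot: `add_header Strict-Transport-Security "max-age=31536000";` is attached by nginx only to 2xx/3xx responses, so a first visit that lands on a 404 or 5xx over TLS never pins the policy. nginx 1.7.5+ accepts `add_header Strict-Transport-Security "max-age=31536000" always;`; add the flag if the deployed version allows it. The value also omits `includeSubDomains`, which is a deliberate choice while sibling hosts still serve plaintext on :80 (the updates vhosts in this commit do), but a one-line comment in the snippet stating why would save the next reader from "fixing" it. The quote change from `'...'` to `"..."` is cosmetic in nginx and needs no further review.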
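--- /dev/null
+++ b/roles/nginx/files/snippets/header-security.conf
@@ -0,0 +1,8 @@
+add_header Referrer-Policy same-origin;
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options sameorigin;
+add_header X-XSS-Protection "1; mode=block";
+proxy_hide_header Referrer-Policy;
+proxy_hide_header X-Content-Type-Options;
+proxy_hide_header X-Frame-Options;
+proxy_hide_header X-XSS-Protection;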
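Review bot: These `add_header` lines are inherited only where no `add_header` appears at a more specific level; as soon as a `location` block, or another included snippet such as `no-unsafe-files.conf` or `autoindex.conf` (neither is in this diff), declares its own `add_header`, nginx replaces the inherited set entirely and these headers silently vanish for exactly those responses. A header comment such as `# Include at server{} level; any location-level add_header drops these (nginx inheritance rule)` plus a `curl -I` against a denied path and a directory listing after deploy would catch that. As with the HSTS snippet, none of these carry the `always` flag, so 4xx/5xx responses are not covered (nginx 1.7.5+ supports it). `X-XSS-Protection "1; mode=block"` is a legacy header that current guidance recommends dropping in favour of a `Content-Security-Policy`, which this snippet does not set; if it stays, a comment noting it is kept only for old browsers would help.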
|
@ -6,10 +6,12 @@ server {
|
||||||
ssl_certificate {{ media_tls_crt }};
|
ssl_certificate {{ media_tls_crt }};
|
||||||
ssl_certificate_key {{ media_tls_key }};
|
ssl_certificate_key {{ media_tls_key }};
|
||||||
|
|
||||||
root {{ media_root }};
|
|
||||||
include snippets/autoindex.conf;
|
include snippets/autoindex.conf;
|
||||||
include snippets/header-hsts.conf;
|
include snippets/header-hsts.conf;
|
||||||
|
include snippets/header-security.conf;
|
||||||
include snippets/no-unsafe-files.conf;
|
include snippets/no-unsafe-files.conf;
|
||||||
|
|
||||||
|
root {{ media_root }};
|
||||||
}
|
}
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -18,7 +20,9 @@ server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
|
||||||
|
location / {
|
||||||
return 302 https://$server_name$request_uri;
|
return 302 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
include snippets/location-acme.conf;
|
include snippets/location-acme.conf;
|
||||||
}
|
}
|
||||||
|
|
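Review bot: Moving the redirect into `location / { return 302 https://$server_name$request_uri; }` makes its interaction with the following `include snippets/location-acme.conf;` depend on how that snippet declares its location: a prefix `location /.well-known/acme-challenge/` or a regex location still beats `/` under nginx's matching rules, but the snippet is not in this diff, so verify after deploy that a challenge request on :80 returns 200 rather than a 302 to https. For a permanent HTTP→HTTPS canonicalisation `return 301` (or 308 to preserve the method) is the conventional choice; a 302 is re-fetched over plaintext on every visit by clients that have not yet seen the HSTS header, which is the window the rest of this commit is trying to close. Both `server { }` blocks start and end outside the hunks.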
|
@ -6,11 +6,13 @@ server {
|
||||||
ssl_certificate {{ meta_tls_crt }};
|
ssl_certificate {{ meta_tls_crt }};
|
||||||
ssl_certificate_key {{ meta_tls_key }};
|
ssl_certificate_key {{ meta_tls_key }};
|
||||||
|
|
||||||
root {{ meta_root }};
|
|
||||||
include snippets/autoindex.conf;
|
include snippets/autoindex.conf;
|
||||||
include snippets/header-hsts.conf;
|
include snippets/header-hsts.conf;
|
||||||
|
include snippets/header-security.conf;
|
||||||
include snippets/no-unsafe-files.conf;
|
include snippets/no-unsafe-files.conf;
|
||||||
|
|
||||||
|
root {{ meta_root }};
|
||||||
|
|
||||||
location ~ \.php$ {
|
location ~ \.php$ {
|
||||||
fastcgi_pass unix:/var/run/php5-fpm.sock;
|
fastcgi_pass unix:/var/run/php5-fpm.sock;
|
||||||
fastcgi_param SCRIPT_FILENAME /var/www/meta$fastcgi_script_name;
|
fastcgi_param SCRIPT_FILENAME /var/www/meta$fastcgi_script_name;
|
||||||
|
@ -24,7 +26,9 @@ server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
|
||||||
|
location / {
|
||||||
return 302 https://$server_name$request_uri;
|
return 302 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
include snippets/location-acme.conf;
|
include snippets/location-acme.conf;
|
||||||
}
|
}
|
||||||
|
|
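Review bot: The new `include snippets/header-security.conf;` sits at server level, but this vhost also has `location ~ \.php$ { ... }` whose body continues outside the hunk; if that block, or anything it includes, sets its own `add_header`, nginx drops the inherited set and the PHP responses — the dynamic ones most worth protecting — receive none of the new headers. Check with `curl -I https://<meta-host>/index.php` after deploy, or repeat the `include` inside the PHP location. Since the commit already moves `root {{ meta_root }};`, note that the adjacent `fastcgi_param SCRIPT_FILENAME /var/www/meta$fastcgi_script_name;` still hard-codes the path; `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` would keep the two in step if `meta_root` ever changes.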
|
@ -6,9 +6,12 @@ server {
|
||||||
ssl_certificate {{ updates_tls_crt }};
|
ssl_certificate {{ updates_tls_crt }};
|
||||||
ssl_certificate_key {{ updates_tls_key }};
|
ssl_certificate_key {{ updates_tls_key }};
|
||||||
|
|
||||||
root {{ updates_root }};
|
|
||||||
include snippets/autoindex.conf;
|
include snippets/autoindex.conf;
|
||||||
include snippets/header-hsts.conf;
|
include snippets/header-hsts.conf;
|
||||||
|
include snippets/header-security.conf;
|
||||||
|
include snippets/no-unsafe-files.conf;
|
||||||
|
|
||||||
|
root {{ updates_root }};
|
||||||
}
|
}
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -18,8 +21,11 @@ server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
|
||||||
root {{ updates_root }};
|
|
||||||
include snippets/autoindex.conf;
|
include snippets/autoindex.conf;
|
||||||
|
include snippets/header-security.conf;
|
||||||
|
include snippets/no-unsafe-files.conf;
|
||||||
|
|
||||||
|
root {{ updates_root }};
|
||||||
|
|
||||||
{% if updates_letsencrypt == 'local' %}
|
{% if updates_letsencrypt == 'local' %}
|
||||||
include snippets/location-acme.conf;
|
include snippets/location-acme.conf;
|
||||||
|
@ -33,6 +39,9 @@ server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
|
||||||
root {{ updates_root }};
|
|
||||||
include snippets/autoindex.conf;
|
include snippets/autoindex.conf;
|
||||||
|
include snippets/header-security.conf;
|
||||||
|
include snippets/no-unsafe-files.conf;
|
||||||
|
|
||||||
|
root {{ updates_root }};
|
||||||
}
|
}
|
||||||
|
|
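Review bot: In the two port-80 server blocks (second and third hunks) `header-security.conf` is included on listeners that serve `{{ updates_root }}` directly over plaintext instead of redirecting; headers sent over HTTP can be stripped or rewritten by anyone on the path, so they give no guarantee there, and whatever protection the content under `updates_root` needs (the name suggests firmware or package downloads, which I cannot confirm from the diff) has to come from client-side signature verification rather than from these headers. A comment above those includes, `# NOTE: served over plain HTTP; these headers are best-effort only, an on-path attacker can strip them`, would stop a later reader from assuming the :80 path is hardened. The addition of `no-unsafe-files.conf` to the :80 server in the second hunk is new for that block and is the part of this change with real effect there. Each `server { }` block starts outside its hunk.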