provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar at 5fcf0955129c

158:5fcf0955129c

Anton Shestakov <av6@dwimlabs.net>, Tue, 31 Oct 2017 12:53:48 +0800

provision: add CSP header, *-src are either 'self' or 'none'

previous change

154:646c6d06235f

provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar

Permissions: -rw-r--r--

File Latest Revisions Annotate Diff Comparison

Other formats:

JSON Raw

Feeds:

Atom RSS

upstream fruitbar {
    server unix:/home/{{ user }}/webapps/fruitbar/socket;
}
{% if certfile.stat.exists and keyfile.stat.exists %}
server {
    server_name fruitbar.{{ umbrella }};
    listen 80;
    listen [::]:80;
    access_log /var/log/nginx/fruitbar.{{ umbrella }}.access.log;
    error_log /var/log/nginx/fruitbar.{{ umbrella }}.error.log;
    return 301 https://$host$request_uri;
}
{% endif %}
server {
    server_name fruitbar.{{ umbrella }};
{% if certfile.stat.exists and keyfile.stat.exists %}
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
{% else %}
    listen 80;
    listen [::]:80;
{% endif %}
{% if certfile.stat.exists and keyfile.stat.exists %}
    ssl_certificate {{ ssl_cert }};
    ssl_certificate_key {{ ssl_key }};
    ssl_dhparam /etc/nginx/dh-2048.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # OCSP
    ssl_stapling on;
    resolver {{ nginx_resolver }};
    resolver_timeout {{ nginx_resolver_timeout }};
{% if hpkpinfo.results|length > 1 %}
    # HPKP: 5184000 = 60 days
    add_header Public-Key-Pins '{% for r in hpkpinfo.results %}pin-sha256="{{ r.stdout }}"; {% endfor %}max-age=5184000' always;
{% endif %}
    # HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
    add_header Strict-Transport-Security 'max-age=31536000' always;
    # CSP
    set $CSP "default-src 'none';";
    # unsafe-inline is for underscore template config snippet
    # unsafe-eval is for jQuery
    set $CSP "$CSP script-src 'self' 'unsafe-inline' 'unsafe-eval';";
    # unsafe-inline is for initial "opacity: 0" on body
    set $CSP "$CSP style-src 'self' 'unsafe-inline';";
    set $CSP "$CSP img-src 'self';";
    set $CSP "$CSP font-src 'self';";
    set $CSP "$CSP connect-src 'self';";
    add_header Content-Security-Policy "$CSP" always;
    add_header Cache-Control private;
{% endif %}
    # Various security headers not related to HTTPS
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection '1; mode=block' always;
    access_log /var/log/nginx/fruitbar.{{ umbrella }}.access.log;
    error_log /var/log/nginx/fruitbar.{{ umbrella }}.error.log;
    client_max_body_size 1M;
    keepalive_timeout 5;
    root /home/{{ user }}/webapps/fruitbar;
    location /static/ {
        access_log off;
        gzip on;
        gzip_types text/css application/javascript application/x-javascript text/javascript;
        gzip_vary on;
        expires max;
    }
    location / {
        proxy_pass http://fruitbar;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}