
Merge pull request #10 from beabee-communityrm/feat/csp
feat: add support for embedding and global gzip
wpf500 authored Sep 20, 2023
2 parents e107e69 + 5b24541 commit 51b69b5
Showing 4 changed files with 36 additions and 10 deletions.
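--- a/15-trusted-origins.envsh
+++ b/15-trusted-origins.envsh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# This script converts the TRUSTED_ORIGINS variable from the comma
+# separated format beabee expects for lists, to the space separated
+# on that the Content-Security-Policy header exports.
+# It must be ahead of 20-envsubst-on-templates.sh
+
+TRUSTED_ORIGINS=${TRUSTED_ORIGINS//,/ }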
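Review bot: `${TRUSTED_ORIGINS//,/ }` on the last line is a bash/ksh pattern substitution that POSIX `sh` does not define, yet the file declares `#!/bin/sh` and, as an `.envsh` file under `/docker-entrypoint.d/`, is presumably sourced by the image's entrypoint under BusyBox `ash`; whether that works depends on `ash` being built with bash-compat, which is worth confirming on `nginx:1.24-alpine` rather than assuming. A portable form with the same result is `TRUSTED_ORIGINS=$(printf '%s' "$TRUSTED_ORIGINS" | tr ',' ' ')`. When the variable is unset the assignment leaves it empty, which (if I read the CSP source-list rules right) makes the later `frame-ancestors` directive match nothing, so framing is denied; that fail-closed behaviour deserves a comment such as `# Unset/empty TRUSTED_ORIGINS yields an empty source list, i.e. framing is denied.` The header comment also has a typo: `on that` should read `one that`.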
2 changes: 2 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
FROM nginx:1.24-alpine

COPY 15-trusted-origins.envsh /docker-entrypoint.d/
COPY sec_headers /etc/nginx/sec_headers
COPY nginx.conf /etc/nginx/templates/default.conf.template
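Review bot: `COPY 15-trusted-origins.envsh /docker-entrypoint.d/` relies on the file arriving with its executable bit set, because the nginx image's entrypoint, as far as I recall it, sources `*.envsh` files only when they are executable and otherwise logs that it ignored them, in which case `TRUSTED_ORIGINS` would still contain commas when `envsubst` renders the template. `COPY` keeps the mode from the build context, so this silently depends on the bit being committed to git; making it explicit with `COPY --chmod=0755 15-trusted-origins.envsh /docker-entrypoint.d/` (BuildKit) removes that dependency. The `sec_headers` copy is fine as a plain include file and needs no mode.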

32 changes: 22 additions & 10 deletions nginx.conf
Original file line number Diff line number Diff line change
Expand Up @@ -11,31 +11,37 @@ server {
proxy_cookie_domain ${LEGACY_APP_COOKIE_DOMAIN} $host;

# Redirect old URLs to new ones

absolute_redirect off;
rewrite ^/login/?$ /auth/login permanent;

# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "strict-origin";
# Gzip compression

gzip on;
gzip_vary on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss image/svg+xml;

# Frontend app
# Frontend

location ~ ^/(assets|profile|contacts|callouts|join|auth|admin|_theme) {
# Proxy scrapers to legacy app for metadata
if ($http_user_agent ~* "linkedinbot|googlebot|yahoo|bingbot|baiduspider|yandex|yeti|yodaobot|gigabot|ia_archiver|facebookexternalhit|twitterbot|developers\.google\.com") {
proxy_pass $legacy_app/share?uri=$request_uri;
}
gzip on;
gzip_vary on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss image/svg+xml;

include sec_headers;
add_header Content-Security-Policy "frame-ancestors ${TRUSTED_ORIGINS}";
# add_header Content-Security-Policy "default-src 'self'; font-src 'self' data: https://use.typekit.net; style-src 'self' 'unsafe-inline'; script-src 'self' https://js.stripe.com; frame-src https://js.stripe.com; connect-src 'self' https://api.stripe.com";

proxy_pass $frontend_app;
}

# The rest

include sec_headers;
add_header Content-Security-Policy "frame-ancestors 'none'";
#add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'"

location ~ ^/(robots\.txt|android-chrome|apple-touch-icon\.png|browserconfig\.xml|favicon|mstile|safari-pinned-tab\.svg|site\.webmanifest) {
proxy_pass $legacy_app;
access_log off;
Expand All @@ -47,7 +53,13 @@ server {
proxy_pass $legacy_app;
}

location /api {
proxy_pass $legacy_app;
}

location / {
#include sec_headers;
#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
proxy_pass $legacy_app;
}
}
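Review bot: The switch to `frame-ancestors` appears to drop `X-Frame-Options` entirely (it leaves with the old server-level header block in the first hunk and is not in `sec_headers`), so user agents without CSP Level 2 support lose clickjacking protection; for the default server scope, where the policy is `'none'`, keeping `add_header X-Frame-Options "DENY";` next to the `frame-ancestors 'none'` line is a free fallback, while in the embeddable location it cannot express an origin list, so omitting it there is correct. Both new `Content-Security-Policy` lines are also added without `always`, which means nginx omits them on 4xx/5xx responses proxied from the upstream; `add_header Content-Security-Policy "frame-ancestors 'none'" always;` covers error pages too. The `server {` block containing both hunks starts outside the first hunk. The repeated `include sec_headers;` inside the `location ~ ^/(assets|...)` block is required rather than redundant, because nginx stops inheriting `add_header` as soon as a level declares its own; a one-line comment saying so would stop a later reader from "cleaning it up".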
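--- a/sec_headers
+++ b/sec_headers
@@ -0,0 +1,4 @@
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options "nosniff";
+add_header Referrer-Policy "strict-origin";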
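Review bot: `add_header X-XSS-Protection "1; mode=block";` turns on a legacy browser XSS auditor that current guidance (MDN/OWASP) recommends disabling, since Chromium removed it and the filtering mode was itself a source of information-leak issues in older browsers; the safer value is `add_header X-XSS-Protection "0";`, with `Content-Security-Policy` doing the real work. None of the four directives carry `always`, so nginx only sends them with 2xx/3xx responses; appending `always` to each line ensures proxied error pages also carry HSTS and `nosniff`. A header comment describing this file as the shared header set that each location must include itself (because nginx does not inherit `add_header` once a location adds its own) would explain why it exists as a separate file.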
