Cleanup nginx configuration #1214

Open
bwbroersma opened this issue Dec 14, 2023 · 0 comments
Labels
discuss Requires further team discussion and decisions infrastructure-docker

Comments

@bwbroersma
Collaborator

See the issues:

and PRs:

So:

  • de-duplicate all 'default' headers in separate files:

    • http.headers:
      # default headers added to all responses
      add_header 'X-Frame-Options' 'SAMEORIGIN' always;
      add_header 'X-Content-Type-Options' 'nosniff' always;
      add_header 'X-Clacks-Overhead' 'GNU Terry Pratchett' always;
      add_header 'Referrer-Policy' 'same-origin' always;
      add_header 'X-XSS-Protection' '1; mode=block' always;
    • hsts.header (maybe also use the recommended two year instead of the current one?):
      # Do *not* add includeSubdomains before https://github.com/internetstandards/Internet.nl/issues/324 is resolved,
      # adding includeSubdomains without adding the wildcard SSL certificates will otherwise break the connection test.
      add_header 'Strict-Transport-Security' 'max-age=31536000;' always;
    • csp.header
      currently not in the nginx.conf, the csp.header.template should probably be:
      add_header Content-Security-Policy "base-uri 'self' https://*.${INTERNETNL_DOMAINNAME}; form-action 'self' https://*.${INTERNETNL_DOMAINNAME}; frame-ancestors 'none'; default-src 'self' https://*.${INTERNETNL_DOMAINNAME}";
    • could also have something like all.headers with:
      include http.headers;
      include hsts.header;
      include csp.header;
  • don't quote nginx header names (but it might be a style choice to discuss?), this is valid:

    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Clacks-Overhead 'GNU Terry Pratchett' always;
    add_header Referrer-Policy same-origin always;
    add_header X-XSS-Protection '1; mode=block' always;
    
    add_header Strict-Transport-Security max-age=63072000 always;
  • add regex-safe domain names (for nginx)

  • fix all regex domains (WIP Nginx more specific server_name #1179)

  • remove location regex where possible, e.g.:
    can be simplified to location /

  • set HSTS only in nginx (since it needs to be done in nginx, also doing it in django is an extra config)
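An added example, not code from the issue or from the Internet.nl repository, of how the separate header files proposed above could be wired into a server block. It shows several files concatenated with comment banners (the `conf.d/` paths, the `example.internet.nl` server_name, the upstream and the `/static/` location are all placeholders), and it illustrates the nginx `add_header` inheritance rule that makes the de-duplication worthwhile: a context inherits the `add_header` directives of its parent only when it defines none of its own, so a location that adds even one header of its own silently drops the whole shared set unless it re-includes it.

```nginx
# ---- conf.d/http.headers (assumed path): default headers, defined once ----
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-Clacks-Overhead 'GNU Terry Pratchett' always;
add_header Referrer-Policy same-origin always;
add_header X-XSS-Protection '1; mode=block' always;

# ---- conf.d/hsts.header (assumed path): two-year max-age as discussed ----
# No includeSubDomains here, for the reason given in the issue (#324 not resolved).
add_header Strict-Transport-Security max-age=63072000 always;

# ---- conf.d/csp.header.template (assumed path) ----
# ${INTERNETNL_DOMAINNAME} is substituted into csp.header before nginx starts,
# as the issue implies for the .template file; 'always' is added here so the
# policy is also sent on error responses.
add_header Content-Security-Policy "base-uri 'self' https://*.${INTERNETNL_DOMAINNAME}; form-action 'self' https://*.${INTERNETNL_DOMAINNAME}; frame-ancestors 'none'; default-src 'self' https://*.${INTERNETNL_DOMAINNAME}" always;

# ---- conf.d/all.headers (assumed path): the single include everything uses ----
include conf.d/http.headers;
include conf.d/hsts.header;
include conf.d/csp.header;

# ---- conf.d/site.conf (assumed path) ----
server {
    listen 443 ssl;
    server_name example.internet.nl;   # placeholder, not the project's real name

    include conf.d/all.headers;        # shared set, declared once at server level

    location / {
        # No add_header in this context, so the server-level headers are inherited.
        proxy_pass http://app:8080;    # placeholder upstream
    }

    location /static/ {
        # This context defines its own add_header, which discards every inherited
        # header. Re-include the shared set first so none of them go missing.
        include conf.d/all.headers;
        add_header Cache-Control "public, max-age=3600" always;
        root /srv/www;                 # placeholder document root
    }
}
```

With the shared set living in one file, the check before deploying becomes mechanical: every `location` (or `if`) block that contains an `add_header` of its own must also contain `include conf.d/all.headers;`, and `nginx -T` on the assembled configuration shows whether each context ends up with the full set.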

@bwbroersma bwbroersma added the discuss Requires further team discussion and decisions label Dec 14, 2023