diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2016-03-30 21:45:43 +0300 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2016-03-30 21:45:43 +0300 |
| commit | 54261953e711e67e4ee28f788ea35bcab0e86654 (patch) | |
| tree | 69eef65ef208b2a27b157d404c96b0d4051e2b5b | |
| parent | f81d8c68ba20100c13859ed522c41bed4f27d88b (diff) | |
Set HTTP security headers.
See https://securityheaders.io .
9 files changed, 18 insertions, 0 deletions
diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default index 6df1615..6cbea18 100644 --- a/roles/common-web/files/etc/nginx/sites-available/default +++ b/roles/common-web/files/etc/nginx/sites-available/default @@ -1,11 +1,12 @@ server { listen 80 default_server; listen [::]:80 default_server; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log info; # serve ACME challenges on all virtual hosts # /!\ need to be served individually for each explicit virtual host as well! include snippets/acme-challenge.conf; + include snippets/headers.conf; } diff --git a/roles/common-web/files/etc/nginx/snippets/headers.conf b/roles/common-web/files/etc/nginx/snippets/headers.conf new file mode 100644 index 0000000..60e5ace --- /dev/null +++ b/roles/common-web/files/etc/nginx/snippets/headers.conf @@ -0,0 +1,4 @@ +# https://securityheaders.io/ +add_header X-Frame-Options "SAMEORIGIN"; +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml index fb6bb2d..02b7134 100644 --- a/roles/common-web/tasks/main.yml +++ b/roles/common-web/tasks/main.yml @@ -2,40 +2,41 @@ apt: pkg=nginx - name: Limit Nginx logging lineinfile: "dest=/etc/logrotate.d/nginx create=yes regexp='^\\s*rotate\\s' line='\trotate 1'" tags: - logrotate - name: Copy fastcgi parameters, acme-challenge and SSL configuration snippets copy: src=etc/nginx/snippets/{{ item }} dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0644 register: r1 with_items: - fastcgi.conf - fastcgi-php.conf - fastcgi-php-ssl.conf - ssl.conf + - headers.conf - acme-challenge.conf notify: - Restart Nginx - name: Copy /etc/nginx/sites-available/default copy: src=etc/nginx/sites-available/default dest=/etc/nginx/sites-available/default owner=root group=root mode=0644 register: r2 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/default file: src=../sites-available/default dest=/etc/nginx/sites-enabled/default owner=root group=root state=link force=yes register: r3 notify: diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git index a78ef3f..fbbbb48 100644 --- a/roles/git/files/etc/nginx/sites-available/git +++ b/roles/git/files/etc/nginx/sites-available/git @@ -1,44 +1,46 @@ server { listen 80; listen [::]:80; server_name git.fripost.org; include snippets/acme-challenge.conf; + include snippets/headers.conf; access_log /var/log/nginx/git.access.log; error_log /var/log/nginx/git.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name git.fripost.org; include snippets/ssl.conf; + include snippets/headers.conf; ssl_certificate /etc/nginx/ssl/git.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key; access_log /var/log/nginx/git.access.log; error_log /var/log/nginx/git.error.log info; location ^~ /static/ { alias /usr/share/cgit/; expires 30d; } # Bypass the CGI to return static files stored on disk. Try first repo with # a trailing '.git', then without. location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" { root /var/lib/gitolite/repositories; try_files /$1.git/objects/$2 /$1/objects/$2 =404; expires 30d; gzip off; # TODO honor git-daemon-export-ok } diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa index bcf1d22..7684867 100644 --- a/roles/lists/files/etc/nginx/sites-available/sympa +++ b/roles/lists/files/etc/nginx/sites-available/sympa @@ -1,47 +1,49 @@ server { listen 80; listen [::]:80; server_name lists.fripost.org; include snippets/acme-challenge.conf; + include snippets/headers.conf; access_log /var/log/nginx/lists.access.log; error_log /var/log/nginx/lists.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name lists.fripost.org; access_log /var/log/nginx/lists.access.log; error_log /var/log/nginx/lists.error.log info; include snippets/ssl.conf; + include snippets/headers.conf; ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key; location = / { return 302 /sympa$args; } location ^~ /static-sympa/ { alias /var/lib/sympa/static_content/; expires 30d; } location ^~ /sympa { fastcgi_split_path_info ^(/sympa)(.*)$; include snippets/fastcgi.conf; fastcgi_pass unix:/run/wwsympa.socket; gzip off; } diff --git a/roles/munin-master/files/etc/nginx/sites-available/munin b/roles/munin-master/files/etc/nginx/sites-available/munin index d1cbda0..7b0b789 100644 --- a/roles/munin-master/files/etc/nginx/sites-available/munin +++ b/roles/munin-master/files/etc/nginx/sites-available/munin @@ -1,33 +1,35 @@ server { listen 127.0.0.1:80; listen [::1]:80; server_name munin.fripost.org; allow 127.0.0.0/8; allow ::1/128; deny all; access_log /var/log/nginx/munin.access.log; error_log /var/log/nginx/munin.error.log info; + include snippets/headers.conf; + location = / { return 302 /munin$args; } location /munin/static/ { alias /etc/munin/static/; } location /munin-cgi/munin-cgi-graph/ { fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*); include snippets/fastcgi.conf; fastcgi_pass unix:/run/munin/cgi-graph.socket; gzip off; } location /munin/ { fastcgi_split_path_info ^(/munin)(.*); include snippets/fastcgi.conf; fastcgi_pass unix:/run/munin/cgi-html.socket; gzip off; diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index 304b05d..ee6ff20 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -1,49 +1,51 @@ server { listen 80; listen [::]:80; server_name mail.fripost.org; server_name webmail.fripost.org; include snippets/acme-challenge.conf; + include snippets/headers.conf; access_log /var/log/nginx/roundcube.access.log; error_log /var/log/nginx/roundcube.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name mail.fripost.org; server_name webmail.fripost.org; root /var/lib/roundcube; include snippets/ssl.conf; + include snippets/headers.conf; ssl_certificate /etc/nginx/ssl/mail.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key; location = /favicon.ico { root /usr/share/roundcube/skins/default/images; log_not_found off; access_log off; expires max; } location = /robots.txt { allow all; log_not_found off; access_log off; } # Deny all attempts to access hidden files, or files under hidden # directories. location ~ /\. { return 404; } diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website index 5d382ec..43cdd05 100644 --- a/roles/wiki/files/etc/nginx/sites-available/website +++ b/roles/wiki/files/etc/nginx/sites-available/website @@ -1,46 +1,48 @@ server { listen 80; listen [::]:80; server_name fripost.org; server_name www.fripost.org; include snippets/acme-challenge.conf; + include snippets/headers.conf; access_log /var/log/nginx/www.access.log; error_log /var/log/nginx/www.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name fripost.org; server_name www.fripost.org; include snippets/ssl.conf; + include snippets/headers.conf; ssl_certificate /etc/nginx/ssl/www.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; access_log /var/log/nginx/www.access.log; error_log /var/log/nginx/www.error.log info; location / { try_files $uri $uri/ =404; index index.html; root /var/lib/ikiwiki/public_html/fripost-wiki/website; } location /static/ { alias /var/lib/ikiwiki/public_html/fripost-wiki/static/; expires 30d; } location /material/ { alias /var/www/fripost.org/material/; expires 30d; } location /minutes/ { diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki index d61ff28..d2be8db 100644 --- a/roles/wiki/files/etc/nginx/sites-available/wiki +++ b/roles/wiki/files/etc/nginx/sites-available/wiki @@ -1,45 +1,47 @@ server { listen 80; listen [::]:80; server_name wiki.fripost.org; include snippets/acme-challenge.conf; + include snippets/headers.conf; access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name wiki.fripost.org; include snippets/ssl.conf; + include snippets/headers.conf; ssl_certificate /etc/nginx/ssl/www.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } try_files $uri $uri/ =404; index index.html; root /var/lib/ikiwiki/public_html/fripost-wiki; } location = /ikiwiki.cgi { fastcgi_param DOCUMENT_ROOT /var/lib/ikiwiki/public_html/fripost-wiki; fastcgi_param SCRIPT_FILENAME /var/lib/ikiwiki/public_html/ikiwiki.cgi; fastcgi_index ikiwiki.cgi; include snippets/fastcgi.conf; fastcgi_pass unix:/var/run/fcgiwrap.socket; gzip off; |