summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--roles/common-web/files/etc/nginx/sites-available/default1
-rw-r--r--roles/common-web/files/etc/nginx/snippets/headers.conf4
-rw-r--r--roles/common-web/tasks/main.yml1
-rw-r--r--roles/git/files/etc/nginx/sites-available/git2
-rw-r--r--roles/lists/files/etc/nginx/sites-available/sympa2
-rw-r--r--roles/munin-master/files/etc/nginx/sites-available/munin2
-rw-r--r--roles/webmail/files/etc/nginx/sites-available/roundcube2
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/website2
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/wiki2
9 files changed, 18 insertions, 0 deletions
diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default
index 6df1615..6cbea18 100644
--- a/roles/common-web/files/etc/nginx/sites-available/default
+++ b/roles/common-web/files/etc/nginx/sites-available/default
@@ -8,4 +8,5 @@ server {
# serve ACME challenges on all virtual hosts
# /!\ need to be served individually for each explicit virtual host as well!
include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
}
diff --git a/roles/common-web/files/etc/nginx/snippets/headers.conf b/roles/common-web/files/etc/nginx/snippets/headers.conf
new file mode 100644
index 0000000..60e5ace
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/snippets/headers.conf
@@ -0,0 +1,4 @@
+# https://securityheaders.io/
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index fb6bb2d..02b7134 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
@@ -19,6 +19,7 @@
- fastcgi-php.conf
- fastcgi-php-ssl.conf
- ssl.conf
+ - headers.conf
- acme-challenge.conf
notify:
- Restart Nginx
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index a78ef3f..fbbbb48 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -5,6 +5,7 @@ server {
server_name git.fripost.org;
include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
access_log /var/log/nginx/git.access.log;
error_log /var/log/nginx/git.error.log info;
@@ -22,6 +23,7 @@ server {
server_name git.fripost.org;
include snippets/ssl.conf;
+ include snippets/headers.conf;
ssl_certificate /etc/nginx/ssl/git.fripost.org.pem;
ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index bcf1d22..7684867 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -5,6 +5,7 @@ server {
server_name lists.fripost.org;
include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
access_log /var/log/nginx/lists.access.log;
error_log /var/log/nginx/lists.error.log info;
@@ -25,6 +26,7 @@ server {
error_log /var/log/nginx/lists.error.log info;
include snippets/ssl.conf;
+ include snippets/headers.conf;
ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem;
ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
diff --git a/roles/munin-master/files/etc/nginx/sites-available/munin b/roles/munin-master/files/etc/nginx/sites-available/munin
index d1cbda0..7b0b789 100644
--- a/roles/munin-master/files/etc/nginx/sites-available/munin
+++ b/roles/munin-master/files/etc/nginx/sites-available/munin
@@ -11,6 +11,8 @@ server {
access_log /var/log/nginx/munin.access.log;
error_log /var/log/nginx/munin.error.log info;
+ include snippets/headers.conf;
+
location = / {
return 302 /munin$args;
}
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 304b05d..ee6ff20 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -7,6 +7,7 @@ server {
server_name webmail.fripost.org;
include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
access_log /var/log/nginx/roundcube.access.log;
error_log /var/log/nginx/roundcube.error.log info;
@@ -27,6 +28,7 @@ server {
root /var/lib/roundcube;
include snippets/ssl.conf;
+ include snippets/headers.conf;
ssl_certificate /etc/nginx/ssl/mail.fripost.org.pem;
ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key;
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index 5d382ec..43cdd05 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -6,6 +6,7 @@ server {
server_name www.fripost.org;
include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
access_log /var/log/nginx/www.access.log;
error_log /var/log/nginx/www.error.log info;
@@ -24,6 +25,7 @@ server {
server_name www.fripost.org;
include snippets/ssl.conf;
+ include snippets/headers.conf;
ssl_certificate /etc/nginx/ssl/www.fripost.org.pem;
ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index d61ff28..d2be8db 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -5,6 +5,7 @@ server {
server_name wiki.fripost.org;
include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
access_log /var/log/nginx/wiki.access.log;
error_log /var/log/nginx/wiki.error.log info;
@@ -23,6 +24,7 @@ server {
server_name wiki.fripost.org;
include snippets/ssl.conf;
+ include snippets/headers.conf;
ssl_certificate /etc/nginx/ssl/www.fripost.org.pem;
ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;