From 54261953e711e67e4ee28f788ea35bcab0e86654 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 30 Mar 2016 21:45:43 +0300
Subject: Set HTTP security headers.

See https://securityheaders.io .
---
 roles/common-web/files/etc/nginx/sites-available/default | 1 +
 roles/common-web/files/etc/nginx/snippets/headers.conf | 4 ++++
 roles/common-web/tasks/main.yml | 1 +
 roles/git/files/etc/nginx/sites-available/git | 2 ++
 roles/lists/files/etc/nginx/sites-available/sympa | 2 ++
 roles/munin-master/files/etc/nginx/sites-available/munin | 2 ++
 roles/webmail/files/etc/nginx/sites-available/roundcube | 2 ++
 roles/wiki/files/etc/nginx/sites-available/website | 2 ++
 roles/wiki/files/etc/nginx/sites-available/wiki | 2 ++
 9 files changed, 18 insertions(+)
 create mode 100644 roles/common-web/files/etc/nginx/snippets/headers.conf
(limited to 'roles')

diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default
index 6df1615..6cbea18 100644
--- a/roles/common-web/files/etc/nginx/sites-available/default
+++ b/roles/common-web/files/etc/nginx/sites-available/default
@@ -8,4 +8,5 @@ server {
 # serve ACME challenges on all virtual hosts
 # /!\ need to be served individually for each explicit virtual host as well!
 include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
 }
diff --git a/roles/common-web/files/etc/nginx/snippets/headers.conf b/roles/common-web/files/etc/nginx/snippets/headers.conf
new file mode 100644
index 0000000..60e5ace
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/snippets/headers.conf
@@ -0,0 +1,4 @@
+# https://securityheaders.io/
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index fb6bb2d..02b7134 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
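Review bot: The three `add_header` directives in headers.conf are attached only to 2xx and 3xx responses, so 4xx/5xx pages from every host that now includes the snippet go out without X-Frame-Options and X-Content-Type-Options; on nginx 1.7.5 or later the `always` flag closes that gap, e.g. `add_header X-Frame-Options "SAMEORIGIN" always;`, provided the deployed version supports it. A second caveat worth a comment at the top of the snippet: nginx inherits `add_header` from the `server` level only into `location` blocks that set no `add_header` of their own, so any location in the git, sympa, munin, roundcube, website or wiki sites (or inside the included `snippets/ssl.conf`, none of which are visible here) that adds its own header silently loses this whole set unless the snippet is included there as well. `X-XSS-Protection "1; mode=block"` is no longer recommended by current browser and OWASP guidance, as the filter it enables has been removed from most engines; it is best treated as optional and dropped or set to `0` when the configuration is next revisited.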
@@ -19,6 +19,7 @@
 - fastcgi-php.conf
 - fastcgi-php-ssl.conf
 - ssl.conf
+ - headers.conf
 - acme-challenge.conf
 notify:
 - Restart Nginx
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index a78ef3f..fbbbb48 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -5,6 +5,7 @@ server {
 server_name git.fripost.org;
 include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
 access_log /var/log/nginx/git.access.log;
 error_log /var/log/nginx/git.error.log info;
@@ -22,6 +23,7 @@ server {
 server_name git.fripost.org;
 include snippets/ssl.conf;
+ include snippets/headers.conf;
 ssl_certificate /etc/nginx/ssl/git.fripost.org.pem;
 ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index bcf1d22..7684867 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -5,6 +5,7 @@ server {
 server_name lists.fripost.org;
 include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
 access_log /var/log/nginx/lists.access.log;
 error_log /var/log/nginx/lists.error.log info;
@@ -25,6 +26,7 @@ server {
 error_log /var/log/nginx/lists.error.log info;
 include snippets/ssl.conf;
+ include snippets/headers.conf;
 ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem;
 ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
diff --git a/roles/munin-master/files/etc/nginx/sites-available/munin b/roles/munin-master/files/etc/nginx/sites-available/munin
index d1cbda0..7b0b789 100644
--- a/roles/munin-master/files/etc/nginx/sites-available/munin
+++ b/roles/munin-master/files/etc/nginx/sites-available/munin
@@ -11,6 +11,8 @@ server {
 access_log /var/log/nginx/munin.access.log;
 error_log /var/log/nginx/munin.error.log info;
+ include snippets/headers.conf;
+
 location = / {
 return 302 /munin$args;
 }
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 304b05d..ee6ff20 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -7,6 +7,7 @@ server {
 server_name webmail.fripost.org;
 include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
 access_log /var/log/nginx/roundcube.access.log;
 error_log /var/log/nginx/roundcube.error.log info;
@@ -27,6 +28,7 @@ server {
 root /var/lib/roundcube;
 include snippets/ssl.conf;
+ include snippets/headers.conf;
 ssl_certificate /etc/nginx/ssl/mail.fripost.org.pem;
 ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key;
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index 5d382ec..43cdd05 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -6,6 +6,7 @@ server {
 server_name www.fripost.org;
 include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
 access_log /var/log/nginx/www.access.log;
 error_log /var/log/nginx/www.error.log info;
@@ -24,6 +25,7 @@ server {
 server_name www.fripost.org;
 include snippets/ssl.conf;
+ include snippets/headers.conf;
 ssl_certificate /etc/nginx/ssl/www.fripost.org.pem;
 ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index d61ff28..d2be8db 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -5,6 +5,7 @@ server {
 server_name wiki.fripost.org;
 include snippets/acme-challenge.conf;
+ include snippets/headers.conf;
 access_log /var/log/nginx/wiki.access.log;
 error_log /var/log/nginx/wiki.error.log info;
@@ -23,6 +24,7 @@ server {
 server_name wiki.fripost.org;
 include snippets/ssl.conf;
+ include snippets/headers.conf;
 ssl_certificate /etc/nginx/ssl/www.fripost.org.pem;
 ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
--
cgit v1.2.3