Commit
dc52ca8e
authored
Jan 19, 2019
by
Jelle van der Waa
planet: add CSP headers
parent
6c35b76a
Changes
8
roles/nginx/tasks/main.yml
...
...
@@ -19,6 +19,7 @@
with_items
:
-
letsencrypt.conf
-
sslsettings.conf
-
headers.conf
notify
:
-
reload nginx
...
...
roles/nginx/templates/headers.conf
0 → 100644
map
$
scheme
$
hsts_header
{
https
"max-age=31536000; includeSubdomains; preload"
;
}
add_header
Strict
-
Transport
-
Security
$
hsts_header
;
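Review bot: The `add_header Strict-Transport-Security $hsts_header;` line has no `always` parameter, so nginx attaches the header only to its fixed list of success and redirect status codes and leaves it off 4xx/5xx responses. I would write `add_header Strict-Transport-Security $hsts_header always;`. The same applies to the `add_header` lines in roles/nginx/templates/secureheaders.conf and roles/planet/templates/headers.conf. A short comment above the `map` block, such as `# map is only valid in the http context; include this snippet there`, would also help, because this file is written to be included from other configs.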
roles/nginx/templates/nginx.conf.j2
...
...
@@ -68,6 +68,7 @@ http {
access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_http main;
include snippets/sslsettings.conf;
include snippets/headers.conf;
include nginx.d/*.conf;
}
roles/nginx/templates/secureheaders.conf
0 → 100644
map
$
scheme
$
hsts_header
{
https
"max-age=31536000; includeSubdomains; preload"
;
}
add_header
Strict
-
Transport
-
Security
$
hsts_header
;
add_header
X
-
Frame
-
Options
"SAMEORIGIN"
;
add_header
X
-
Content
-
Type
-
Options
"nosniff"
;
add_header
x
-
xss
-
protection
"1; mode=block"
;
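Review bot: Nothing in the files shown on this page installs or includes secureheaders.conf: the nginx role's `with_items` list gains only `headers.conf`, and the templates include only `snippets/headers.conf` and `snippets/planet_headers.conf`. As committed, the file looks unused, and it repeats the `map $scheme $hsts_header` block from headers.conf, so the two copies can drift apart. Either drop it from this commit or add it to the `with_items` list and include it where intended, keeping the `map` in one file only. If it stays, a header comment stating which vhosts should include it would make the intent clear.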
roles/nginx/templates/sslsettings.conf
...
...
@@ -11,9 +11,3 @@ ssl_session_tickets off;
ssl_stapling
on
;
ssl_stapling_verify
on
;
map
$
scheme
$
hsts_header
{
https
"max-age=31536000; includeSubdomains; preload"
;
}
add_header
Strict
-
Transport
-
Security
$
hsts_header
;
roles/planet/tasks/main.yml
...
...
@@ -3,6 +3,9 @@
-
name
:
install git, python2, libxslt
pacman
:
name=git,python2,libxslt state=present
-
name
:
copy nginx header snipper
template
:
src=headers.conf dest=/etc/nginx/snippets/planet_headers.conf owner=root group=root mode=0644
-
name
:
set up nginx
template
:
src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/planet.conf owner=root group=root mode=0644
notify
:
...
...
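Review bot: The new "copy nginx header snipper" task has no `notify`, so a later change to planet_headers.conf alone would be written to disk without nginx being reloaded, and the old security headers would keep being served. I would add `notify:` with `- reload nginx` to the task, matching the handler name used in roles/nginx/tasks/main.yml. The handler list of the following "set up nginx" task is cut off in this view, so confirm the name against it. The task name also has a typo, "snipper" for "snippet".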
roles/planet/templates/headers.conf
0 → 100644
add_header
X
-
Frame
-
Options
"SAMEORIGIN"
;
add_header
X
-
Content
-
Type
-
Options
"nosniff"
;
add_header
x
-
xss
-
protection
"1; mode=block"
;
add_header
content
-
security
-
policy
"script-src 'none'; style-src 'unsafe-inline' www.archlinux.org;"
;
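Review bot: The `content-security-policy` value sets only `script-src` and `style-src` and has no `default-src`, so every other fetch directive (`object-src`, `frame-src`, `img-src` and so on) stays unrestricted, as does `base-uri`, which does not fall back to `default-src` in any case. If a blanket `default-src 'self'` would break the remote images an aggregator page needs, the policy can still be tightened with `object-src 'none'; base-uri 'none';` appended to the existing string. `style-src 'unsafe-inline'` also allows any injected inline style. If the planet templates do not need inline styles, listing only `www.archlinux.org` would be stricter. A comment above the header explaining why each source is allowed would help the next person who edits the policy.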
roles/planet/templates/nginx.d.conf.j2
...
...
@@ -7,6 +7,8 @@ server {
error_log /var/log/nginx/{{ planet_domain }}/error.log;
include snippets/letsencrypt.conf;
include snippets/headers.conf;
include snippets/planet_headers.conf;
location / {
access_log off;
...
...
@@ -19,6 +21,9 @@ server {
listen [::]:443 ssl http2;
server_name {{ planet_domain }};
include snippets/headers.conf;
include snippets/planet_headers.conf;
access_log /var/log/nginx/{{ planet_domain }}/access.log reduced;
error_log /var/log/nginx/{{ planet_domain }}/error.log;
...
...
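Review bot: `include snippets/headers.conf;` inside the `server` blocks pulls in a file that, as added under roles/nginx/templates/headers.conf, begins with a `map $scheme $hsts_header { … }` block. nginx accepts `map` only in the `http` context, so `nginx -t` is likely to reject this vhost. The same snippet is already included at `http` level in nginx.conf.j2. The re-include is presumably there because the `add_header` lines in planet_headers.conf stop the `http`-level `add_header` from being inherited. To keep that, leave the `map` in an `http`-only file and put just `add_header Strict-Transport-Security $hsts_header;` in the snippet that `server` blocks include. Both hunks cut through their `server` blocks, so this is based only on the lines visible here.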