planet: add CSP headers

dc52ca8e · Jelle van der Waa · 6c35b76a · dc52ca8e · dc52ca8e · dc52ca8e
Commit dc52ca8e authored Jan 19, 2019 by Jelle van der Waa 🚧
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -19,6 +19,7 @@
  with_items:
    - letsencrypt.conf
    - sslsettings.conf
+    - headers.conf
  notify:
    - reload nginx


--- a/roles/nginx/templates/headers.conf
+++ b/roles/nginx/templates/headers.conf
+map $scheme $hsts_header {
+    https   "max-age=31536000; includeSubdomains; preload";
+}
+
+add_header Strict-Transport-Security $hsts_header;
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -68,6 +68,7 @@ http {
    access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_http main;

    include snippets/sslsettings.conf;
+    include snippets/headers.conf;

    include nginx.d/*.conf;
 }
--- a/roles/nginx/templates/secureheaders.conf
+++ b/roles/nginx/templates/secureheaders.conf
+map $scheme $hsts_header {
+    https   "max-age=31536000; includeSubdomains; preload";
+}
+
+add_header Strict-Transport-Security $hsts_header;
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options "nosniff";
+add_header x-xss-protection "1; mode=block";
--- a/roles/nginx/templates/sslsettings.conf
+++ b/roles/nginx/templates/sslsettings.conf
@@ -11,9 +11,3 @@ ssl_session_tickets off;

 ssl_stapling on;
 ssl_stapling_verify on;
-
-map $scheme $hsts_header {
-    https   "max-age=31536000; includeSubdomains; preload";
-}
-
-add_header Strict-Transport-Security $hsts_header;
--- a/roles/planet/tasks/main.yml
+++ b/roles/planet/tasks/main.yml
@@ -3,6 +3,9 @@
 - name: install git, python2, libxslt
  pacman: name=git,python2,libxslt state=present

+- name: copy nginx header snipper
+  template: src=headers.conf dest=/etc/nginx/snippets/planet_headers.conf owner=root group=root mode=0644
+
 - name: set up nginx
  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/planet.conf owner=root group=root mode=0644
  notify:

--- a/roles/planet/templates/headers.conf
+++ b/roles/planet/templates/headers.conf
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options "nosniff";
+add_header x-xss-protection "1; mode=block";
+add_header content-security-policy "script-src 'none'; style-src 'unsafe-inline' www.archlinux.org;";
--- a/roles/planet/templates/nginx.d.conf.j2
+++ b/roles/planet/templates/nginx.d.conf.j2
@@ -7,6 +7,8 @@ server {
    error_log    /var/log/nginx/{{ planet_domain }}/error.log;

    include snippets/letsencrypt.conf;
+    include snippets/headers.conf;
+    include snippets/planet_headers.conf;

    location / {
        access_log off;
@@ -19,6 +21,9 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ planet_domain }};

+    include snippets/headers.conf;
+    include snippets/planet_headers.conf;
+
    access_log   /var/log/nginx/{{ planet_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ planet_domain }}/error.log;