diff --git a/roles/reverse-proxy/files/ssl-headers.conf b/roles/reverse-proxy/files/ssl-headers.conf
new file mode 100644
index 0000000..a84a1ba
--- /dev/null
+++ b/roles/reverse-proxy/files/ssl-headers.conf
@@ -0,0 +1,3 @@
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+# add_header X-Robots-Tag "noindex, nofollow" always;
+add_header Set-Cookie "Path=/; HttpOnly; Secure";
diff --git a/roles/reverse-proxy/tasks/main.yml b/roles/reverse-proxy/tasks/main.yml
index a8dbe62..c901201 100644
--- a/roles/reverse-proxy/tasks/main.yml
+++ b/roles/reverse-proxy/tasks/main.yml
@@ -22,6 +22,15 @@
group: root
mode: '644'
register: nginx_template_reverse_proxy_conf_result
+
+ - name: Copy ssl-headers.conf to /etc/nginx/conf.d/ssl-headers.conf
+ copy:
+ src: files/ssl-headers.conf
+ dest: /etc/nginx/conf.d/ssl-headers.conf
+ owner: root
+ group: root
+ mode: '644'
+ register: nginx_copy_ssl_headers_conf_result
- name: Remove all enabled NGINX sites
file:
@@ -66,5 +75,5 @@
service:
name: nginx
# Reload if conf changed, if not make sure it is started
- state: "{{ (nginx_template_nginx_conf_result['changed'] or nginx_template_reverse_proxy_conf_result['changed']) | ternary('reloaded', 'started') }}"
+ state: "{{ (nginx_template_nginx_conf_result['changed'] or nginx_template_reverse_proxy_conf_result['changed'] or nginx_copy_ssl_headers_conf_result['changed']) | ternary('reloaded', 'started') }}"
enabled: yes
diff --git a/roles/reverse-proxy/templates/nginx.conf b/roles/reverse-proxy/templates/nginx.conf
index 2714ab2..8155e72 100644
--- a/roles/reverse-proxy/templates/nginx.conf
+++ b/roles/reverse-proxy/templates/nginx.conf
@@ -19,15 +19,10 @@ http {
tcp_nodelay on;
gzip off;
- types_hash_max_size 2048;
server_tokens off;
keepalive_timeout 30;
- # server_names_hash_bucket_size 64;
- # server_name_in_redirect off;
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
##
# SSL Settings
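Review bot: The `add_header Set-Cookie "Path=/; HttpOnly; Secure";` directive on the new file's last line does not secure anything: `add_header` appends a fixed response header, so every response gains a stray cookie named `Path` with value `/`, while cookies issued by the proxied application keep whatever flags the upstream gave them. Because this snippet is only included in `proxy_pass` locations, the nginx-side way to force the flags is to rewrite the upstream's cookies instead, `proxy_cookie_flags ~ secure httponly;` (nginx 1.19.3+; `proxy_cookie_path / "/; HttpOnly; Secure";` on older builds), and drop the `add_header Set-Cookie` line. Note the line also lacks `always`, so unlike the HSTS header it would only be emitted on 2xx/3xx responses. The HSTS value carries `includeSubDomains; preload`, which commits every subdomain to HTTPS for a year and, once submitted to the preload list, is effectively irrevocable; a comment such as `# includeSubDomains+preload is deliberate: all subdomains must be served over HTTPS` would record that this is intended.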
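Review bot: The snippet is installed into `/etc/nginx/conf.d/`, a directory that stock nginx packages include wholesale from the `http {}` block via `include /etc/nginx/conf.d/*.conf;`; if the role's `nginx.conf` template still contains that line (it is not visible in this diff), `ssl-headers.conf` is also loaded at http level and every location's explicit `include` becomes redundant, and if it does not, `conf.d` is a misleading home for a fragment this commit only ever includes explicitly. `dest: /etc/nginx/snippets/ssl-headers.conf` (with the `include` paths in the templates updated to match) is the conventional place and removes the ambiguity either way. Minor style point: within a role the `copy` module already searches `files/`, so `src: ssl-headers.conf` is the usual form.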
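Review bot: The reload condition on the `state:` line now ORs three registered results and has to be extended by hand every time another config-file task is added, which is easy to forget and silently leaves nginx serving stale config. The idiomatic Ansible form is a handler: put `notify: Reload nginx` on each template/copy task, keep this task as `state: started` / `enabled: true`, and add a `Reload nginx` handler with `state: reloaded`. While here, `enabled: yes` on the last context line should be `enabled: true` (yamllint `truthy`). The task's `- name:` line sits above the hunk.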
@@ -64,10 +59,6 @@ http {
resolver {{ reverse_proxy['resolver'] }};
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
- # add_header X-Robots-Tag "noindex, nofollow" always;
- add_header Set-Cookie "Path=/; HttpOnly; Secure";
-
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
diff --git a/roles/reverse-proxy/templates/reverse-proxy.conf b/roles/reverse-proxy/templates/reverse-proxy.conf
index 3bda6af..962ba52 100644
--- a/roles/reverse-proxy/templates/reverse-proxy.conf
+++ b/roles/reverse-proxy/templates/reverse-proxy.conf
@@ -30,12 +30,16 @@ server {
location = /.well-known/matrix/server {
default_type application/json;
+ return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
}
location = /.well-known/matrix/client {
default_type application/json;
+
+ include /etc/nginx/conf.d/ssl-headers.conf;
add_header Access-Control-Allow-Origin '*';
+ return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
}
@@ -67,13 +71,11 @@ server {
location / {
proxy_pass http://127.0.0.1:{{ ports['element'] }};
+ include /etc/nginx/conf.d/ssl-headers.conf;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
- add_header Set-Cookie "Path=/; HttpOnly; Secure";
}
}
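Review bot: `location = /.well-known/matrix/server` gets its `return 200` body but, unlike the `/client` location directly below, no `include /etc/nginx/conf.d/ssl-headers.conf;`, and since this commit also deletes the http-level `add_header Strict-Transport-Security` in `nginx.conf`, responses from that location will carry no HSTS header unless the enclosing `server {}` block (outside the hunk) sets its own. HSTS is per host, so the apex host's policy is then only learned from responses that happen to include the snippet. Adding the same `include` line here, or moving the HSTS `add_header` to the `server` level, closes the gap. Conversely, the `/client` location is a cookie-less `Access-Control-Allow-Origin '*'` JSON endpoint, so the `Set-Cookie` header the snippet injects there is pure noise.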
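Review bot: `add_header X-Frame-Options SAMEORIGIN;` and `add_header Content-Security-Policy "frame-ancestors 'none'";` in the same location state two different framing policies: CSP-aware browsers forbid all framing while older ones still allow same-origin framing; if framing is never wanted, `add_header X-Frame-Options DENY;` matches the CSP. `add_header X-XSS-Protection "1; mode=block";` is deprecated — the auditor it enables was removed from Chromium-based browsers, never existed in Firefox, and in engines that still honour it has been abused for cross-site leaks — so current guidance is `add_header X-XSS-Protection "0";` or dropping the header. Both are context lines on the new side of the hunk; only the `include` is new.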
@@ -121,8 +123,7 @@ server {
location / {
proxy_pass http://127.0.0.1:{{ ports['searxng'] }};
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
- add_header Set-Cookie "Path=/; HttpOnly; Secure";
+ include /etc/nginx/conf.d/ssl-headers.conf;
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
}
}
@@ -188,7 +189,5 @@ server {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
-
- client_max_body_size 525M;
}
}
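Review bot: SearXNG stores user preferences in cookies set by the application itself, and the snippet included on the new line does not touch them: `add_header Set-Cookie` adds a separate header rather than rewriting the upstream's, so the SearXNG cookies keep exactly the flags the application set. If the intent of the replaced `Set-Cookie` line was to force `Secure`/`HttpOnly` on them, the directive that does that is `proxy_cookie_flags ~ secure httponly;` next to `proxy_pass` (confirm first that the SearXNG front end does not need to read any cookie from JavaScript before adding `httponly`). The `location / {` block is complete within the hunk; the enclosing `server {` is not.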