snippet update

2021-08-08 06:51:55 +00:00
parent 8c5e3f9362
commit a02e65700c
6 changed files with 31 additions and 11 deletions
--- a/conf/default.conf
+++ b/conf/default.conf
@@ -5,14 +5,12 @@ server {

 # Dieser Server ist der Zugang zur "Nginx config und wird im 2. Openresty Server genutzt"
 server {
-    listen 8080;
+    listen 443 ssl;
    set $proxy_host theiaconf;
    set $proxy_port 3000;
    include ldap.conf;
-    include secure.conf;
-    add_header content-security-policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'";
-    add_header content-security-policy-report-only "default-src 'self' 'unsafe-inline' ";
-    include default_proxy.conf;
+    include ssl.conf;
+    include internal_proxy.conf;
 }


--- a/snippets/default_proxy.conf
+++ b/snippets/default_proxy.conf
@@ -1,5 +1,6 @@
 location / {
    include proxy.conf;
+    include secure.conf;
    proxy_buffering off;
    proxy_pass http://$proxy_host:$proxy_port;
 }
--- a/snippets/internal_proxy.conf
+++ b/snippets/internal_proxy.conf
@@ -0,0 +1,6 @@
+location / {
+    include proxy.conf;
+    include ldap.conf;
+    proxy_buffering off;
+    proxy_pass http://$proxy_host:$proxy_port;
+}
--- a/snippets/internal_sub_proxy.conf
+++ b/snippets/internal_sub_proxy.conf
@@ -0,0 +1,9 @@
+location /$proxy_location {
+    include ldap.conf;
+    rewrite_log on;
+    rewrite /$proxy_location/(.*) /$1 break;
+    rewrite ^/$proxy_location$ /$proxy_location/ permanent;
+    include proxy.conf;
+    proxy_buffering off;
+    proxy_pass http://$proxy_host:$proxy_port;
+}
--- a/snippets/secure.conf
+++ b/snippets/secure.conf
@@ -1,6 +1,10 @@

-        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'";
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header Referrer-Policy "strict-origin";
-        add_header Strict-Transport-Security "max-age=31536000" always;
+add_header Content-Security-Policy "default-src 'none'; img-src 'self'; \
+    script-src 'self'; style-src 'self' 'unsafe-inline'; \
+    font-src 'self'; base-uri 'self'; form-action 'self';\
+     connect-src 'self'; frame-ancestors 'none'";
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options DENY;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Referrer-Policy "strict-origin";
+add_header Strict-Transport-Security "max-age=31536000" always;
--- a/snippets/ssl.conf
+++ b/snippets/ssl.conf
@@ -11,4 +11,6 @@ ssl_certificate_by_lua_block {
    #   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
    #   -out /etc/ssl/resty-auto-ssl-fallback.crt
 ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
-ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
+ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
+ssl_protocols TLSv1.2 TLSv1.3;
+add_header Strict-Transport-Security "max-age=31536000" always;