rework security header
parent
4a78bf2e3a
commit
701d2282a8
@ -90,6 +90,7 @@ nginx_csp_enabled: False
|
|||||||
|
|
||||||
nginx_xxxsp_enabled: True
|
nginx_xxxsp_enabled: True
|
||||||
nginx_xxxsp_parameters:
|
nginx_xxxsp_parameters:
|
||||||
|
- 1
|
||||||
- mode=block
|
- mode=block
|
||||||
|
|
||||||
nginx_maps: []
|
nginx_maps: []
|
||||||
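Review bot: Moving `- 1` into `nginx_xxxsp_parameters` makes the header's mode depend on users keeping that element when they override the list, because the header.conf hunk on this page no longer prefixes `1;` itself; an override of just `[mode=block]` renders `X-XSS-Protection "mode=block"`, which is not a valid value. A comment on the default would make the contract explicit: `# first element is the X-XSS-Protection mode (0 or 1); the template emits this list verbatim`. Note also that the OWASP page the template now links to currently recommends `X-XSS-Protection: 0`, since the legacy filter has been removed from current browsers; whether the default should follow that is worth a decision in this commit.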
@ -162,13 +163,16 @@ nginx_vhosts_default:
|
|||||||
# - match: /
|
# - match: /
|
||||||
# root: /var/www/vhosts/default
|
# root: /var/www/vhosts/default
|
||||||
# index: index.html
|
# index: index.html
|
||||||
|
# add_headers: []
|
||||||
# proxy_pass:
|
# proxy_pass:
|
||||||
# proxy_http_version: "1.1"
|
# proxy_http_version: "1.1"
|
||||||
# proxy_buffering: "off"
|
# proxy_buffering: "off"
|
||||||
# proxy_connect_timeout: 3600s
|
# proxy_connect_timeout: 3600s
|
||||||
# proxy_read_timeout: 3600s
|
# proxy_read_timeout: 3600s
|
||||||
# proxy_send_timeout: 3600s
|
# proxy_send_timeout: 3600s
|
||||||
# proxy_headers: []
|
# proxy_set_headers: []
|
||||||
|
# proxy_hide_headers: []
|
||||||
|
# proxy_ignore_headers: []
|
||||||
# proxy_intercept_errors: "off"
|
# proxy_intercept_errors: "off"
|
||||||
# custom_options:
|
# custom_options:
|
||||||
# custom_options:
|
# custom_options:
|
||||||
|
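Review bot: Renaming the example key from `proxy_headers` to `proxy_set_headers` (and the matching condition in the `@ -73,10 +81,22 @@` hunk of the vhost template) silently disables header forwarding for any inventory still using `proxy_headers`: the old key is no longer read, no error is raised, and the `proxy_set_header` lines simply disappear from the generated vhost. Either keep a fallback in the template, `{% set set_headers = location.proxy_set_headers | default(location.proxy_headers | default([])) %}`, or document the rename here: `# renamed from proxy_headers; the old key is ignored`. The duplicated `# custom_options:` stub at the end of the example predates this change but could be dropped at the same time.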
@ -2,28 +2,28 @@
|
|||||||
{{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
# protect against protocol downgrading and cookie hijacking
|
# protect against protocol downgrading and cookie hijacking
|
||||||
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
|
# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
|
||||||
{% if nginx_tls_hsts_enabled and nginx_hsts_options is defined%}
|
{% if nginx_tls_hsts_enabled and nginx_hsts_options is defined%}
|
||||||
add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}";
|
add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}" always;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# improve the protection against Clickjacking
|
# improve the protection against Clickjacking
|
||||||
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo
|
# https://owasp.org/www-project-secure-headers/#x-frame-options
|
||||||
{% if nginx_xfo_enabled %}
|
{% if nginx_xfo_enabled %}
|
||||||
add_header X-Frame-Options {{ nginx_xfo_policy }};
|
add_header X-Frame-Options {{ nginx_xfo_policy }} always;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if nginx_csp_enabled and nginx_csp_options is defined %}
|
{% if nginx_csp_enabled and nginx_csp_options is defined %}
|
||||||
add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters | join(' ') }};{% endfor %}";
|
add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters | join(' ') }};{% endfor %}" always;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# prevent from interpreting files as something else than declared by the content type in HTTP headers
|
# prevent from interpreting files as something else than declared by the content type in HTTP headers
|
||||||
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto
|
# https://owasp.org/www-project-secure-headers/#x-content-type-options
|
||||||
{% if nginx_xcto_enabled %}
|
{% if nginx_xcto_enabled %}
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff always;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# enables the cross-site scripting (XSS) filter of the browsers
|
# enables the cross-site scripting (XSS) filter of the browsers
|
||||||
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp
|
# https://owasp.org/www-project-secure-headers/#x-xss-protection
|
||||||
{% if nginx_xxxsp_enabled %}
|
{% if nginx_xxxsp_enabled %}
|
||||||
add_header X-XSS-Protection "1; {{ nginx_xxxsp_parameters | default([])|join(' ; ') }}";
|
add_header X-XSS-Protection "{{ nginx_xxxsp_parameters | default([]) |join(' ; ') }}" always;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
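Review bot: The rewritten X-XSS-Protection line emits an empty header value when `nginx_xxxsp_parameters` is undefined or `[]` (`add_header X-XSS-Protection "" always;`), because the literal `1;` prefix was removed while `default([])` was kept; the HSTS and CSP blocks above guard on their options variable being defined, so this one should too: `{% if nginx_xxxsp_enabled and nginx_xxxsp_parameters is defined and nginx_xxxsp_parameters %}`. Adding `always` to every `add_header` is the right call, since without it these headers are omitted from 4xx/5xx responses. The comment above the block could also state that the OWASP page now linked recommends `X-XSS-Protection: 0`, so that readers know `1 ; mode=block` is a legacy setting rather than the current guidance.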
@ -52,6 +52,14 @@ server {
|
|||||||
{% if location.index is defined and location.index %}
|
{% if location.index is defined and location.index %}
|
||||||
index {{ location.index }};
|
index {{ location.index }};
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
{% if location.add_headers is defined and location.add_headers %}
|
||||||
|
|
||||||
|
include /etc/nginx/conf.d/header.conf;
|
||||||
|
{% for add in location.add_headers %}
|
||||||
|
add_header {{ add }};
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if location.proxy_pass is defined and location.proxy_pass %}
|
{% if location.proxy_pass is defined and location.proxy_pass %}
|
||||||
proxy_pass {{ location.proxy_pass }};
|
proxy_pass {{ location.proxy_pass }};
|
||||||
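Review bot: The per-location `add_header {{ add }};` is emitted without `always`, while every header in the included header.conf now carries it, so location-specific headers will be dropped on error responses unless the inventory string itself ends in `always`; either append it, `add_header {{ add }} always;`, or document that each entry must be a complete `Name value [always]` directive body. The `include /etc/nginx/conf.d/header.conf;` inside the location is needed because nginx's `add_header` is only inherited when the current level defines none, and a one-line comment would keep the next maintainer from removing it: `{# add_header is not inherited once a location sets its own, so re-include the global set here #}`. The include path is hard-coded; if the role writes header.conf to a configurable location this should reference the same variable, which cannot be confirmed from this hunk.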
@ -73,10 +81,22 @@ server {
|
|||||||
{% if location.proxy_intercept_errors is defined and location.proxy_intercept_errors %}
|
{% if location.proxy_intercept_errors is defined and location.proxy_intercept_errors %}
|
||||||
proxy_intercept_errors {{ location.proxy_intercept_errors }};
|
proxy_intercept_errors {{ location.proxy_intercept_errors }};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if location.proxy_headers is defined and location.proxy_headers %}
|
{% if location.proxy_set_headers is defined and location.proxy_set_headers %}
|
||||||
|
|
||||||
{% for pheader in location.proxy_headers %}
|
{% for set in location.proxy_set_headers %}
|
||||||
proxy_set_header {{ pheader }};
|
proxy_set_header {{ set }};
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% if location.proxy_hide_headers is defined and location.proxy_hide_headers %}
|
||||||
|
|
||||||
|
{% for hide in location.proxy_hide_headers %}
|
||||||
|
proxy_hide_header {{ hide }};
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% if location.proxy_ignore_headers is defined and location.proxy_ignore_headers %}
|
||||||
|
|
||||||
|
{% for ignore in location.proxy_ignore_headers %}
|
||||||
|
proxy_ignore_header {{ ignore }};
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
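Review bot: `proxy_ignore_header {{ ignore }};` uses a directive that does not exist in nginx; the directive is `proxy_ignore_headers` (plural) and it accepts a space-separated list, so `nginx -t` will reject the generated vhost as soon as `proxy_ignore_headers` is set for a location. Replace the loop with a single directive: `proxy_ignore_headers {{ location.proxy_ignore_headers | join(' ') }};`. `proxy_hide_header` is correctly singular and per-field, so that loop is fine. The enclosing location block and server block start and end outside the hunk.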