# Port-80 virtual host for sr.ht.
# This block contains no listen directive and no catch-all location; both
# are presumably supplied by the included files, which are not shown here.
# NOTE(review): confirm that port80.conf upgrades or refuses every request
# the location below does not match, so nothing is served over plain HTTP.
server {
    include sourcehut.conf;
    include port80.conf;
    server_name sr.ht;

    # Redirect for legacy.sr.ht
    # Matches a path made of a single segment of the form "<name>.<name>",
    # restricted to letters, digits, "_" and "-". The scheme and host of the
    # target are literal, so only the path and query string of the redirect
    # come from the request. The regex is tested against the normalised
    # path, while $request_uri is the raw request URI including arguments.
    location ~ ^/[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$ {
        return 302 https://l.sr.ht$request_uri;
    }
}
server {
include sourcehut.conf;
include port443.conf;
include hub-ssl.conf;
server_name sr.ht;
Add Content-Security-Policy header
This commit adds a CSP policy to all sr.ht domains.
Every domain has the following permissions:
- Pages can load CSS files hosted on the same domain.
- Pages can use inline CSS (style attributes).
- Pages can load images hosted on the same domain.
- Pages can load images 'hosted' using the data: URI.
- Pages can load JavaScript files hosted on the same domain.
Domains that host user-generated markdown (git, hg, todo, man, and paste),
have the following additional permissions:
- Pages can load images hosted anywhere on the Internet.
All other content and/or sources are blocked, including:
- Audio or video displayed via the <audio> and <video> tags.
- Plugin-based content embedded via the <object>, <embed>, and <applet> tags.
- Network traffic such as XMLHttpRequest, WebRTC, and WebSocket.
- Third-party fonts displayed via @font-face.
- Pages displayed inside the <frame> and <iframe> tags.
Issue: https://todo.sr.ht/~sircmpwn/sr.ht/93
2020-09-01 19:15:23 +02:00
# Default location: any request not claimed by a more specific prefix or by
# a regex location is proxied to the backend on loopback port 5014.
location / {
    proxy_pass http://127.0.0.1:5014;

    # Included at this level, alongside the add_header below. nginx inherits
    # add_header directives from an enclosing level only when the current
    # level declares none, so headers set higher up would not apply here.
    # NOTE(review): headers.conf is not shown; presumably the shared
    # response headers. Confirm.
    include headers.conf;

    # CSP: deny everything by default, then allow same-origin stylesheets
    # plus inline styles, images from any host and data: URIs, same-origin
    # scripts, and forbid embedding in frames. "always" attaches the header
    # to error responses as well as successful ones.
    # NOTE(review): default-src is not a fallback for base-uri or
    # form-action, and neither is set in this policy. 'unsafe-inline' styles
    # and "img-src *" also let user-supplied markup trigger requests to
    # arbitrary hosts; tighten these if the rendered pages allow it.
    add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'; frame-ancestors 'none'" always;

    include web.conf;
}
# API endpoint: URIs beginning with /query are proxied to a second backend
# on loopback port 5114, with the remaining settings taken from graphql.conf.
# NOTE(review): this location declares no add_header of its own, so which
# response headers (CSP included) reach these responses depends on
# graphql.conf and the enclosing levels, neither of which is shown. Confirm.
location /query {
    proxy_pass http://127.0.0.1:5114;
    include graphql.conf;
}
# Static assets served by nginx from the filesystem rather than the backend.
# With "root", the full request URI is appended to the path, so /static/x is
# read from <root>/static/x.
# NOTE(review): root is the installed Python package directory, so this
# prefix is the only thing limiting which package files are reachable. A
# prefix without a trailing slash also matches any URI that merely begins
# with "/static"; confirm no sibling path in the package starts with that
# string.
# NOTE(review): $python is not defined in this block; presumably set in an
# included file. Confirm.
location /static {
    root /usr/lib/$python/site-packages/hubsrht;

    # Let clients and caches keep these responses for 30 days.
    expires 30d;
}
# Redirect for legacy.sr.ht
# Matches a path made of a single segment of the form "<name>.<name>",
# restricted to letters, digits, "_" and "-". As a regex location it is
# preferred over the plain prefix locations in this server whenever it
# matches. The scheme and host of the target are literal, so only the path
# and query string of the redirect come from the request.
location ~ ^/[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$ {
    return 302 https://l.sr.ht$request_uri;
}
}
# The project hub initially ran at hub.sr.ht for early testing and development
# before being moved to the top-level domain.
#
# Port-80 virtual host for the old hostname. It declares no location of its
# own, so its behaviour comes entirely from the two included files.
# NOTE(review): neither include is shown; confirm that port80.conf handles
# plain-HTTP requests for this name the same way as for sr.ht.
server {
    include sourcehut.conf;
    include port80.conf;
    server_name hub.sr.ht;
}
# TLS virtual host for the old hub.sr.ht hostname. It serves no content and
# exists only to forward visitors to the same path on sr.ht.
# NOTE(review): hub-ssl.conf is shared with the sr.ht server block;
# presumably its certificate covers both names. Confirm.
server {
    include sourcehut.conf;
    include port443.conf;
    include hub-ssl.conf;
    server_name hub.sr.ht;

    # Temporary (302) redirect for every URI. The scheme and host of the
    # target are literal; the path and query string are copied from the
    # request.
    location / {
        return 302 https://sr.ht$request_uri;
    }
}