Include common headers from separate file

This commit brings back all headers previously defined in port443.conf. The current setup has been missing them since the `add_header` directive was added to the individual `location` blocks (for CSP). The nginx manual states: > These directives are inherited from the previous configuration level > if and only if there are no add_header directives defined on the > current level http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header None of the headers are important enough that they would have to be added to all possible `location` blocks. Adding them to the root block for each site will be sufficient.
2022-03-14 19:20:26 +01:00 · 2022-03-14 19:20:26 +01:00 · 5300cf2efa
parent 305e2a56cf
commit 5300cf2efa
13 changed files with 15 additions and 5 deletions
--- a/builds.sr.ht.conf
+++ b/builds.sr.ht.conf
@ -14,6 +14,7 @@ server {

 	location / {
 		proxy_pass http://127.0.0.1:5002;
+		include headers.conf;
 		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always;
 		include web.conf;
 	}
--- a/chat.sr.ht.conf
+++ b/chat.sr.ht.conf
@ -19,6 +19,7 @@ server {
 		}

 		root /usr/share/webapps/gamja;
+		include headers.conf;
 		# We have to use a weird connect-src because of a Safari bug
 		# https://bugs.webkit.org/show_bug.cgi?id=201591
 		add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src wss://chat.sr.ht https://chat.sr.ht" always;
--- a/dispatch.sr.ht.conf
+++ b/dispatch.sr.ht.conf
@ -12,6 +12,7 @@ server {

 	location / {
 		proxy_pass http://127.0.0.1:5005;
+		include headers.conf;
 		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self'" always;
 		include web.conf;
 	}
--- a/git.sr.ht.conf
+++ b/git.sr.ht.conf
@ -14,6 +14,7 @@ server {

 	location / {
 		proxy_pass http://127.0.0.1:5001;
+		include headers.conf;
 		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
 		include web.conf;
 	}
--- a/headers.conf
+++ b/headers.conf
@ -0,0 +1,4 @@
+add_header X-Clacks-Overhead "GNU Terry Pratchett";
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+# Fuck you, Google, I don't spy on my users
+add_header Permissions-Policy interest-cohort=();
--- a/hg.sr.ht.conf
+++ b/hg.sr.ht.conf
@ -14,6 +14,7 @@ server {

 	location / {
 		proxy_pass http://127.0.0.1:5010;
+		include headers.conf;
 		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
 		include web.conf;
 	}
--- a/hub.sr.ht.conf
+++ b/hub.sr.ht.conf
@ -17,6 +17,7 @@ server {

 	location / {
 		proxy_pass http://127.0.0.1:5014;
+		include headers.conf;
 		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
 		include web.conf;
 	}
--- a/lists.sr.ht.conf
+++ b/lists.sr.ht.conf
@ -13,6 +13,7 @@ server {

 	location / {
 		proxy_pass http://127.0.0.1:5006;
+		include headers.conf;
 		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'";
 		include web.conf;
 	}
--- a/man.sr.ht.conf
+++ b/man.sr.ht.conf
@ -14,6 +14,7 @@ server {

 	location / {
 		proxy_pass http://127.0.0.1:5004;
+		include headers.conf;
 		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
 		include web.conf;
 	}
--- a/meta.sr.ht.conf
+++ b/meta.sr.ht.conf
@ -12,6 +12,7 @@ server {

 	location / {
 		proxy_pass http://127.0.0.1:5000;
+		include headers.conf;
 		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
 		include web.conf;
 	}
--- a/paste.sr.ht.conf
+++ b/paste.sr.ht.conf
@ -14,6 +14,7 @@ server {

 	location / {
 		proxy_pass http://127.0.0.1:5011;
+		include headers.conf;
 		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
 		include web.conf;
 	}
--- a/port443.conf
+++ b/port443.conf
@ -1,11 +1,6 @@
 listen 443 ssl http2;
 listen [::]:443 ssl http2;

-add_header X-Clacks-Overhead "GNU Terry Pratchett";
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-# Fuck you, Google, I don't spy on my users
-add_header Permissions-Policy interest-cohort=();
-
 gzip on;
 gzip_types text/css text/html;

--- a/todo.sr.ht.conf
+++ b/todo.sr.ht.conf
@ -14,6 +14,7 @@ server {

 	location / {
 		proxy_pass http://127.0.0.1:5003;
+		include headers.conf;
 		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
 		include web.conf;
 	}