Commit Graph

16 Commits

Author SHA1 Message Date
Drew DeVault 9af0afe04a *.conf: update CSP 2023-09-14 14:13:53 +02:00
Conrad Hoffmann 5300cf2efa Include common headers from separate file
This commit brings back all headers previously defined in port443.conf.
The current setup has been missing them since the `add_header` directive
was added to the individual `location` blocks (for CSP). The nginx
manual states:

> These directives are inherited from the previous configuration level
> if and only if there are no add_header directives defined on the
> current level

http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header

None of the headers are important enough that they would have to be
added to all possible `location` blocks. Adding them to the root block
for each site will be sufficient.
2022-03-15 12:34:20 +01:00
Drew DeVault 99a7dda1e0 Unblock TTRSS
This doesn't work with nginx for some reason despite being exactly in
accordance with the official docs on conditional statements. Hooray!

This reverts commit 54a9c41f67.
2021-11-25 10:43:28 +01:00
Drew DeVault 54a9c41f67 git.sr.ht: block TTRSS
They keep requesting data URIs.
2021-11-25 10:32:58 +01:00
Drew DeVault 081fce4019 all: remove variables in server_name
This doesn't actually work, it just pretends to work. Fuck you nginx
2021-08-31 08:25:08 +02:00
Drew DeVault cb3972376c all: add correct CSP headers 2021-08-30 10:53:05 +02:00
Drew DeVault f75b6ca38f fuckings to nginx
Every variable is unwrapped at runtime and only accounted for in some
commands, which does not include ssl_certificate. Anyone who complains
about this is made fun of. Assholes.
2021-08-30 10:02:35 +02:00
Drew DeVault 2cd31be8da all: move domains.conf => sourcehut.conf 2021-08-30 09:29:53 +02:00
Drew DeVault d1599dd5e0 all: refactor common config options into includes 2021-08-30 09:22:32 +02:00
Drew DeVault 7151e98dba all: update python paths 2021-08-05 09:35:39 +02:00
Drew DeVault 6bca57a2da all: opt out of FLoC
Eat shit, Google
2021-04-15 10:44:09 -04:00
Drew DeVault bc245715a4 all: allow data: URIs in CSP 2021-02-26 09:18:49 -05:00
Drew DeVault 34e4b5dbaf git.sr.ht: add unsafe-inline scripts to CSP 2021-02-26 09:06:20 -05:00
Mark Dain 7d7e3f5560 Add Strict-Transport-Security header
This commit introduces a Strict-Transport-Security header that requires TLS
for the entire sr.ht domain. It expires after 1 year.

SourceHut can be preloaded by submitting `sr.ht' on https://hstspreload.org
once this header has been applied to the root domain.

Issue: https://todo.sr.ht/~sircmpwn/sr.ht/175
2020-09-02 10:35:59 -04:00
Mark Dain a929c42896 Add Content-Security-Policy header
This commit adds a CSP policy to all sr.ht domains.

Every domain has the following permissions:

 - Pages can load CSS files hosted on the same domain.
 - Pages can use inline CSS (style attributes).
 - Pages can load images hosted on the same domain.
 - Pages can load images 'hosted' using the data: URI.
 - Pages can load JavaScript files hosted on the same domain.

Domains that host user-generated markdown (git, hg, todo, man, and paste),
have the following additional permissions:

 - Pages can load images hosted anywhere on the Internet.

All other content and/or sources are blocked, including:

 - Audio or video displayed via the <audio> and <video> tags.
 - Plugin-based content embedded via the <object>, <embed>, and <applet> tags.
 - Network traffic such as XMLHttpRequest, WebRTC, and WebSocket.
 - Third-party fonts displayed via @font-face.
 - Pages displayed inside the <frame> and <iframe> tags.

Issue: https://todo.sr.ht/~sircmpwn/sr.ht/93
2020-09-01 17:28:56 -04:00
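The following is an added example illustrating the header setup the commits above describe: the common-headers include file (5300cf2efa), the one-year HSTS header (7d7e3f5560), the base CSP and the extra image permission for markdown-hosting domains (a929c42896), the later data: and unsafe-inline relaxations, and the FLoC opt-out. It is not code from the sourcehut nginx repository; the file names, hostnames, upstream ports, and paths are assumptions made for illustration.

```nginx
# Added example, not the project's own configuration.
#
# --- headers.conf (assumed name) --------------------------------------
# nginx inherits add_header from the enclosing level ONLY if the current
# level defines no add_header of its own. A location {} that sets its own
# Content-Security-Policy therefore silently drops every header set in
# server {} unless it includes this file again. Keeping the shared headers
# in one file makes the re-include a one-liner instead of a copy.
#
# "always" emits the header on 4xx/5xx responses as well; without it
# nginx only adds headers to 2xx and 3xx responses.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;  # 1 year
add_header Permissions-Policy "interest-cohort=()" always;                          # FLoC opt-out

# --- sourcehut.conf (assumed name) ------------------------------------
server {
    listen 443 ssl;
    server_name meta.sr.ht;            # literal: variables in server_name do not work
    ssl_certificate     /etc/ssl/sr.ht.pem;      # assumed path; must be a literal, not a variable
    ssl_certificate_key /etc/ssl/sr.ht.key;      # assumed path

    include headers.conf;
    # Base policy for every sr.ht domain: same-origin CSS plus inline
    # styles, same-origin and data: images, same-origin scripts. Everything
    # else (fonts, frames, media, plugins, XHR/WebSocket) falls to 'none'.
    add_header Content-Security-Policy
        "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self'"
        always;

    # No add_header here, so this location inherits all headers above.
    location / {
        proxy_pass http://127.0.0.1:5000;        # assumed upstream
    }
}

server {
    listen 443 ssl;
    server_name git.sr.ht;
    ssl_certificate     /etc/ssl/sr.ht.pem;      # assumed path
    ssl_certificate_key /etc/ssl/sr.ht.key;      # assumed path

    include headers.conf;
    # Domains rendering user markdown may load images from anywhere;
    # git.sr.ht additionally needed inline scripts (34e4b5dbaf).
    add_header Content-Security-Policy
        "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'"
        always;

    location / {
        proxy_pass http://127.0.0.1:5001;        # assumed upstream
    }

    # This location defines its own add_header, which suppresses
    # inheritance of HSTS and Permissions-Policy from server {}. Including
    # headers.conf again at this level restores them.
    location /static/ {
        include headers.conf;
        add_header Content-Security-Policy "default-src 'none'" always;
        root /var/www/git.sr.ht;                 # assumed path
    }
}
```

Validate with `nginx -t`, then confirm the inheritance behaviour with `curl -sI https://git.sr.ht/static/` (assumed URL) and check that Strict-Transport-Security is still present alongside the location-specific CSP; removing the inner `include headers.conf;` makes it disappear. Note that hstspreload.org requires the `preload` token in addition to `includeSubDomains` and a max-age of at least one year, so the header above would need `; preload` appended before submitting the domain.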
Drew DeVault a1e5258320 Initial commit 2020-08-31 18:05:28 -04:00