Commit Graph

17 Commits

Author SHA1 Message Date
Ludovic Chabant 47015e997a Add https cloning config to hg.sr.ht
It was mentioned in man.sr.ht, before sr.ht-nginx existed.
2024-01-21 20:33:20 +01:00
Drew DeVault 9af0afe04a *.conf: update CSP 2023-09-14 14:13:53 +02:00
Conrad Hoffmann 5300cf2efa Include common headers from separate file
This commit brings back all headers previously defined in port443.conf.
The current setup has been missing them since the `add_header` directive
was added to the individual `location` blocks (for CSP). The nginx
manual states:

> These directives are inherited from the previous configuration level
> if and only if there are no add_header directives defined on the
> current level

http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header

None of the headers are important enough that they would have to be
added to all possible `location` blocks. Adding them to the root block
for each site will be sufficient.
2022-03-15 12:34:20 +01:00
Drew DeVault c0d79e6618 hg.sr.ht.conf: remove unused authorize route 2021-11-16 21:48:25 +01:00
Drew DeVault c06fbfbad1 hg.sr.ht.conf: fix /authorize port 2021-10-27 10:35:26 +02:00
Drew DeVault 529ae6e539 hg.sr.ht.conf: update CSP for GQL sandbox 2021-10-27 10:17:52 +02:00
Drew DeVault 081fce4019 all: remove variables in server_name
This doesn't actually work, it just pretends to work. Fuck you nginx
2021-08-31 08:25:08 +02:00
Drew DeVault cb3972376c all: add correct CSP headers 2021-08-30 10:53:05 +02:00
Drew DeVault f75b6ca38f fuckings to nginx
Every variable is unwrapped at runtime and only accounted for in some
commands, which does not include ssl_certificate. Anyone who complains
about this is made fun of. Assholes.
2021-08-30 10:02:35 +02:00
Drew DeVault 2cd31be8da all: move domains.conf => sourcehut.conf 2021-08-30 09:29:53 +02:00
Drew DeVault d1599dd5e0 all: refactor common config options into includes 2021-08-30 09:22:32 +02:00
Drew DeVault 7151e98dba all: update python paths 2021-08-05 09:35:39 +02:00
Drew DeVault 6bca57a2da all: opt out of FLoC
Eat shit, Google
2021-04-15 10:44:09 -04:00
Drew DeVault bc245715a4 all: allow data: URIs in CSP 2021-02-26 09:18:49 -05:00
Mark Dain 7d7e3f5560 Add Strict-Transport-Security header
This commit introduces a Strict-Transport-Security header that requires TLS
for the entire sr.ht domain. It expires after 1 year.

SourceHut can be preloaded by submitting `sr.ht` on https://hstspreload.org
once this header has been applied to the root domain.

Issue: https://todo.sr.ht/~sircmpwn/sr.ht/175
2020-09-02 10:35:59 -04:00
Mark Dain a929c42896 Add Content-Security-Policy header
This commit adds a CSP policy to all sr.ht domains.

Every domain has the following permissions:

 - Pages can load CSS files hosted on the same domain.
 - Pages can use inline CSS (style attributes).
 - Pages can load images hosted on the same domain.
 - Pages can load images 'hosted' using the data: URI.
 - Pages can load JavaScript files hosted on the same domain.

Domains that host user-generated markdown (git, hg, todo, man, and paste),
have the following additional permissions:

 - Pages can load images hosted anywhere on the Internet.

All other content and/or sources are blocked, including:

 - Audio or video displayed via the <audio> and <video> tags.
 - Plugin-based content embedded via the <object>, <embed>, and <applet> tags.
 - Network traffic such as XMLHttpRequest, WebRTC, and WebSocket.
 - Third-party fonts displayed via @font-face.
 - Pages displayed inside the <frame> and <iframe> tags.

Issue: https://todo.sr.ht/~sircmpwn/sr.ht/93
2020-09-01 17:28:56 -04:00
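The `add_header` inheritance rule quoted in the "Include common headers from separate file" commit and the policy described in the "Add Content-Security-Policy header" commit, as an added illustration that is not the sr.ht-nginx repository's own configuration; the file name `common-headers.conf`, the upstream address and the exact header values are assumptions reconstructed from the commit messages on this page:

```nginx
# common-headers.conf (assumed name): headers every site should send.
# Values are assumptions reconstructed from this page's commit messages.
add_header Strict-Transport-Security "max-age=31536000";   # 1 year, per HSTS commit
add_header Permissions-Policy "interest-cohort=()";        # FLoC opt-out

# hg.sr.ht.conf (illustration): a markdown-hosting site, so img-src is open.
server {
    listen 443 ssl;
    server_name hg.sr.ht;

    # Server-level headers are inherited by a location ONLY if that
    # location defines no add_header of its own (nginx headers module docs).
    include common-headers.conf;

    location / {
        # Re-include here: without this line the CSP add_header below
        # suppresses inheritance, and "/" would send CSP but no
        # Strict-Transport-Security, which is the regression the commit fixed.
        include common-headers.conf;

        # Policy as described in the 2020 CSP commit: same-origin CSS/JS,
        # inline styles, images from anywhere plus data: URIs, all else blocked.
        add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'";

        proxy_pass http://127.0.0.1:5010;   # assumed upstream, not from the page
    }
}
```

After a reload, `curl -sI https://hg.sr.ht/` should list both Strict-Transport-Security and Content-Security-Policy; removing the location-level include makes only the CSP header appear, which is a quick way to catch this class of regression.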
Drew DeVault a1e5258320 Initial commit 2020-08-31 18:05:28 -04:00