From f3c441db2b6e8e0de59c2f5326b5d78dd0cf66a0 Mon Sep 17 00:00:00 2001
From: samuel
Date: Sat, 14 Feb 2026 21:15:08 +0100
Subject: [PATCH] fix: ngix security headers
---
 .gitea/workflows/ci.yaml | 10 ++++++++++
 Makefile | 30 +++++++++++++++++++++++-------
 files/nginx/0_security.conf | 25 ++++++++++++++-----------
 netoik-rp.spec | 4 ++--
 4 files changed, 49 insertions(+), 20 deletions(-)
diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index b1dadf6..f4e002e 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -11,3 +11,13 @@ jobs:
 steps:
 - name: Show env
 run: env | sort
+
+ build:
+ runs-on: linux
+ steps:
+ - name: Build tarball
+ run: make tarball
+ - name: Build rpm package
+ run: rpmbuild -ba netoik-rp.spec
+ - name: Upload rpm package
+ run: make upload
diff --git a/Makefile b/Makefile
index 80e3a11..3718577 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,11 @@
 NAME = $(shell basename $(PWD))
 VERSION = $(shell git describe | sed 's/-/./g')
+RELEASE = 0
 BRANCH = $(shell git branch --show-current)
+BUILD_ARCH = noarch
+RPM_BUILD_PATH = $(RPM_RPMDIR)/$(BUILD_ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(BUILD_ARCH).rpm
+RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
 RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
 RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
 RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
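Review bot: The new `build` job runs `make tarball` as its first step without any checkout step before it, and the visible part of the earlier job has none either (its only step is `Show env`), so unless the runner image checks the repository out by itself the Makefile will not be there; I would add the project's checkout action as the first step of `build`. The `Upload rpm package` step also carries no `if:` condition, so a package is pushed to the registry on every run of this workflow, including pushes to feature branches; the workflow's `on:` block is outside the hunk, so confirm that is intended or gate the step on a tag or the default branch. Whatever credential `make upload` relies on is not visible here either, so the secret wiring is presumably on the runner rather than in the workflow.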
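Review bot: `RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')` follows the file's existing recursive-`=` style, so `rpm` is spawned again every time the variable is referenced, and the new `RPM_BUILD_PATH` pulls in five such variables (`git describe` via `VERSION` among them), re-running all of them on each expansion; `RPM_RPMDIR := $(shell rpm --eval '%{_rpmdir}')` runs it once at parse time (with `:=` the definition would have to move above `RPM_BUILD_PATH`, or `RPM_BUILD_PATH` stays recursive as it is now). `RELEASE = 0` is what `Release: %(make release)` in the spec hunk now receives in place of `1%{?dist}`: RPM release numbers conventionally start at 1, and the `%{?dist}` suffix is lost unless the spec appends it after the make call, e.g. `Release: %(make release)%{?dist}`.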
@@ -16,6 +20,22 @@ name:
 version:
 @echo "$(VERSION)"
+.PHONY: release
+release:
+ @echo "$(RELEASE)"
+
+.PHONY: build_arch
+build_arch:
+ @echo "$(BUILD_ARCH)"
+
+.PHONY: install
+install:
+ install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
+ install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/default.conf
+ install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
+ install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
+ install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
+
 $(RPM_TARBALL_PATH): *
 git archive --format=tar.gz \
 --output="$@" \
@@ -26,10 +46,6 @@ $(RPM_TARBALL_PATH): *
 .PHONY: tarball
 tarball: $(RPM_TARBALL_PATH)
-.PHONY: install
-install:
- install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
- install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/default.conf
- install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
- install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
- install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
+.PHONY: upload
+upload:
+ curl --upload-file "$(RPM_BUILD_PATH)" https://git.netoik.io/api/packages/samuel/rpm/upload
diff --git a/files/nginx/0_security.conf b/files/nginx/0_security.conf
index ba16602..bb7742e 100644
--- a/files/nginx/0_security.conf
+++ b/files/nginx/0_security.conf
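Review bot: The moved `install` recipe copies `files/nginx/0_security.conf` and `files/nginx/default.conf` into `conf.d` without a `--mode`, so GNU install applies its default of 755 and the two nginx config files land with the executable bit set, unlike every other line of the recipe, which sets a mode explicitly; `install --mode=644 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/default.conf`. These lines are moved verbatim from the block removed in the next hunk, so the omission predates the commit, but the move is the natural occasion to fix it. The `release` and `build_arch` targets mirror the existing `version` target and are fine as they are, given that the spec hunk calls them by exact name.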
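Review bot: The new `upload` recipe runs `curl` without `--fail`, so an HTTP error from the registry (a rejected or duplicate package, an auth failure) still leaves curl with exit status 0, `make upload` succeeds and the CI step passes with nothing published; `curl --fail --silent --show-error --upload-file "$(RPM_BUILD_PATH)" https://git.netoik.io/api/packages/samuel/rpm/upload` makes a non-2xx response fail the target. No credential appears on the line, so it is presumably supplied from a curl config or netrc on the runner; since the line is not `@`-prefixed make echoes it into the CI log, it should stay that way rather than ever gaining an inline token. `upload` also has no prerequisite tying it to the rpm it sends, which is acceptable here because `rpmbuild` runs outside make, but a comment saying so would help, e.g. `# the rpm is produced by rpmbuild in CI, not by this Makefile`.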
@@ -14,14 +14,17 @@ resolver 127.0.0.1;
 # Add some basic security headers from OWASP
 # see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
-add_header X-Frame-Options "DENY" always;
-add_header X-XSS-Protection "0" always;
-add_header X-Content-Type-Options "nosniff" always;
-add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
-add_header Cross-Origin-Opener-Policy "same-origin" always;
-add_header Cross-Origin-Resource-Policy "same-site" always;
-add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
-add_header Server "webserver" always;
-add_header X-Robots-Tag "noindex, nofollow" always;
+# And Nextcloud doc
+# see: https://docs.nextcloud.com/server/31/admin_manual/installation/harden_server.html
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
+add_header X-Frame-Options "sameorigin" always;
+add_header X-XSS-Protection "1;mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Permitted-Cross-Domain-Policies "none" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self';" always;
+add_header Cross-Origin-Opener-Policy "same-origin" always;
+add_header Cross-Origin-Resource-Policy "same-site" always;
+add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
+add_header Server "webserver" always;
+add_header X-Robots-Tag "noindex, nofollow" always;
diff --git a/netoik-rp.spec b/netoik-rp.spec
index c19e5f6..2b3735d 100644
--- a/netoik-rp.spec
+++ b/netoik-rp.spec
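Review bot: Adding `'unsafe-inline'` to `default-src` in the new `Content-Security-Policy` line re-enables inline scripts as well as inline styles, because `script-src` falls back to `default-src` when it is not set, and that removes most of the cross-site-scripting protection the policy was providing; if only inline styles are needed, keep scripts locked down with a separate directive: `add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self';" always;`. The switch of `X-XSS-Protection` from `"0"` to `"1;mode=block"` contradicts the OWASP cheat sheet the comment above still cites, which recommends `0` because current browsers have dropped the legacy auditor and its blocking mode has been used for cross-site leaks in the older ones that had it; the Nextcloud page presumably lists the old value, so I would keep `0` and record the deviation in the comment. Two points that predate the commit but remain on the new side: `add_header Server "webserver"` adds a second `Server` header instead of replacing nginx's own (`server_tokens off;` is the supported way to trim it), and nginx only inherits `add_header` into a `server` or `location` block that defines no `add_header` of its own, so any such directive in `default.conf` would silently drop this whole set; worth confirming against that file.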
@@ -2,13 +2,13 @@ Name: %(make name)
 Version: %(make version)
-Release: 1%{?dist}
+Release: %(make release)
 Summary: Netoik Reverse Proxy
 License: MIT
 URL: https://git.netoik.io/samuel/netoik-rp
 Source0: %{name}-%{version}.tar.gz
-Buildarch: noarch
+Buildarch: %(make build_arch)
 BuildRequires: make
 Requires: nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl