fix: ngix security headers

2026-02-14 21:15:08 +01:00
parent f575c4f0d9
commit f3c441db2b
4 changed files with 49 additions and 20 deletions
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -11,3 +11,13 @@ jobs:
    steps:
      - name: Show env
        run: env | sort
+
+  build:
+    runs-on: linux
+    steps:
+      - name: Build tarball
+        run: make tarball
+      - name: Build rpm package
+        run: rpmbuild -ba netoik-rp.spec
+      - name: Upload rpm package
+        run: make upload
--- a/30
+++ b/30
@@ -1,7 +1,11 @@
 NAME = $(shell basename $(PWD))
 VERSION = $(shell git describe | sed 's/-/./g')
+RELEASE = 0
 BRANCH = $(shell git branch --show-current)
+BUILD_ARCH = noarch
+RPM_BUILD_PATH = $(RPM_RPMDIR)/$(BUILD_ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(BUILD_ARCH).rpm

+RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
 RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
 RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
 RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
@@ -16,6 +20,22 @@ name:
 version:
 	@echo "$(VERSION)"

+.PHONY: release
+release:
+	@echo "$(RELEASE)"
+
+.PHONY: build_arch
+build_arch:
+	@echo "$(BUILD_ARCH)"
+
+.PHONY: install
+install:
+	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
+	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/default.conf
+	install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
+	install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
+
 $(RPM_TARBALL_PATH): *
 	git archive --format=tar.gz \
 	            --output="$@" \
@@ -26,10 +46,6 @@ $(RPM_TARBALL_PATH): *
 .PHONY: tarball
 tarball: $(RPM_TARBALL_PATH)

-.PHONY: install
-install:
-	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
-	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/default.conf
-	install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
-	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
-	install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
+.PHONY: upload
+upload:
+	curl --upload-file "$(RPM_BUILD_PATH)" https://git.netoik.io/api/packages/samuel/rpm/upload
--- a/files/nginx/0_security.conf
+++ b/files/nginx/0_security.conf
@@ -14,12 +14,15 @@ resolver                     127.0.0.1;

 # Add some basic security headers from OWASP
 # see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
+# And Nextcloud doc
+# see: https://docs.nextcloud.com/server/31/admin_manual/installation/harden_server.html
 add_header                   Strict-Transport-Security            "max-age=63072000; includeSubDomains; preload;"                                      always;
-add_header                   X-Frame-Options                "DENY"                                                               always;
-add_header                   X-XSS-Protection               "0"                                                                  always;
+add_header                   X-Frame-Options                      "sameorigin"                                                                         always;
+add_header                   X-XSS-Protection                     "1;mode=block"                                                                       always;
 add_header                   X-Content-Type-Options               "nosniff"                                                                            always;
+add_header                   X-Permitted-Cross-Domain-Policies    "none"                                                                               always;
 add_header                   Referrer-Policy                      "strict-origin-when-cross-origin"                                                    always;
-add_header                   Content-Security-Policy        "default-src 'self'; frame-ancestors 'self'; form-action 'self';"    always;
+add_header                   Content-Security-Policy              "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self';"    always;
 add_header                   Cross-Origin-Opener-Policy           "same-origin"                                                                        always;
 add_header                   Cross-Origin-Resource-Policy         "same-site"                                                                          always;
 add_header                   Permissions-Policy                   "geolocation=(), camera=(), microphone=()"                                           always;
--- a/netoik-rp.spec
+++ b/netoik-rp.spec
@@ -2,13 +2,13 @@

 Name:           %(make name)
 Version:        %(make version)
-Release:        1%{?dist}
+Release:        %(make release)
 Summary:        Netoik Reverse Proxy
 License:        MIT
 URL:            https://git.netoik.io/samuel/netoik-rp

 Source0:        %{name}-%{version}.tar.gz
-Buildarch:      noarch
+Buildarch:      %(make build_arch)
 BuildRequires:  make
 Requires:       nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl