From 0611ddda116d1c096264fd4b87ac115533429ca4 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Thu, 20 Mar 2025 04:31:02 +0100
Subject: [PATCH] Changed iframe options

---
 group_vars/all/07_applications.yml | 2 +-
 roles/docker-nextcloud/templates/nginx/docker.conf.j2 | 1 +
 roles/docker-peertube/templates/peertube.conf.j2 | 3 +++
 roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2 | 4 ++--
 roles/nginx-serve-assets/README.md | 8 ++------
 roles/nginx-serve-files/README.md | 7 ++-----
 roles/nginx-serve-files/templates/nginx.conf.j2 | 2 ++
 roles/nginx-serve-html/templates/nginx.conf.j2 | 2 ++
 8 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index e4e8956e..0f381ba4 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -182,7 +182,7 @@ defaults_applications:
     # administrator_password: # Needs to be defined in inventory file
     matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking
     css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style
-    landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe
+    landingpage_iframe_enabled: false # Disabled by default, because it leads to authentification problems
     ## LDAP
     ldap:
diff --git a/roles/docker-nextcloud/templates/nginx/docker.conf.j2 b/roles/docker-nextcloud/templates/nginx/docker.conf.j2
index bec1e7b6..9b1f7340 100644
--- a/roles/docker-nextcloud/templates/nginx/docker.conf.j2
+++ b/roles/docker-nextcloud/templates/nginx/docker.conf.j2
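Review bot: The new default drops the indirection through `landingpage_iframe_enabled_default`, so if that global is still defined elsewhere in group_vars it becomes dead for this application and an operator flipping it in the inventory will see no effect. If the intent is only a safer default, keeping the hook with a fallback preserves both: `landingpage_iframe_enabled: "{{ landingpage_iframe_enabled_default | default(false) }}"`; otherwise the now-unused global should be removed in the same change. The trailing comment also misspells the word and would read better as `# Disabled by default because it leads to authentication problems`. The application mapping continues past the hunk (`ldap:` opens a nested block).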
@@ -74,6 +74,7 @@ http {
     add_header X-Permitted-Cross-Domain-Policies "none" always;
     add_header X-Robots-Tag "noindex, nofollow" always;
     add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
     {% include 'roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2' %}
     # Remove X-Powered-By, which is an information leak
diff --git a/roles/docker-peertube/templates/peertube.conf.j2 b/roles/docker-peertube/templates/peertube.conf.j2
index e26df8a9..c274e7a5 100644
--- a/roles/docker-peertube/templates/peertube.conf.j2
+++ b/roles/docker-peertube/templates/peertube.conf.j2
@@ -4,6 +4,9 @@ server {
     {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
     {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
+
+    {% include 'roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2' %}
+
     ##
     # Application
     ##
diff --git a/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2 b/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2
index 8d309775..95bee773 100644
--- a/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2
@@ -1,4 +1,4 @@
-add_header X-Frame-Options "SAMEORIGIN" always; # Allow iframe embedding only from the same origin
 {% if landingpage_iframe_enabled | default(applications.get(application_id).get('landingpage_iframe_enabled')) | bool %}
-    add_header Content-Security-Policy "frame-ancestors {{primary_domain}};" always; # Restrict embedding to the specified primary domain
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header Content-Security-Policy "frame-ancestors 'self' {{primary_domain}};" always;
 {% endif %}
diff --git a/roles/nginx-serve-assets/README.md b/roles/nginx-serve-assets/README.md
index 1a752fa0..bcd7a5f2 100644
--- a/roles/nginx-serve-assets/README.md
+++ b/roles/nginx-serve-assets/README.md
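Review bot: The added `X-Frame-Options` line sits directly above the include of iframe.conf.j2, which in this same patch emits an identical `X-Frame-Options "SAMEORIGIN"` once `landingpage_iframe_enabled` is true, so Nextcloud will then send the header twice; same-valued duplicates are harmless, but it suggests the unconditional line belongs in the shared include rather than in one consumer. Also worth confirming before relying on the `frame-ancestors 'self' {{primary_domain}}` policy: as far as I recall Nextcloud's own security middleware already sends `X-Frame-Options: SAMEORIGIN` and a CSP containing `frame-ancestors 'self'`, and since every CSP header on a response is enforced, the nginx-side policy can only tighten, never widen, what Nextcloud allows — embedding on the landing page would stay blocked unless Nextcloud's CSP is changed as well. A comment on the new line, `# duplicated in iframe.conf.j2 when embedding is enabled; keep in sync`, would at least make the overlap deliberate.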
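Review bot: The include lands at `server` level, and nginx's `add_header` is inherited by a `location` only if that location declares no `add_header` of its own, so any location block further down this file that sets its own headers silently loses the framing policy; the hunk ends before the locations, so this needs checking against the rest of the template. Separately, PeerTube's embed player is, as far as I know, meant to be iframed by third-party sites, so enabling `landingpage_iframe_enabled` here would restrict framing to 'self' plus the primary domain and break external embeds. If that trade-off is intended it deserves a comment next to the include, e.g. `# NOTE: with landingpage_iframe_enabled the embed player can only be framed by {{primary_domain}}`. With the flag at its new default of false, the include as patched emits nothing for this server.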
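Review bot: Moving `add_header X-Frame-Options "SAMEORIGIN" always;` inside the `{% if %}` means that with the flag off — which is now the default set in this same patch — this include emits no framing header at all, so every server that relies on it (PeerTube, nginx-serve-files, nginx-serve-html; only Nextcloud adds its own copy) loses the clickjacking protection the previous version always emitted. The semantics are also inverted from what an operator would expect: `landingpage_iframe_enabled: false` now yields unrestricted framing while `true` yields the restrictive policy. Restoring the old baseline is a one-line move — put `add_header X-Frame-Options "SAMEORIGIN" always;` back above the `{% if ... %}` and leave only the Content-Security-Policy line inside the branch, since browsers that honour `frame-ancestors` ignore X-Frame-Options when both are present. Note the enabled branch also quietly widened the policy by adding `'self'` to the frame-ancestors list, which is reasonable but unmentioned in the commit message. This hunk covers the whole four-line template.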
@@ -1,6 +1,2 @@
-# Nginx Homepage Role
-
-This Ansible role configures an Nginx server to serve a static homepage. It handles domain configuration, SSL certificate retrieval with Let's Encrypt.
-
-## Author Information
-This role was created in 2023 by [Kevin Veen Birkenbach](https://www.veen.world/).
\ No newline at end of file
+# Assets Server
+This role provides assets
\ No newline at end of file
diff --git a/roles/nginx-serve-files/README.md b/roles/nginx-serve-files/README.md
index 6e3e634d..dbd7cc1d 100644
--- a/roles/nginx-serve-files/README.md
+++ b/roles/nginx-serve-files/README.md
@@ -1,6 +1,3 @@
-# Nginx Homepage Role
+# Nginx File Server
-This Ansible role configures an Nginx server to serve files. It handles domain configuration, SSL certificate retrieval with Let's Encrypt.
-
-## Author Information
-This role was created in 2023 by [Kevin Veen-Birkenbach](https://www.veen.world/).
\ No newline at end of file
+This Ansible role configures an Nginx server to serve files.
\ No newline at end of file
diff --git a/roles/nginx-serve-files/templates/nginx.conf.j2 b/roles/nginx-serve-files/templates/nginx.conf.j2
index c4d8c9c8..744eda4f 100644
--- a/roles/nginx-serve-files/templates/nginx.conf.j2
+++ b/roles/nginx-serve-files/templates/nginx.conf.j2
@@ -5,6 +5,8 @@ server
     {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
     {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
+
+    {% include 'roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2' %}
     charset utf-8;
     location /
diff --git a/roles/nginx-serve-html/templates/nginx.conf.j2 b/roles/nginx-serve-html/templates/nginx.conf.j2
index 1f69d128..7293cbb7 100644
--- a/roles/nginx-serve-html/templates/nginx.conf.j2
+++ b/roles/nginx-serve-html/templates/nginx.conf.j2
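Review bot: The included template evaluates `applications.get(application_id).get('landingpage_iframe_enabled')` as the fallback for `default()`, and Jinja evaluates filter arguments before the filter runs, so this file now requires `application_id` and a matching `applications` entry to exist for the nginx-serve-files role; if the role never defines them, rendering may fail on hosts that don't set `landingpage_iframe_enabled` explicitly — I cannot see the role's vars from here, so please confirm. The `location /` block opening on the last line continues past the hunk; if it declares any `add_header` of its own, nginx will not inherit the headers from this include into it. A short comment above the include, `# opt-in framing policy (X-Frame-Options / frame-ancestors), see nginx-docker-reverse-proxy/templates/iframe.conf.j2`, would tell the next reader why a static file server pulls in a reverse-proxy template.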
@@ -5,6 +5,8 @@ server
     {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
     {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
+
+    {% include 'roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2' %}
     charset utf-8;
     location /
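Review bot: The new include gives no hint why a static HTML server pulls in a docker-reverse-proxy template, and the identical undocumented line is added to nginx-serve-files in this patch; a one-line comment above it, `# opt-in framing policy for the landing page, see nginx-docker-reverse-proxy/templates/iframe.conf.j2`, keeps the intent discoverable. Because the headers are added at `server` level, nginx will not propagate them into the `location /` block that opens on the last line if that block sets its own `add_header`; the location body is outside the hunk, so it is worth checking. With `landingpage_iframe_enabled` at its new default of false, the include as patched contributes no header to this server at all.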