CORS/CSP hardening & centralization

- Add reusable Nginx include: roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2
  (dynamic ACAO/credentials/methods/headers via role vars)
- Set global 'Vary: Origin' in nginx.conf.j2 to prevent cache poisoning
- CSP: allow Simple Icons via connect-src when feature is enabled
- Front proxy: rename vars to lowercase + flush handlers after config deploy
- Desktop: gate & load Simple Icons role; inject brand logos when enabled
- Bluesky + Logout: replace inline CORS with centralized include
- Simpleicons: public CORS (ACAO='*', no credentials), keep GET/OPTIONS, allow headers
- Taiga: adjust canonical domain to taiga.kanban.{{ PRIMARY_DOMAIN }}
- LibreTranslate: remove unused images/versions keys

Fixes: https://open.project.infinito.nexus/projects/cymais/work_packages/342/activity
Discussion: https://chatgpt.com/share/68da5e27-ffd4-800f-91a3-0ef103058d44
2025-09-29 12:23:58 +02:00
parent c06d1c4d17
commit aa19a97ed6
15 changed files with 89 additions and 48 deletions


@@ -21,6 +21,11 @@
- name: "load docker, proxy for '{{ application_id }}'"
include_role:
name: sys-stk-full-stateless
vars:
aca_origin: "'{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}' always"
aca_credentials: "'true' always"
aca_methods: "'GET, OPTIONS' always"
aca_headers: "'Accept, Authorization' always"
- name: Create symbolic link from .env file to repository
file:
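Review bot: the nginx `always` qualifier is baked into every value passed to the role here (`aca_credentials: "'true' always"`, `aca_methods: "'GET, OPTIONS' always"`), so Ansible data now carries nginx directive syntax and any caller that forgets the suffix silently gets CORS headers that are omitted on 4xx/5xx responses. Pass bare header values and let access_control_allow.conf.j2 append `always` once. Since the same include is reused for Simpleicons with ACAO='*' (per the commit message), the role should also assert that `aca_credentials` is never 'true' when `aca_origin` is a wildcard; browsers reject that combination and it is a reliable sign of a misconfigured consumer.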


@@ -1,5 +1,5 @@
location = /logout {
# Proxy to the logout service
{# Proxy to the logout service #}
proxy_pass http://127.0.0.1:{{ ports.localhost.http['web-svc-logout'] }}/logout;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
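Review bot: style point on the comment swap at the top of the hunk: moving from `#` to `{# ... #}` removes the note from the rendered nginx config, so an operator inspecting the deployed file on the host no longer sees why this location proxies to `web-svc-logout`. Keep `#` for comments that are useful at runtime, or record the "Jinja comments only" convention in the role README so the choice is deliberate.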
@@ -7,18 +7,15 @@ location = /logout {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
# CORS headers allow your central page to call this
add_header 'Access-Control-Allow-Origin' '{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Accept, Authorization' always;
{# CORS headers allow your central page to call this #}
{% include 'roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2' %}
# Disable caching absolutely
{# Disable caching absolutely #}
add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
add_header Pragma "no-cache" always;
add_header Expires "0" always;
# Handle preflight
{# Handle preflight #}
if ($request_method = OPTIONS) {
return 204;
}
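Review bot: the include replacing the four `add_header` lines depends on `aca_origin`, `aca_credentials`, `aca_methods` and `aca_headers` being defined when this template is rendered; in this commit they are only supplied as `include_role` vars in the task hunk above, so if the logout template is rendered from any other task path the render either fails on an undefined variable or emits an empty `Access-Control-Allow-Origin`. Give the include safe defaults (skip the header when `aca_origin` is undefined) or add an `assert` in the proxy role. Functionally the change is equivalent to the removed lines only if the include emits all four headers with `always`, which is what keeps the CORS headers on the preflight `return 204` inside the `if` and on error responses; worth confirming against access_control_allow.conf.j2, which is not visible in this hunk.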