Solved certreap bugs, implemented caching for pictures, optimized CSP policies (stricter), optimized recaptcha implementation for keycloak, solved mariadb wait bug, solved nextcloud plugin bugs, optimized ignore handling of tasks

This commit is contained in:
2025-05-08 09:51:38 +02:00
parent f71c9e4b31
commit d5f194b2c0
19 changed files with 162 additions and 64 deletions


@@ -3,6 +3,13 @@
{# default-src: Fallback for all other directives if not explicitly defined #}
{%- set csp_parts = csp_parts + ["default-src 'self';"] %}
{# connect-src: Controls where fetch(), XHR, WebSocket etc. can connect to #}
{%- set connect_src = "connect-src 'self' https://ka-f.fontawesome.com" %}
{%- if applications | is_feature_enabled('matomo', application_id) | bool %}
{%- set connect_src = connect_src + " " + web_protocol + "://" + domains.matomo %}
{%- endif %}
{%- set csp_parts = csp_parts + [connect_src + ";"] %}
{# frame-ancestors: Restricts which origins can embed this site in a frame or iframe #}
{%- set frame_ancestors = "frame-ancestors 'self'" %}
{%- if applications | is_feature_enabled('iframe', application_id) | bool %}
@@ -13,21 +20,22 @@
{# frame-src: Controls which URLs can be embedded as iframes #}
{%- set frame_src = "frame-src 'self'" %}
{%- if applications | is_feature_enabled('recaptcha', application_id) | bool %}
{%- set frame_src = frame_src + " https://www.google.com https://www.recaptcha.net" %}
{%- set frame_src = frame_src + " https://www.google.com" %}
{%- endif %}
{%- set csp_parts = csp_parts + [frame_src + ";"] %}
{# img-src: Allow images from own domain and files deliverer. Also from Matomo if enabled. #}
{%- set img_src = "img-src 'self' " + web_protocol + "://" + domains.file_server %}
{%- if applications | is_feature_enabled('matomo', application_id) | bool %}
{%- set img_src = img_src + " " + web_protocol + "://" + domains.matomo %}
{%- endif %}
{# img-src: Allow images. Prevent tracking by caching on server and client side. #}
{%- set img_src = "img-src * data: blob:"%}
{%- set csp_parts = csp_parts + [img_src + ";"] %}
{# script-src: Allow JavaScript from self, FontAwesome, jsDelivr, and Matomo if enabled #}
{%- set script_src = "script-src 'self' 'unsafe-inline'" %}
{# unsafe eval is set for sphinx #}
{%- set script_src = "script-src 'self' 'unsafe-eval' 'unsafe-inline'" %}
{%- if applications | is_feature_enabled('matomo', application_id) | bool %}
{%- set script_src = script_src + " " + domains.matomo %}
{%- set script_src = script_src + " " + web_protocol + "://" + domains.matomo %}
{%- endif %}
{%- if applications | is_feature_enabled('recaptcha', application_id) | bool %}
{%- set script_src = script_src + " https://www.google.com" %}
{%- endif %}
{%- set script_src = script_src + " https://kit.fontawesome.com https://cdn.jsdelivr.net" %}
{%- set csp_parts = csp_parts + [script_src + ";"] %}
@@ -36,4 +44,10 @@
{%- set style_src = "style-src 'self' 'unsafe-inline' https://kit.fontawesome.com https://cdn.jsdelivr.net" %}
{%- set csp_parts = csp_parts + [style_src + ";"] %}
{# font-src: Allow font-src from self, FontAwesome, jsDelivr and inline styles #}
{%- set font_src = "font-src 'self' https://kit.fontawesome.com https://cdn.jsdelivr.net" %}
{%- set csp_parts = csp_parts + [font_src + ";"] %}
add_header Content-Security-Policy "{{ csp_parts | join(' ') }}" always;
# Oppress header send by proxied application
proxy_hide_header Content-Security-Policy;
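Review bot: `img-src * data: blob:` (replacing the scoped `img-src 'self' <file server> [matomo]` list) and the unconditional `'unsafe-eval'` in `script-src`, both in the second hunk, make the policy looser rather than "stricter" as the commit message states; a wildcard img-src lets page content load images from any origin, which is the usual tracking-pixel and beacon channel, so the comment "Prevent tracking by caching on server and client side" does not describe what the directive does. Keep img-src scoped as before and add any further origin explicitly, or at least replace `*` with the specific hosts that are needed. `'unsafe-eval'` is commented as needed only for sphinx but is now granted to every application; gate it with the same `applications | is_feature_enabled(<feature>, application_id) | bool` pattern the template already uses for matomo and recaptcha so only the application that needs it receives it. The template continues before and after the visible hunks.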


@@ -31,3 +31,6 @@ location {{location | default("/")}}
proxy_read_timeout 900s;
send_timeout 900s;
}
# Load caching
{% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_cache.conf.j2' %}
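Review bot: The include is placed after the closing `}` of the `location` block, so the first line of proxy_cache.conf.j2, `proxy_cache_path {{ nginx.directories.cache }} ... keys_zone=imgcache:10m ...`, is emitted in whatever context this template itself is rendered into; nginx accepts `proxy_cache_path` only at `http` level, so if that context is `server` the config fails validation with "directive is not allowed here" (the enclosing context is not visible in this hunk, so confirm). If the location template is rendered once per application or per location, the `imgcache` zone is also declared repeatedly, which nginx rejects as a duplicate zone. Keep only the `location ~* ...` block in the included file and move the `proxy_cache_path` line into an http-level snippet that is rendered exactly once.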


@@ -0,0 +1,18 @@
proxy_cache_path {{ nginx.directories.cache }} levels=1:2 keys_zone=imgcache:10m inactive=60m use_temp_path=off;
{%- if location is defined %}
location ~* ^{{ location }}.*\.(jpg|jpeg|png|gif|webp|ico|svg)$ {
{%- else %}
location ~* \.(jpg|jpeg|png|gif|webp|ico|svg)$ {
{%- endif %}
# Cache in browser
expires 30d;
add_header Cache-Control "public, max-age=2592000, immutable";
# Cache on reverse proxy side
proxy_pass http://127.0.0.1:{{http_port}}{{location | default("/")}};
proxy_cache imgcache;
proxy_cache_valid 200 302 60m;
proxy_cache_valid 404 1m;
add_header X-Proxy-Cache $upstream_cache_status;
}
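Review bot: The `add_header Cache-Control ...` and `add_header X-Proxy-Cache ...` lines inside the new image location stop inheritance of every `add_header` defined in the enclosing server/http level (nginx only inherits add_header from the parent level when the current level defines none), so headers such as the `Content-Security-Policy` set by the CSP template will be missing on these image responses if they are configured one level up — not visible here, so verify and, if so, repeat the security headers in this block or move them into a shared include. `expires 30d` together with `Cache-Control "public, max-age=2592000, immutable"` is applied to every matching response regardless of what the application returned; for applications that serve per-user images behind authentication, confirm that upstream `private`/`no-store` responses are not relabelled as publicly cacheable on the browser side, since the proxy-side cache honours upstream Cache-Control and Set-Cookie by default but the added client-facing header is unconditional. The `{{ location }}` value is interpolated unescaped into the `~*` regex on the `location ~* ^{{ location }}.*\.(jpg|...)$` line, so a location containing regex metacharacters (a `.` for instance) changes what is matched; escape it or anchor on a literal prefix location instead.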