YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Better Configuration of nginx (#564)

Browse source 
* path-traversal

* [fix] try a patch for path-traversal

* Use more_set_headers insta
This commit is contained in:
frju365 2018-11-28 01:21:28 +01:00 committed by Alexandre Aubin
parent 1906692289
commit 8cb029a55e
2 changed files with 10 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
data/templates/nginx/server.tpl.conf
View file

@ -11,7 +11,7 @@ server {
return 301 https://$http_host$request_uri; return 301 https://$http_host$request_uri;
} }
location /.well-known/autoconfig/mail { location /.well-known/autoconfig/mail/ {
alias /var/www/.well-known/{{ domain }}/autoconfig/mail; alias /var/www/.well-known/{{ domain }}/autoconfig/mail;
} }
@ -51,14 +51,14 @@ server {
# Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
# https://wiki.mozilla.org/Security/Guidelines/Web_Security # https://wiki.mozilla.org/Security/Guidelines/Web_Security
# https://observatory.mozilla.org/ # https://observatory.mozilla.org/
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
add_header Content-Security-Policy "upgrade-insecure-requests"; more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'"; more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'";
add_header X-Content-Type-Options nosniff; more_set_headers "X-Content-Type-Options : nosniff";
add_header X-XSS-Protection "1; mode=block"; more_set_headers "X-XSS-Protection : 1; mode=block";
add_header X-Download-Options noopen; more_set_headers "X-Download-Options : noopen";
add_header X-Permitted-Cross-Domain-Policies none; more_set_headers "X-Permitted-Cross-Domain-Policies : none";
add_header X-Frame-Options "SAMEORIGIN"; more_set_headers "X-Frame-Options : SAMEORIGIN";
{% if domain_cert_ca == "Let's Encrypt" %} {% if domain_cert_ca == "Let's Encrypt" %}
# OCSP settings # OCSP settings

2
src/yunohost/certificate.py
View file

@ -466,7 +466,7 @@ def _configure_for_acme_challenge(auth, domain):
nginx_conf_file = "%s/000-acmechallenge.conf" % nginx_conf_folder nginx_conf_file = "%s/000-acmechallenge.conf" % nginx_conf_folder
nginx_configuration = ''' nginx_configuration = '''
location ^~ '/.well-known/acme-challenge' location ^~ '/.well-known/acme-challenge/'
{ {
default_type "text/plain"; default_type "text/plain";
alias %s; alias %s;