From ad9dbb8e6107db4a8f294aab0e33366932ba556f Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Thu, 3 Sep 2020 01:12:00 +0200
Subject: [PATCH] Update nextcloud server configuration to be more strict
---
 roles/nginx/application/templates/global.conf | 6 +-
 roles/nginx/application/templates/https.conf | 2 +-
 roles/server/nextcloud/meta/main.yml | 58 +++++++++----------
 3 files changed, 31 insertions(+), 35 deletions(-)
diff --git a/roles/nginx/application/templates/global.conf b/roles/nginx/application/templates/global.conf
index cb42e55..02c422b 100644
--- a/roles/nginx/application/templates/global.conf
+++ b/roles/nginx/application/templates/global.conf
@@ -6,8 +6,8 @@ location = /robots.txt {
 access_log off;
 }
-add_header X-Content-Type-Options nosniff;
-add_header X-Frame-Options SAMEORIGIN;
-add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
 include {{ nginx_snippets_directory }}/resolver.conf;
diff --git a/roles/nginx/application/templates/https.conf b/roles/nginx/application/templates/https.conf
index 16e4aaa..ec44208 100644
--- a/roles/nginx/application/templates/https.conf
+++ b/roles/nginx/application/templates/https.conf
@@ -1,3 +1,3 @@
 include {{ nginx_snippets_directory }}/ssl;
 add_header Strict-Transport-Security 'max-age=63115200; includeSubDomains; preload';
-add_header 'Referrer-Policy' 'strict-origin';
+add_header 'Referrer-Policy' 'strict-origin' always;
diff --git a/roles/server/nextcloud/meta/main.yml b/roles/server/nextcloud/meta/main.yml
index 0e47763..44c29e5 100644
--- a/roles/server/nextcloud/meta/main.yml
+++ b/roles/server/nextcloud/meta/main.yml
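Review bot: The three headers in this hunk are silently dropped in any block that declares its own `add_header`, because nginx only inherits `add_header` directives into a level that defines none; the static-asset location added in roles/server/nextcloud/meta/main.yml has to repeat all of them for exactly that reason. A comment above these lines would stop the next editor from relying on inheritance, e.g. `# NOTE: add_header is not inherited into any block that sets its own add_header; repeat these headers there.`. Keeping `X-XSS-Protection "1; mode=block"` is also debatable — the common recommendation today is `0` or omitting the header, since the legacy browser filter it enables has been withdrawn and was itself a source of problems — so if it stays, a one-line comment saying why would help.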
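Review bot: The `Strict-Transport-Security` line directly above the changed one still lacks `always`, so after this commit Referrer-Policy is sent on error responses but HSTS is not — a 4xx/5xx from this vhost goes out without it, leaving the stronger of the two headers as the inconsistent one. Change it to `add_header Strict-Transport-Security 'max-age=63115200; includeSubDomains; preload' always;` so both lines behave the same way.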
@@ -24,55 +24,38 @@ dependencies:
 # user_directory
 - role: nginx/server
 directives: |
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
 fastcgi_hide_header X-Powered-By;
 root {{ nextcloud_installation_directory }};
 location = /.well-known/carddav {
- return 301 $scheme://$host/remote.php/dav;
+ return 301 $scheme://$host:$server_port/remote.php/dav;
 }
 location = /.well-known/caldav {
- return 301 $scheme://$host/remote.php/dav;
+ return 301 $scheme://$host:$server_port/remote.php/dav;
 }
- rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
 rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
 rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+ rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
 client_max_body_size 10240M;
 #fastcgi_buffers 64 4K;
 location / {
 rewrite ^ /index.php;
 }
- location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
+ location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
 deny all;
 }
- location ~ ^/(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console) {
+ location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
 deny all;
 }
- #location ~ \.(?:flv|mp4|mov|m4a)$ {
- # mp4;
- # mp4_buffer_size 100M;
- # mp4_max_buffer_size 1024M;
- # fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- # try_files $uri =404;
- # fastcgi_index index.php;
- # include {{ global_nginx_installation_directory }}/fastcgi_params;
- # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- # fastcgi_param PATH_INFO $fastcgi_path_info;
- # fastcgi_param HTTPS on;
- # fastcgi_param modHeadersAvailable true;
- # fastcgi_param front_controller_active true;
- # fastcgi_pass {{ pool_name }};
- # fastcgi_intercept_errors on;
- # fastcgi_request_buffering off;
- #}
- location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
+ fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+ set $path_info $fastcgi_path_info;
 try_files $fastcgi_script_name =404;
- fastcgi_index index.php;
 include {{ global_nginx_installation_directory }}/fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param PATH_INFO $path_info;
 fastcgi_param HTTPS on;
 fastcgi_param modHeadersAvailable true;
 fastcgi_param front_controller_active true;
@@ -80,11 +63,24 @@ dependencies:
 fastcgi_intercept_errors on;
 fastcgi_request_buffering off;
 }
- location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
 try_files $uri/ =404;
 index index.php;
 }
- location ~ \.(?:css|js|woff2?|svg|gif|png|html|ttf|ico|jpg|jpeg)$ {
+ location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ access_log off;
+ }
+
+ location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
 try_files $uri /index.php$request_uri;
 access_log off;
 }
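Review bot: The tightened deny rule `location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console)` no longer exempts `.well-known`, so every dot-path other than the two exact-match carddav/caldav locations and the three server-level rewrites (which run before location selection) now returns 403 — that includes an ACME HTTP-01 challenge directory if this vhost serves one, which I cannot tell from the hunk; confirm it and record the intent with a comment such as `# every other dot-path, including unlisted /.well-known/ entries, is denied here`. The two redirects now embed `$server_port`; if this nginx sits behind a TLS-terminating proxy the client would be sent to the backend port, so this is only right when nginx terminates TLS itself — worth a comment stating that assumption. The `directives: |` block this hunk edits starts before the hunk and continues past it.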
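Review bot: The new `location ~ \.(?:css|js|woff2?|svg|gif|map)$` block declares its own `add_header` directives, which stops nginx from inheriting any `add_header` set at the enclosing server level — so, assuming https.conf is included at server level for this vhost, these assets are served without `Strict-Transport-Security` while the neighbouring `png|html|...` location (which sets no headers of its own) keeps it. Add `add_header Strict-Transport-Security 'max-age=63115200; includeSubDomains; preload' always;` to the repeated list, or move the shared headers into one `include` snippet used by both levels so they cannot drift. The repeated `Referrer-Policy "no-referrer"` also differs from the `'strict-origin'` set in https.conf, so the policy a browser sees depends on the file extension; pick one value and use it in both places. `Cache-Control` is the only line here without `always`, which is reasonable for a cache header, but a short comment would keep it from being "fixed" later.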