Commit f74dd456 authored by Agate

Merge branch 'csp' into 'master'

Added CSP configuration

See merge request !14
parents 0adc46cb 3d636301
...@@ -120,6 +120,7 @@ Role Variables ...@@ -120,6 +120,7 @@ Role Variables
| `funkwhale_api_ip` | `127.0.0.1` | IP address with which to bind the Funkwhale server | | `funkwhale_api_ip` | `127.0.0.1` | IP address with which to bind the Funkwhale server |
| `funkwhale_api_port` | `5000` | Port with which to bind the Funkwhale server | | `funkwhale_api_port` | `5000` | Port with which to bind the Funkwhale server |
| `funkwhale_config_path` | `/srv/funkwhale/config` | Path to Funkwhale's configuration directory | | `funkwhale_config_path` | `/srv/funkwhale/config` | Path to Funkwhale's configuration directory |
| `funkwhale_nginx_csp_policy` | `"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"` | Content-Security-Policy header to us. You will need to tweak this if you're serving media files from a separate domain. |
| `funkwhale_database_managed` | `true` | If `true`, the role will manage the database server and Funkwhale's database | | `funkwhale_database_managed` | `true` | If `true`, the role will manage the database server and Funkwhale's database |
| `funkwhale_database_name` | `funkwhale` | Name of the Funkwhale database to use | | `funkwhale_database_name` | `funkwhale` | Name of the Funkwhale database to use |
| `funkwhale_database_user` | `funkwhale` | Postgresql username to login as | | `funkwhale_database_user` | `funkwhale` | Postgresql username to login as |
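Review bot: the description cell of the new `funkwhale_nginx_csp_policy` row has a typo, "header to us" should read "header to use". The row would also be more useful if it stated that an empty value disables the header altogether, since the nginx template only emits `add_header Content-Security-Policy` inside `{% if funkwhale_nginx_csp_policy -%}`, and if it explained why `style-src` carries `'unsafe-inline'`, so operators know whether that relaxation is one they can drop in their own override.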
...@@ -38,6 +38,7 @@ funkwhale_letsencrypt_certbot_flags: ...@@ -38,6 +38,7 @@ funkwhale_letsencrypt_certbot_flags:
funkwhale_letsencrypt_enabled: true funkwhale_letsencrypt_enabled: true
funkwhale_letsencrypt_skip_cert: false funkwhale_letsencrypt_skip_cert: false
funkwhale_nginx_csp_policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
funkwhale_redis_managed: true funkwhale_redis_managed: true
funkwhale_api_ip: 127.0.0.1 funkwhale_api_ip: 127.0.0.1
funkwhale_api_port: 5000 funkwhale_api_port: 5000
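Review bot: the default policy relies on `default-src 'self'` but omits the directives that do not fall back to `default-src`, notably `frame-ancestors`, `base-uri` and `form-action`; as written the header gives no clickjacking protection, so consider appending `frame-ancestors 'none'` (or `'self'`) and `base-uri 'self'` to the default value. The same long literal is also repeated verbatim in the README table, which will drift the next time either copy is edited; pointing the docs at this defaults file, or at least keeping a comment here that the README mirrors it, would help.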
...@@ -30,7 +30,12 @@ server { ...@@ -30,7 +30,12 @@ server {
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; preload"; add_header Strict-Transport-Security "max-age=63072000; preload";
{% endif %} {% endif -%}
{% if funkwhale_nginx_csp_policy -%}
# Security-related headers
add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
{% endif -%}
root {{ funkwhale_frontend_path }}; root {{ funkwhale_frontend_path }};
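Review bot: nginx inherits `add_header` from the `server` level only when a `location` block declares no `add_header` of its own, so any location in this template that sets its own header (for example a caching header for static assets) silently drops both the new CSP header and the HSTS header above it; either repeat the security headers in those locations or put them in a snippet that every location includes. Consider also `add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}" always;` so the policy is sent on 4xx/5xx responses too, which nginx skips without `always`. Lastly, the `# Security-related headers` comment sits below the HSTS header it would naturally describe; move it above the HSTS block or reword it to refer to CSP only.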