From 3d63630102dd1f752f76969f3f7fbecf6591bcfe Mon Sep 17 00:00:00 2001
From: Agate <me@agate.blue>
Date: Thu, 23 Apr 2020 10:45:33 +0200
Subject: [PATCH] Added CSP configuration

---
 README.md | 1 +
 defaults/main.yml | 1 +
 templates/nginx.conf.j2 | 7 ++++++-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7195c17..3874c88 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,7 @@ Role Variables
 | `funkwhale_api_ip` | `127.0.0.1` | IP address with which to bind the Funkwhale server |
 | `funkwhale_api_port` | `5000` | Port with which to bind the Funkwhale server |
 | `funkwhale_config_path` | `/srv/funkwhale/config` | Path to Funkwhale's configuration directory |
+| `funkwhale_nginx_csp_policy` | `"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"` | Content-Security-Policy header to us. You will need to tweak this if you're serving media files from a separate domain. |
 | `funkwhale_database_managed` | `true` | If `true`, the role will manage the database server and Funkwhale's database |
 | `funkwhale_database_name` | `funkwhale` | Name of the Funkwhale database to use |
 | `funkwhale_database_user` | `funkwhale` | Postgresql username to login as |
diff --git a/defaults/main.yml b/defaults/main.yml
index 90f6639..74ea9c7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,6 +38,7 @@ funkwhale_letsencrypt_certbot_flags:
 funkwhale_letsencrypt_enabled: true
 funkwhale_letsencrypt_skip_cert: false
+funkwhale_nginx_csp_policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
 funkwhale_redis_managed: true
 funkwhale_api_ip: 127.0.0.1
 funkwhale_api_port: 5000
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
index 087aede..d7ff746 100644
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
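Review bot: The default value of `funkwhale_nginx_csp_policy` added in defaults/main.yml only sets fetch directives, and `frame-ancestors`, `base-uri` and `form-action` do not fall back to `default-src`, so as shipped the header does not stop other origins from framing the application or restrict where forms may post. Consider appending `frame-ancestors 'self'; base-uri 'self'` to the default (the README row in this commit would need the same change). Since `style-src` keeps `'unsafe-inline'`, a comment above the variable stating which frontend requirement forces it would save the next operator from guessing whether it can be removed. The README row describing this variable also reads `header to us`, presumably `header to use`.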
@@ -30,7 +30,12 @@ server {
 ssl_stapling on;
 ssl_stapling_verify on;
 add_header Strict-Transport-Security "max-age=63072000; preload";
- {% endif %}
+ {% endif -%}
+
+ {% if funkwhale_nginx_csp_policy -%}
+ # Security-related headers
+ add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
+ {% endif -%}
 root {{ funkwhale_frontend_path }};
-- 
GitLab
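Review bot: The new `add_header Content-Security-Policy` line (like the Strict-Transport-Security one above it) is declared at `server` level, and nginx only inherits `add_header` into a `location` that declares no `add_header` of its own, so any `location` block later in this template that sets its own header would serve those responses without the CSP at all; worth checking the rest of the template, or repeating the header in each such location. The variable is interpolated unescaped into a double-quoted nginx string, so a policy containing `"` or `$` would break the config or be expanded as an nginx variable — acceptable for an operator-set value, but a one-line comment such as `# value must not contain unescaped double quotes or $` next to the directive would make that explicit. The `# Security-related headers` comment is also emitted only when the CSP is set, although the HSTS header above is a security header too; moving the comment above the `{% if %}` reads more accurately. The enclosing `server` block starts and ends outside the hunk.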