This commit brings back all headers previously defined in port443.conf.
The current setup has been missing them since the `add_header` directive
was added to the individual `location` blocks (for CSP). The nginx
manual states:
> These directives are inherited from the previous configuration level
> if and only if there are no add_header directives defined on the
> current level
http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
None of the headers are important enough that they would have to be
added to all possible `location` blocks. Adding them to the root block
for each site will be sufficient.
---
v2: change name from common_headers.conf to just headers.conf
builds.sr.ht.conf | 1 +
chat.sr.ht.conf | 1 +
dispatch.sr.ht.conf | 1 +
git.sr.ht.conf | 1 +
headers.conf | 4 ++++
hg.sr.ht.conf | 1 +
hub.sr.ht.conf | 1 +
lists.sr.ht.conf | 1 +
man.sr.ht.conf | 1 +
meta.sr.ht.conf | 1 +
paste.sr.ht.conf | 1 +
port443.conf | 5 -----
todo.sr.ht.conf | 1 +
13 files changed, 15 insertions(+), 5 deletions(-)
create mode 100644 headers.conf
diff --git a/builds.sr.ht.conf b/builds.sr.ht.conf
index 6597166..36bed3e 100644
--- a/builds.sr.ht.conf
@@ -14,6 +14,7 @@ server {
location / {
proxy_pass http://127.0.0.1:5002;
+ include headers.conf;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always;
include web.conf;
}
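Review bot: Moving the headers from port443.conf (server level) into `location /` means any sibling `location` block in this server — outside the hunk, if one exists — now receives no Strict-Transport-Security at all, whereas before it inherited the header whenever it had no `add_header` of its own, which matters for a policy carrying `preload`. The same applies to the dispatch, git, hg, hub, lists, man, meta, paste and todo hunks; chat.sr.ht keeps the include at server level, so there only locations with their own `add_header` (such as the one closed just above its include) lose the set. Keeping `include headers.conf;` in port443.conf in addition to the per-location include covers both cases, since nginx uses the location-level set where one is defined and the server-level set elsewhere. The enclosing `server` block starts outside the hunk.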
diff --git a/chat.sr.ht.conf b/chat.sr.ht.conf
index 79faa45..5f3d7f6 100644
--- a/chat.sr.ht.conf
+++ b/chat.sr.ht.conf
@@ -19,6 +19,7 @@ server {
}
root /usr/share/webapps/gamja;
+ include headers.conf;
# We have to use a weird connect-src because of a Safari bug
# https://bugs.webkit.org/show_bug.cgi?id=201591
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src wss://chat.sr.ht https://chat.sr.ht" always;
diff --git a/dispatch.sr.ht.conf b/dispatch.sr.ht.conf
index 41756de..953deca 100644
--- a/dispatch.sr.ht.conf
+++ b/dispatch.sr.ht.conf
@@ -12,6 +12,7 @@ server {
location / {
proxy_pass http://127.0.0.1:5005;
+ include headers.conf;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self'" always;
include web.conf;
}
diff --git a/git.sr.ht.conf b/git.sr.ht.conf
index ae2f3cf..65a49bc 100644
--- a/git.sr.ht.conf
+++ b/git.sr.ht.conf
@@ -14,6 +14,7 @@ server {
location / {
proxy_pass http://127.0.0.1:5001;
+ include headers.conf;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
include web.conf;
}
diff --git a/headers.conf b/headers.conf
new file mode 100644
index 0000000..b338332
--- /dev/null
@@ -0,0 +1,4 @@
+add_header X-Clacks-Overhead "GNU Terry Pratchett";
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+# Fuck you, Google, I don't spy on my users
+add_header Permissions-Policy interest-cohort=();
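Review bot: The `X-Clacks-Overhead` and `Permissions-Policy` lines lack `always`, so they are emitted only on 2xx/3xx responses, while the HSTS line between them has it; an error page proxied from a backend therefore carries HSTS and the site's CSP (all of which use `always`) but no Permissions-Policy. `add_header Permissions-Policy interest-cohort=() always;` makes the new file consistent with its own HSTS line and with the per-site CSP directives it is included next to.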
diff --git a/hg.sr.ht.conf b/hg.sr.ht.conf
index 6ccdf5b..ce98cd9 100644
--- a/hg.sr.ht.conf
+++ b/hg.sr.ht.conf
@@ -14,6 +14,7 @@ server {
location / {
proxy_pass http://127.0.0.1:5010;
+ include headers.conf;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
include web.conf;
}
diff --git a/hub.sr.ht.conf b/hub.sr.ht.conf
index e20a8e2..6e12302 100644
--- a/hub.sr.ht.conf
+++ b/hub.sr.ht.conf
@@ -17,6 +17,7 @@ server {
location / {
proxy_pass http://127.0.0.1:5014;
+ include headers.conf;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
include web.conf;
}
diff --git a/lists.sr.ht.conf b/lists.sr.ht.conf
index b1fc59f..aea70a6 100644
--- a/lists.sr.ht.conf
+++ b/lists.sr.ht.conf
@@ -13,6 +13,7 @@ server {
location / {
proxy_pass http://127.0.0.1:5006;
+ include headers.conf;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'";
include web.conf;
}
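Review bot: The Content-Security-Policy directive on the line after the new include is the only one across the other ten site configs in this patch without `always`, so 4xx/5xx responses from lists.sr.ht are sent without a CSP even though the commit now gives them the headers.conf set. That line is context rather than part of the change, but since the block is being touched, appending `always;` to that `add_header` would align it with the sibling sites. The enclosing `server` block starts outside the hunk.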
diff --git a/man.sr.ht.conf b/man.sr.ht.conf
index bb55300..24f1a78 100644
--- a/man.sr.ht.conf
+++ b/man.sr.ht.conf
@@ -14,6 +14,7 @@ server {
location / {
proxy_pass http://127.0.0.1:5004;
+ include headers.conf;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
include web.conf;
}
diff --git a/meta.sr.ht.conf b/meta.sr.ht.conf
index 85544bc..46fdf20 100644
--- a/meta.sr.ht.conf
+++ b/meta.sr.ht.conf
@@ -12,6 +12,7 @@ server {
location / {
proxy_pass http://127.0.0.1:5000;
+ include headers.conf;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
include web.conf;
}
diff --git a/paste.sr.ht.conf b/paste.sr.ht.conf
index f2c258d..1d0139a 100644
--- a/paste.sr.ht.conf
+++ b/paste.sr.ht.conf
@@ -14,6 +14,7 @@ server {
location / {
proxy_pass http://127.0.0.1:5011;
+ include headers.conf;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
include web.conf;
}
diff --git a/port443.conf b/port443.conf
index a2ae4a2..f074123 100644
--- a/port443.conf
+++ b/port443.conf
@@ -1,11 +1,6 @@
listen 443 ssl http2;
listen [::]:443 ssl http2;
-add_header X-Clacks-Overhead "GNU Terry Pratchett";
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-# Fuck you, Google, I don't spy on my users
-add_header Permissions-Policy interest-cohort=();
-
gzip on;
gzip_types text/css text/html;
diff --git a/todo.sr.ht.conf b/todo.sr.ht.conf
index 880d4b1..55acb8a 100644
--- a/todo.sr.ht.conf
+++ b/todo.sr.ht.conf
@@ -14,6 +14,7 @@ server {
location / {
proxy_pass http://127.0.0.1:5003;
+ include headers.conf;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
include web.conf;
}
--
2.35.1