Conrad Hoffmann: 1 Include common headers from separate file 13 files changed, 15 insertions(+), 5 deletions(-)
This commit brings back all headers previously defined in port443.conf. The current setup has been missing them since the `add_header` directive was added to the individual `location` blocks (for CSP). The nginx manual states:

> These directives are inherited from the previous configuration level
> if and only if there are no add_header directives defined on the
> current level

http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header

None of the headers are important enough that they would have to be added to all possible `location` blocks. Adding them to the root block for each site will be sufficient.
---
v2: change name from common_headers.conf to just headers.conf

 builds.sr.ht.conf | 1 +
 chat.sr.ht.conf | 1 +
 dispatch.sr.ht.conf | 1 +
 git.sr.ht.conf | 1 +
 headers.conf | 4 ++++
 hg.sr.ht.conf | 1 +
 hub.sr.ht.conf | 1 +
 lists.sr.ht.conf | 1 +
 man.sr.ht.conf | 1 +
 meta.sr.ht.conf | 1 +
 paste.sr.ht.conf | 1 +
 port443.conf | 5 -----
 todo.sr.ht.conf | 1 +
 13 files changed, 15 insertions(+), 5 deletions(-)
 create mode 100644 headers.conf

diff --git a/builds.sr.ht.conf b/builds.sr.ht.conf
index 6597166..36bed3e 100644
--- a/builds.sr.ht.conf
@@ -14,6 +14,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:5002;
+ include headers.conf;
 add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always;
 include web.conf;
 }
diff --git a/chat.sr.ht.conf b/chat.sr.ht.conf
index 79faa45..5f3d7f6 100644
--- a/chat.sr.ht.conf
+++ b/chat.sr.ht.conf
@@ -19,6 +19,7 @@ server {
 }
 root /usr/share/webapps/gamja;
+ include headers.conf;
 # We have to use a weird connect-src because of a Safari bug
 # https://bugs.webkit.org/show_bug.cgi?id=201591
 add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src wss://chat.sr.ht https://chat.sr.ht" always;
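Review bot: The new `include headers.conf;` in builds.sr.ht.conf sits inside `location /` only, so any other `location` in the same server that declares its own `add_header` still sends no Strict-Transport-Security or Permissions-Policy, because nginx add_header inheritance is all-or-nothing per level; dispatch, git, hg, hub, lists, man, meta, paste and todo use the identical placement. For HSTS this is largely tolerable since a browser only needs to see the header once per host, which is presumably the trade-off the commit message calls "sufficient", but nothing in the config records that, and the next CSP added to a sibling location will silently drop these headers again. A one-line comment beside each include would preserve the intent: `# repeat in any location that sets add_header (nginx does not inherit it)`. In chat.sr.ht.conf the include is at `server` level just after `root`, which is the better spot, though the `}` above it closes a location block outside the hunk and that block, if it sets add_header, is not covered either.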
diff --git a/dispatch.sr.ht.conf b/dispatch.sr.ht.conf
index 41756de..953deca 100644
--- a/dispatch.sr.ht.conf
+++ b/dispatch.sr.ht.conf
@@ -12,6 +12,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:5005;
+ include headers.conf;
 add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self'" always;
 include web.conf;
 }
diff --git a/git.sr.ht.conf b/git.sr.ht.conf
index ae2f3cf..65a49bc 100644
--- a/git.sr.ht.conf
+++ b/git.sr.ht.conf
@@ -14,6 +14,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:5001;
+ include headers.conf;
 add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
 include web.conf;
 }
diff --git a/headers.conf b/headers.conf
new file mode 100644
index 0000000..b338332
--- /dev/null
+++ b/headers.conf
@@ -0,0 +1,4 @@
+add_header X-Clacks-Overhead "GNU Terry Pratchett";
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+# Fuck you, Google, I don't spy on my users
+add_header Permissions-Policy interest-cohort=();
diff --git a/hg.sr.ht.conf b/hg.sr.ht.conf
index 6ccdf5b..ce98cd9 100644
--- a/hg.sr.ht.conf
+++ b/hg.sr.ht.conf
@@ -14,6 +14,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:5010;
+ include headers.conf;
 add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
 include web.conf;
 }
diff --git a/hub.sr.ht.conf b/hub.sr.ht.conf
index e20a8e2..6e12302 100644
--- a/hub.sr.ht.conf
+++ b/hub.sr.ht.conf
@@ -17,6 +17,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:5014;
+ include headers.conf;
 add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
 include web.conf;
 }
diff --git a/lists.sr.ht.conf b/lists.sr.ht.conf
index b1fc59f..aea70a6 100644
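Review bot: The last added line of headers.conf, `add_header Permissions-Policy interest-cohort=();`, carries no `always` while the Strict-Transport-Security line two above it does, so on any response outside nginx's default 2xx/3xx set (error pages relayed from the proxied apps, for instance) the policy header is dropped; `add_header Permissions-Policy interest-cohort=() always;` makes the file consistent (X-Clacks-Overhead can stay as is). The file also deserves a header comment recording the gotcha the commit message explains, since that is the whole reason it exists and the knowledge otherwise lives only in git history: `# Included from each site's root location. nginx does NOT inherit add_header into` / `# any block that declares its own add_header, so include this wherever a CSP is set.`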
--- a/lists.sr.ht.conf
+++ b/lists.sr.ht.conf
@@ -13,6 +13,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:5006;
+ include headers.conf;
 add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'";
 include web.conf;
 }
diff --git a/man.sr.ht.conf b/man.sr.ht.conf
index bb55300..24f1a78 100644
--- a/man.sr.ht.conf
+++ b/man.sr.ht.conf
@@ -14,6 +14,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:5004;
+ include headers.conf;
 add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
 include web.conf;
 }
diff --git a/meta.sr.ht.conf b/meta.sr.ht.conf
index 85544bc..46fdf20 100644
--- a/meta.sr.ht.conf
+++ b/meta.sr.ht.conf
@@ -12,6 +12,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:5000;
+ include headers.conf;
 add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
 include web.conf;
 }
diff --git a/paste.sr.ht.conf b/paste.sr.ht.conf
index f2c258d..1d0139a 100644
--- a/paste.sr.ht.conf
+++ b/paste.sr.ht.conf
@@ -14,6 +14,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:5011;
+ include headers.conf;
 add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
 include web.conf;
 }
diff --git a/port443.conf b/port443.conf
index a2ae4a2..f074123 100644
--- a/port443.conf
+++ b/port443.conf
@@ -1,11 +1,6 @@
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
-add_header X-Clacks-Overhead "GNU Terry Pratchett";
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-# Fuck you, Google, I don't spy on my users
-add_header Permissions-Policy interest-cohort=();
-
 gzip on;
 gzip_types text/css text/html;
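Review bot: In lists.sr.ht.conf the CSP `add_header` directly below the new include is the only one in this patchset without `always` (man, meta and paste in the same stretch all have it), so the lists frontend's non-2xx/3xx responses will now carry HSTS from headers.conf but no Content-Security-Policy at all. That line is pre-existing context rather than new code, but since this hunk already touches the block, appending the flag would bring it in line with the other sites: `add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always;`.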
diff --git a/todo.sr.ht.conf b/todo.sr.ht.conf
index 880d4b1..55acb8a 100644
--- a/todo.sr.ht.conf
+++ b/todo.sr.ht.conf
@@ -14,6 +14,7 @@ server {
 location / {
 proxy_pass http://127.0.0.1:5003;
+ include headers.conf;
 add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
 include web.conf;
 }
-- 
2.35.1
Thanks! To git@git.sr.ht:~sircmpwn/sr.ht-nginx 305e2a5..5300cf2 master -> master