~sircmpwn/sr.ht-dev

sr.ht-nginx: Include common headers from separate file v2 APPLIED

Conrad Hoffmann: 1
 Include common headers from separate file

 13 files changed, 15 insertions(+), 5 deletions(-)

[PATCH sr.ht-nginx v2] Include common headers from separate file

This commit brings back all headers previously defined in port443.conf.
The current setup has been missing them since the `add_header` directive
was added to the individual `location` blocks (for CSP). The nginx
manual states:

> These directives are inherited from the previous configuration level
> if and only if there are no add_header directives defined on the
> current level

http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header

None of the headers are important enough that they would have to be
added to all possible `location` blocks. Adding them to the root block
for each site will be sufficient.
---
v2: change name from common_headers.conf to just headers.conf

 builds.sr.ht.conf   | 1 +
 chat.sr.ht.conf     | 1 +
 dispatch.sr.ht.conf | 1 +
 git.sr.ht.conf      | 1 +
 headers.conf        | 4 ++++
 hg.sr.ht.conf       | 1 +
 hub.sr.ht.conf      | 1 +
 lists.sr.ht.conf    | 1 +
 man.sr.ht.conf      | 1 +
 meta.sr.ht.conf     | 1 +
 paste.sr.ht.conf    | 1 +
 port443.conf        | 5 -----
 todo.sr.ht.conf     | 1 +
 13 files changed, 15 insertions(+), 5 deletions(-)
 create mode 100644 headers.conf

diff --git a/builds.sr.ht.conf b/builds.sr.ht.conf
index 6597166..36bed3e 100644
--- a/builds.sr.ht.conf
@@ -14,6 +14,7 @@ server {

	location / {
		proxy_pass http://127.0.0.1:5002;
		include headers.conf;
		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always;
		include web.conf;
	}
diff --git a/chat.sr.ht.conf b/chat.sr.ht.conf
index 79faa45..5f3d7f6 100644
--- a/chat.sr.ht.conf
+++ b/chat.sr.ht.conf
@@ -19,6 +19,7 @@ server {
		}

		root /usr/share/webapps/gamja;
		include headers.conf;
		# We have to use a weird connect-src because of a Safari bug
		# https://bugs.webkit.org/show_bug.cgi?id=201591
		add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src wss://chat.sr.ht https://chat.sr.ht" always;
diff --git a/dispatch.sr.ht.conf b/dispatch.sr.ht.conf
index 41756de..953deca 100644
--- a/dispatch.sr.ht.conf
+++ b/dispatch.sr.ht.conf
@@ -12,6 +12,7 @@ server {

	location / {
		proxy_pass http://127.0.0.1:5005;
		include headers.conf;
		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self'" always;
		include web.conf;
	}
diff --git a/git.sr.ht.conf b/git.sr.ht.conf
index ae2f3cf..65a49bc 100644
--- a/git.sr.ht.conf
+++ b/git.sr.ht.conf
@@ -14,6 +14,7 @@ server {

	location / {
		proxy_pass http://127.0.0.1:5001;
		include headers.conf;
		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
		include web.conf;
	}
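diff --git a/headers.conf b/headers.conf
new file mode 100644
index 0000000..b338332
--- /dev/null
+++ b/headers.conf
@@ -0,0 +1,4 @@
+add_header X-Clacks-Overhead "GNU Terry Pratchett";
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+# Fuck you, Google, I don't spy on my users
+add_header Permissions-Policy interest-cohort=();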
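Review bot: headers.conf has no comment explaining why it exists, so the next `location` block that gains its own `add_header` can silently lose Strict-Transport-Security again. A comment at the top of the file would record the rule from the commit message, for example `# Include this in every block that sets its own add_header; nginx does not inherit add_header into such a block.` Separately, only the Strict-Transport-Security line has `always`, so X-Clacks-Overhead and Permissions-Policy are not sent on most error responses. That matches the lines removed from port443.conf and is presumably intended.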
diff --git a/hg.sr.ht.conf b/hg.sr.ht.conf
index 6ccdf5b..ce98cd9 100644
--- a/hg.sr.ht.conf
+++ b/hg.sr.ht.conf
@@ -14,6 +14,7 @@ server {

	location / {
		proxy_pass http://127.0.0.1:5010;
		include headers.conf;
		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
		include web.conf;
	}
diff --git a/hub.sr.ht.conf b/hub.sr.ht.conf
index e20a8e2..6e12302 100644
--- a/hub.sr.ht.conf
+++ b/hub.sr.ht.conf
@@ -17,6 +17,7 @@ server {

	location / {
		proxy_pass http://127.0.0.1:5014;
		include headers.conf;
		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
		include web.conf;
	}
diff --git a/lists.sr.ht.conf b/lists.sr.ht.conf
index b1fc59f..aea70a6 100644
--- a/lists.sr.ht.conf
+++ b/lists.sr.ht.conf
@@ -13,6 +13,7 @@ server {

	location / {
		proxy_pass http://127.0.0.1:5006;
		include headers.conf;
		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'";
		include web.conf;
	}
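Review bot: The Content-Security-Policy line in this hunk has no `always` parameter, unlike the same directive in the other site files this patch touches. After the change, error responses from lists.sr.ht would carry HSTS from headers.conf but no CSP. The line is unchanged context and predates the patch, but it sits directly under the new include and is worth fixing with it: end the directive with `script-src 'self' 'unsafe-inline'" always;`. The enclosing `server` block starts outside the hunk, so other `location` blocks in this file are not visible here.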
diff --git a/man.sr.ht.conf b/man.sr.ht.conf
index bb55300..24f1a78 100644
--- a/man.sr.ht.conf
+++ b/man.sr.ht.conf
@@ -14,6 +14,7 @@ server {

	location / {
		proxy_pass http://127.0.0.1:5004;
		include headers.conf;
		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
		include web.conf;
	}
diff --git a/meta.sr.ht.conf b/meta.sr.ht.conf
index 85544bc..46fdf20 100644
--- a/meta.sr.ht.conf
+++ b/meta.sr.ht.conf
@@ -12,6 +12,7 @@ server {

	location / {
		proxy_pass http://127.0.0.1:5000;
		include headers.conf;
		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
		include web.conf;
	}
diff --git a/paste.sr.ht.conf b/paste.sr.ht.conf
index f2c258d..1d0139a 100644
--- a/paste.sr.ht.conf
+++ b/paste.sr.ht.conf
@@ -14,6 +14,7 @@ server {

	location / {
		proxy_pass http://127.0.0.1:5011;
		include headers.conf;
		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
		include web.conf;
	}
diff --git a/port443.conf b/port443.conf
index a2ae4a2..f074123 100644
--- a/port443.conf
+++ b/port443.conf
@@ -1,11 +1,6 @@
listen 443 ssl http2;
listen [::]:443 ssl http2;

add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Fuck you, Google, I don't spy on my users
add_header Permissions-Policy interest-cohort=();

gzip on;
gzip_types text/css text/html;

diff --git a/todo.sr.ht.conf b/todo.sr.ht.conf
index 880d4b1..55acb8a 100644
--- a/todo.sr.ht.conf
+++ b/todo.sr.ht.conf
@@ -14,6 +14,7 @@ server {

	location / {
		proxy_pass http://127.0.0.1:5003;
		include headers.conf;
		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
		include web.conf;
	}
-- 
2.35.1
Thanks!

To git@git.sr.ht:~sircmpwn/sr.ht-nginx
   305e2a5..5300cf2  master -> master