nginx: Don’t override HSTS, X-Frame-Options with other ‘add_header’s.

The nginx ‘add_header’ directive doesn’t inherit the way you’d
want (https://trac.nginx.org/nginx/ticket/854), so we need to manually
simulate inheritance using ‘include’, like we previously did with
api_headers.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
Anders Kaseorg 2020-04-03 16:52:02 -07:00 committed by Tim Abbott
parent ba16b37f8d
commit 06e7d4ec19
4 changed files with 8 additions and 5 deletions


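--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,3 +1,4 @@
+include /etc/nginx/zulip-include/headers;
 add_header Access-Control-Allow-Origin * always;
 add_header Access-Control-Allow-Headers Authorization always;
 add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, PATCH, HEAD' always;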
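Review bot: The new include on the first line of this file carries no comment saying why it is there, and a later cleanup could drop it as redundant with the server-level include. The reason is the add_header inheritance rule the commit message cites: a block that sets its own add_header receives none from its parent, so without this line API responses would lose HSTS and X-Frame-Options. Suggest `# add_header is not inherited into a block that sets its own (nginx ticket 854), so re-add the common security headers here.` directly above the include.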


@ -0,0 +1,5 @@
# Enable HSTS: tell browsers to always use HTTPS
add_header Strict-Transport-Security max-age=15768000 always;
# Set X-Frame-Options to deny to prevent clickjacking
add_header X-Frame-Options DENY always;
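Review bot: The new headers file does not state its own contract: it only takes effect in a block that inherits it unchanged or includes it explicitly, because any add_header in a nested block discards the parent's set. A header comment such as `# Common security headers. nginx does not inherit add_header into a block that sets its own, so every server/location that uses add_header must 'include' this file.` would make that visible where the file is edited. The HSTS max-age of 15768000 seconds (about six months) carries no includeSubDomains or preload token; that may be deliberate, but a short comment on the choice would keep it from being read as an oversight. The rendered hunk shows four of the five added lines, so the fifth is presumably a blank line.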


@ -1,11 +1,7 @@
access_log /var/log/nginx/access.log; access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log; error_log /var/log/nginx/error.log;
# Enable HSTS: tell browsers to always use HTTPS include /etc/nginx/zulip-include/headers;
add_header Strict-Transport-Security max-age=15768000 always;
# Set X-Frame-Options to deny to prevent clickjacking
add_header X-Frame-Options DENY always;
# Serve a custom error page when the app is down # Serve a custom error page when the app is down
error_page 502 503 504 /static/webpack-bundles/5xx.html; error_page 502 503 504 /static/webpack-bundles/5xx.html;
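Review bot: With the server-level add_header lines replaced by the include on line 3, any location inside this server that still calls add_header without the same include will emit no HSTS or X-Frame-Options header at all, per the inheritance rule the commit message cites. The hunk shows only the top of the file, so whether every such location was updated cannot be verified here; the other hunks cover api_headers and /user_avatars, but a repository-wide search for add_header, checking that each block also includes headers, would confirm the rest. The 5xx error_page responses on the last line keep these headers only because the directives in the included file carry `always`, so that parameter should be treated as load-bearing if the file is edited.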


@ -24,6 +24,7 @@ server {
<% if @no_serve_uploads == '' -%> <% if @no_serve_uploads == '' -%>
location /user_avatars { location /user_avatars {
include /etc/nginx/zulip-include/headers;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none' img-src 'self'"; add_header Content-Security-Policy "default-src 'none' img-src 'self'";
include /etc/nginx/zulip-include/uploads.types; include /etc/nginx/zulip-include/uploads.types;