From e9e380939866122f949b1fa755560762c14fde5b Mon Sep 17 00:00:00 2001
From: Saurabh Gupta
Date: Mon, 17 Jun 2024 13:44:22 +0200
Subject: [PATCH] feat: add csp header configuration for review
---
 roles/bettermarks_proxy/defaults/main.yml | 4 +++-
 roles/bettermarks_proxy/templates/apps.conf.j2 | 7 ++++++-
 roles/bettermarks_proxy/templates/basic.conf.j2 | 6 +++++-
 roles/bettermarks_proxy/templates/school.conf.j2 | 14 +++++++++++++-
 4 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/roles/bettermarks_proxy/defaults/main.yml b/roles/bettermarks_proxy/defaults/main.yml
index 9ff53b0..ded516f 100644
--- a/roles/bettermarks_proxy/defaults/main.yml
+++ b/roles/bettermarks_proxy/defaults/main.yml
@@ -4,6 +4,7 @@ bettermarks_proxy_enabled_instances:
 - translations
 - apps
 - events
+ - csp-report
 bettermarks_subdomains:
 apm: apm
 school: school
@@ -16,6 +17,7 @@ bettermarks_proxy_subdomains:
 apps: apps
 events: events
 translations: translations
+ csp: csp-report
 bettermarks_domain: bettermarks.com
 proxy_identification_header: "x-schulcloud-proxy"
 bettermarks_proxy_ingress_enabled: false
@@ -41,4 +43,4 @@ bettermarks_proxy_chart_values:
 ingress:
 enabled: "{{ bettermarks_proxy_ingress_enabled }}"
 tls: "{{ bettermarks_proxy_ingress_tls }}"
- annotations: "{{ bettermarks_proxy_ingress_annotations }}"
\ No newline at end of file
+ annotations: "{{ bettermarks_proxy_ingress_annotations }}"
diff --git a/roles/bettermarks_proxy/templates/apps.conf.j2 b/roles/bettermarks_proxy/templates/apps.conf.j2
index 7e13f2d..ad64d7b 100644
--- a/roles/bettermarks_proxy/templates/apps.conf.j2
+++ b/roles/bettermarks_proxy/templates/apps.conf.j2
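Review bot: The new `bettermarks_proxy_subdomains` entry is keyed `csp` while the instance added to `bettermarks_proxy_enabled_instances` in the previous hunk is `csp-report`, and every existing entry (`apps: apps`, `events: events`, `translations: translations`) uses the instance name as its key. If the role resolves a subdomain per enabled instance, `csp-report` has no entry and will presumably fail to render; if the templates' `bettermarks_proxy_subdomains['csp']` lookup is the only consumer, the extra enabled instance is unexplained. Either rename the instance to `csp`, or key the mapping `csp-report: csp-report` and change the five template lookups to `bettermarks_proxy_subdomains['csp-report']`. The diff also adds no `bettermarks_subdomains` entry and no template for `csp-report`; if an enabled instance needs either, that should come with this change.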
@@ -3,6 +3,11 @@ server{
 location / {
 proxy_hide_header 'Access-Control-Allow-Origin';
 add_header 'Access-Control-Allow-Origin' $http_origin;
+ # Hide original CSP Headers
+ proxy_hide_header 'Content-Security-Policy';
+ proxy_hide_header 'Content-Security-Policy-Report-Only';
+ # We don't know how to add root domain.
+ add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} {{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
 proxy_set_header {{ proxy_identification_header }} true;
 proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
 proxy_ssl_server_name on;
@@ -15,4 +20,4 @@ server{
 sub_filter_once off;
 sub_filter_types application/json text/javascript;
 }
-}
\ No newline at end of file
+}
diff --git a/roles/bettermarks_proxy/templates/basic.conf.j2 b/roles/bettermarks_proxy/templates/basic.conf.j2
index 3304486..516673d 100644
--- a/roles/bettermarks_proxy/templates/basic.conf.j2
+++ b/roles/bettermarks_proxy/templates/basic.conf.j2
@@ -3,9 +3,13 @@ server{
 location / {
 proxy_hide_header 'Access-Control-Allow-Origin';
 add_header 'Access-Control-Allow-Origin' $http_origin;
+ # Hide original CSP Headers
+ proxy_hide_header 'Content-Security-Policy';
+ proxy_hide_header 'Content-Security-Policy-Report-Only';
+ add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} {{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
 proxy_set_header {{ proxy_identification_header }} true;
 proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
 proxy_ssl_server_name on;
 proxy_intercept_errors off;
 }
-}
\ No newline at end of file
+}
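Review bot: `proxy_hide_header 'Content-Security-Policy'` strips whatever enforced policy the origin sends, and the only header added in its place is Report-Only, so after this change browsers enforce nothing on these responses — a downgrade, not a monitored rollout on top of existing protection. Keep the origin's enforcing header by dropping that line (hiding only `Content-Security-Policy-Report-Only` is enough to avoid two report-only headers), or if the origin's policy is known to break behind the proxy, say so explicitly, because `# Hide original CSP Headers` does not explain a deliberate downgrade. The comment `# We don't know how to add root domain.` should not ship as an open question in config; replace it with a comment stating what `root_domain` is and where it is defined. The `location /` block continues past the end of the hunk.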
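Review bot: The Report-Only header value in this hunk is the same literal as in apps.conf.j2 and the three school.conf.j2 locations, so every tightening of the policy has to be repeated five times and the copies will drift. Move the value into a role default such as `bettermarks_proxy_csp_report_only: "default-src 'self' ... ; report-uri ..."` and render `add_header 'Content-Security-Policy-Report-Only' "{{ bettermarks_proxy_csp_report_only }}";` in each template. Note also that nginx's `add_header` without `always` is applied only to 2xx/3xx responses, so violations on error pages are never reported; append `always` if those should be covered (the neighbouring `Access-Control-Allow-Origin` line has the same limitation, but that is pre-existing).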
diff --git a/roles/bettermarks_proxy/templates/school.conf.j2 b/roles/bettermarks_proxy/templates/school.conf.j2
index f759414..2e12c92 100644
--- a/roles/bettermarks_proxy/templates/school.conf.j2
+++ b/roles/bettermarks_proxy/templates/school.conf.j2
@@ -7,6 +7,10 @@ server{
 add_header 'Access-Control-Allow-Origin' $http_origin;
 proxy_hide_header 'Access-Control-Allow-Credentials';
 add_header 'Access-Control-Allow-Credentials' true;
+ # Hide original CSP Headers
+ proxy_hide_header 'Content-Security-Policy';
+ proxy_hide_header 'Content-Security-Policy-Report-Only';
+ add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} {{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
 # Proxy to the origin
 proxy_set_header {{ proxy_identification_header }} true;
 proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
@@ -27,6 +31,10 @@ server{
 add_header 'Access-Control-Allow-Origin' $http_origin;
 proxy_hide_header 'Access-Control-Allow-Credentials';
 add_header 'Access-Control-Allow-Credentials' true;
+ # Hide original CSP Headers
+ proxy_hide_header 'Content-Security-Policy';
+ proxy_hide_header 'Content-Security-Policy-Report-Only';
+ add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} {{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
 # Proxy to the origin
 proxy_set_header {{ proxy_identification_header }} true;
 proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
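Review bot: `default-src` is the only directive in the added policy and it carries both `'unsafe-inline'` and `'unsafe-eval'`, so even once this is switched from Report-Only to enforcing it will not stop injected inline scripts or `eval`; it only constrains which hosts resources may come from. If the rollout is meant to discover the real script sources, split `script-src` out of `default-src` so the reports show which inline/eval usage actually exists, and record the intent next to the header, e.g. `# Report-only baseline; unsafe-inline/unsafe-eval stay until script-src can be tightened`. `root_domain` also has no default in this role, so on an inventory where it is unset Ansible's default undefined-variable handling fails the template render rather than leaving a gap in the source list; give it a default or document where it is expected to come from. The enclosing `location` block starts before and ends after this hunk.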
@@ -49,6 +57,10 @@ server{
 add_header 'Access-Control-Allow-Origin' $http_origin;
 proxy_hide_header 'Access-Control-Allow-Credentials';
 add_header 'Access-Control-Allow-Credentials' true;
+ # Hide original CSP Headers
+ proxy_hide_header 'Content-Security-Policy';
+ proxy_hide_header 'Content-Security-Policy-Report-Only';
+ add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} {{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
 # Proxy to the origin
 proxy_set_header {{ proxy_identification_header }} true;
 proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
@@ -64,4 +76,4 @@ server{
 sub_filter_once off;
 sub_filter_types application/json;
 }
-}
\ No newline at end of file
+}
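Review bot: The source list names `*.{{ bettermarks_proxy_maindomain }}` and `{{ root_domain }}` but not `{{ bettermarks_domain }}`, the host this location forwards to on the `proxy_pass` line, so any asset the proxied pages still load directly from the origin will be reported as a violation. That may be exactly what the rollout is meant to surface, but it is not obvious from the code; add `# bettermarks_domain is intentionally absent: direct loads from the origin should show up in reports` (or add the host if that is not the intent). `report-uri` is deprecated in favour of `report-to`; browsers still honour it, but if the `csp-report` endpoint is meant to be long-lived, consider also emitting a `Reporting-Endpoints` header and a `report-to` directive so reports keep flowing when `report-uri` support is dropped. The enclosing `location` block starts before and ends after this hunk.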