feat: add csp header configuration for review #103

wants to merge 3 commits into
base: master
4 changes: 3 additions & 1 deletion roles/bettermarks_proxy/defaults/main.yml
Expand Up @@ -4,6 +4,7 @@ bettermarks_proxy_enabled_instances:
- translations
- apps
- events
- csp-report
bettermarks_subdomains:
apm: apm
school: school
Expand All @@ -16,6 +17,7 @@ bettermarks_proxy_subdomains:
apps: apps
events: events
translations: translations
csp: csp-report
bettermarks_domain: bettermarks.com
proxy_identification_header: "x-schulcloud-proxy"
bettermarks_proxy_ingress_enabled: false
Expand All @@ -41,4 +43,4 @@ bettermarks_proxy_chart_values:
ingress:
enabled: "{{ bettermarks_proxy_ingress_enabled }}"
tls: "{{ bettermarks_proxy_ingress_tls }}"
annotations: "{{ bettermarks_proxy_ingress_annotations }}"
annotations: "{{ bettermarks_proxy_ingress_annotations }}"
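Review bot: The map entry added to `bettermarks_proxy_subdomains` is keyed `csp` while the instance added to `bettermarks_proxy_enabled_instances` is `csp-report`; every other pair in this file uses the same string on both sides (`apps: apps`, `events: events`, `translations: translations`). If the role's tasks resolve the upstream subdomain by instance name, `csp-report` will not be found in the map, whereas the templates read it as `bettermarks_proxy_subdomains['csp']` — the lookup code is outside this diff, so please confirm which side is right and use one name consistently, e.g. `csp-report: csp-report` plus `bettermarks_proxy_subdomains['csp-report']` in the templates. The `bettermarks_subdomains` map just above (`apm`, `school`) was not extended; if that map is also consulted per enabled instance, the new instance needs an entry there too.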
7 changes: 6 additions & 1 deletion roles/bettermarks_proxy/templates/apps.conf.j2
Expand Up @@ -3,6 +3,11 @@ server{
location / {
proxy_hide_header 'Access-Control-Allow-Origin';
add_header 'Access-Control-Allow-Origin' $http_origin;
# Hide original CSP Headers
proxy_hide_header 'Content-Security-Policy';
proxy_hide_header 'Content-Security-Policy-Report-Only';
# We don't know how to add root domain.
add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} *.{{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
proxy_set_header {{ proxy_identification_header }} true;
proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
proxy_ssl_server_name on;
Expand All @@ -15,4 +20,4 @@ server{
sub_filter_once off;
sub_filter_types application/json text/javascript;
}
}
}
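Review bot: The new `add_header 'Content-Security-Policy-Report-Only' ...` line has no `always`, so nginx attaches it only to 2xx/3xx responses, while the `proxy_hide_header 'Content-Security-Policy'` two lines above strips the origin's policy from every response; an upstream 4xx/5xx page is therefore delivered with no CSP at all. Append `always` to the `add_header` line. Hiding an enforcing `Content-Security-Policy` and substituting a report-only header also removes whatever enforcement the origin ships today (presumably its policy does not fit the proxied hostnames, but this diff does not show that); if that downgrade is intended, say so in the comment, otherwise hide only `Content-Security-Policy-Report-Only` and emit yours alongside the origin's enforced header. The `location /` block this hunk edits continues past the end of the hunk.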
6 changes: 5 additions & 1 deletion roles/bettermarks_proxy/templates/basic.conf.j2
Expand Up @@ -3,9 +3,13 @@ server{
location / {
proxy_hide_header 'Access-Control-Allow-Origin';
add_header 'Access-Control-Allow-Origin' $http_origin;
# Hide original CSP Headers
proxy_hide_header 'Content-Security-Policy';
proxy_hide_header 'Content-Security-Policy-Report-Only';
add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} *.{{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
proxy_set_header {{ proxy_identification_header }} true;
proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
proxy_ssl_server_name on;
proxy_intercept_errors off;
}
}
}
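Review bot: The host sources `*.{{ bettermarks_proxy_maindomain }}` and `*.{{ root_domain }}` in the new `Content-Security-Policy-Report-Only` line match subdomains only; a CSP wildcard host does not match the bare apex, so anything loaded from `https://{{ root_domain }}/...` or the proxy's main domain itself will be reported as a violation (the "We don't know how to add root domain" comment in apps.conf.j2 suggests this was noticed). The apex is just another host-source, so list it next to the wildcard: `default-src 'self' 'unsafe-eval' 'unsafe-inline' {{ bettermarks_proxy_maindomain }} *.{{ bettermarks_proxy_maindomain }} {{ root_domain }} *.{{ root_domain }}; report-uri ...`. As in the other templates, the `add_header` should carry `always` so the replacement policy is also sent on error responses, since `proxy_hide_header` drops the origin's header on all of them.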
14 changes: 13 additions & 1 deletion roles/bettermarks_proxy/templates/school.conf.j2
Expand Up @@ -7,6 +7,10 @@ server{
add_header 'Access-Control-Allow-Origin' $http_origin;
proxy_hide_header 'Access-Control-Allow-Credentials';
add_header 'Access-Control-Allow-Credentials' true;
# Hide original CSP Headers
proxy_hide_header 'Content-Security-Policy';
proxy_hide_header 'Content-Security-Policy-Report-Only';
add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} *.{{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
# Proxy to the origin
proxy_set_header {{ proxy_identification_header }} true;
proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
Expand All @@ -27,6 +31,10 @@ server{
add_header 'Access-Control-Allow-Origin' $http_origin;
proxy_hide_header 'Access-Control-Allow-Credentials';
add_header 'Access-Control-Allow-Credentials' true;
# Hide original CSP Headers
proxy_hide_header 'Content-Security-Policy';
proxy_hide_header 'Content-Security-Policy-Report-Only';
add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} *.{{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
# Proxy to the origin
proxy_set_header {{ proxy_identification_header }} true;
proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
Expand All @@ -49,6 +57,10 @@ server{
add_header 'Access-Control-Allow-Origin' $http_origin;
proxy_hide_header 'Access-Control-Allow-Credentials';
add_header 'Access-Control-Allow-Credentials' true;
# Hide original CSP Headers
proxy_hide_header 'Content-Security-Policy';
proxy_hide_header 'Content-Security-Policy-Report-Only';
add_header 'Content-Security-Policy-Report-Only' "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.{{ bettermarks_proxy_maindomain }} *.{{ root_domain }}; report-uri https://{{ bettermarks_proxy_subdomains['csp'] }}.{{ bettermarks_proxy_maindomain }}/csp/report-only";
# Proxy to the origin
proxy_set_header {{ proxy_identification_header }} true;
proxy_pass https://{{ bettermarks_subdomain }}.{{ bettermarks_domain }};
Expand All @@ -64,4 +76,4 @@ server{
sub_filter_once off;
sub_filter_types application/json;
}
}
}
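Review bot: The policy added to all three `location` blocks in this file is a single `default-src` that already permits `'unsafe-inline'`, `'unsafe-eval'` and every subdomain of both domains, so the report-only run will surface little beyond third-party hosts and say nothing about inline script or eval usage on the pages; if the aim is to learn what an enforceable policy needs, a stricter candidate (for instance a separate `script-src` without `'unsafe-eval'`) reports more useful violations while still blocking nothing. The identical header string is now pasted five times across three templates in this PR, so consider defining it once as a role default such as `bettermarks_proxy_csp_report_only` and rendering `add_header 'Content-Security-Policy-Report-Only' "{{ bettermarks_proxy_csp_report_only }}" always;` here, which also adds the `always` needed for the header to reach 4xx/5xx responses. The `location` blocks these hunks edit start and end outside the hunks.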