MirrorMirror
/
funkwhale
mirror of https://dev.funkwhale.audio/funkwhale/funkwhale.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

See #880: updated CSP, added X-Frame-Options on front-end files, ensure embeds work

This commit is contained in:
Eliot Berriot 2019-07-18 11:08:18 +02:00
parent 9c5f623d03
commit 53782a5eb5
No known key found for this signature in database
GPG Key ID: DD6965E2476E5C27
4 changed files with 89 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
changes/notes.rst
View File

@ -45,16 +45,56 @@ Then, edit your ``/etc/systemd/system/funkwhale-server.service`` and replace the
Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``. Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``.
Content-Security-Policy [manual action suggested] Content-Security-Policy and additional security headers [manual action suggested]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To improve the security and reduce the attack surface in case of a successfull exploit, we suggest To improve the security and reduce the attack surface in case of a successfull exploit, we suggest
you add the following Content-Security-Policy to the Nginx configuration of your proxy (same value you add the following Content-Security-Policy to your nginx configuration.
for both Docker and non-Docker deployments)::
**On non-docker setups**, in ``/etc/nginx/sites-available/funkwhale.conf``::
server { server {
# Security related headers
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
location /front/ {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN";
# … existing content here
}
# Also create a new location for the embeds to ensure external iframes work
# Simply copy-paste the /front/ location, but replace the following lines:
location /front/embed.html {
add_header X-Frame-Options "ALLOW";
alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
}
} }
Then reload nginx with ``systemctl reload nginx``. Then reload nginx with ``systemctl reload nginx``.
**On docker setups**, in ``/srv/funkwhalenginx/funkwhale.template``::
server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
location /front/ {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN";
# … existing content here
}
# Also create a new location for the embeds to ensure external iframes work
# Simply copy-paste the /front/ location, but replace the following lines:
location /front/embed.html {
add_header X-Frame-Options "ALLOW";
alias /frontent/embed.html;
}
}
Then reload nginx with ``docker-compose restart nginx``.

19
deploy/docker.nginx.template
View File

@ -23,6 +23,10 @@ server {
root /frontend; root /frontend;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
location / { location / {
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;
# this is needed if you have file import via upload enabled # this is needed if you have file import via upload enabled
@ -31,12 +35,27 @@ server {
} }
location /front/ { location /front/ {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW";
alias /frontend/; alias /frontend/;
expires 30d; expires 30d;
add_header Pragma public; add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate"; add_header Cache-Control "public, must-revalidate, proxy-revalidate";
} }
location /front/embed.html {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW";
alias /frontend/embed.html;
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location /federation/ { location /federation/ {
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api/federation/; proxy_pass http://funkwhale-api/federation/;

16
deploy/nginx.template
View File

@ -41,8 +41,8 @@ server {
# HSTS # HSTS
add_header Strict-Transport-Security "max-age=31536000"; add_header Strict-Transport-Security "max-age=31536000";
# Security related headers
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
root ${FUNKWHALE_FRONTEND_PATH}; root ${FUNKWHALE_FRONTEND_PATH};
@ -81,11 +81,25 @@ server {
} }
location /front/ { location /front/ {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN";
alias ${FUNKWHALE_FRONTEND_PATH}/; alias ${FUNKWHALE_FRONTEND_PATH}/;
expires 30d; expires 30d;
add_header Pragma public; add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate"; add_header Cache-Control "public, must-revalidate, proxy-revalidate";
} }
location /front/embed.html {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW";
alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location /federation/ { location /federation/ {
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;

10
docker/nginx/conf.dev
View File

@ -70,13 +70,23 @@ http {
text/x-cross-domain-policy; text/x-cross-domain-policy;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
location /front/ { location /front/ {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN";
# uncomment the following line and comment the proxy-pass one # uncomment the following line and comment the proxy-pass one
# to use the frontend build with "yarn build" # to use the frontend build with "yarn build"
#alias /frontend/dist/; #alias /frontend/dist/;
proxy_pass http://funkwhale-front/front/; proxy_pass http://funkwhale-front/front/;
} }
location /front/embed.html {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW";
proxy_pass http://funkwhale-front/front/embed.html;
}
location /front-server/ { location /front-server/ {
proxy_pass http://funkwhale-front/; proxy_pass http://funkwhale-front/;
} }