See #880: added CSP policy in deployment files

This commit is contained in:
Eliot Berriot 2019-07-10 15:11:29 +02:00
parent 49978081b0
commit 9c5f623d03
No known key found for this signature in database
GPG Key ID: DD6965E2476E5C27
5 changed files with 25 additions and 1 deletions


@ -0,0 +1 @@
Hardened security thanks to CSP and additional HTTP headers (#880)


@ -43,3 +43,18 @@ Then, edit your ``/etc/systemd/system/funkwhale-server.service`` and replace the
``ExecStart=/srv/funkwhale/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}`` ``ExecStart=/srv/funkwhale/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}``
Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``. Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``.
Content-Security-Policy [manual action suggested]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To improve the security and reduce the attack surface in case of a successfull exploit, we suggest
you add the following Content-Security-Policy to the Nginx configuration of your proxy (same value
for both Docker and non-Docker deployments)::
server {
# Security related headers
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
}
Then reload nginx with ``systemctl reload nginx``.


@ -29,6 +29,9 @@ server {
# HSTS # HSTS
add_header Strict-Transport-Security "max-age=31536000"; add_header Strict-Transport-Security "max-age=31536000";
# Security related headers
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
# compression settings # compression settings
gzip on; gzip on;
gzip_comp_level 5; gzip_comp_level 5;
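Review bot: The new `add_header Content-Security-Policy` line is set at server level, and nginx only inherits `add_header` directives from the enclosing level when the current level declares none of its own, so any `location` block in this file that carries its own `add_header` will answer without the CSP (and without the HSTS header on the line above it); the same applies to the corresponding lines in the other two nginx files of this commit. Each `location` in the server block should be checked, or the security headers repeated there. Separately, `frame-ancestors` and `base-uri` do not fall back to `default-src`, so this policy does not restrict who may frame the site unless `X-Frame-Options` is set elsewhere in the file; if embedding in third-party pages is not a supported use case, appending `frame-ancestors 'self'; base-uri 'self';` to the value would cover that. The `server {` block starts and ends outside the hunk.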


@ -41,6 +41,9 @@ server {
# HSTS # HSTS
add_header Strict-Transport-Security "max-age=31536000"; add_header Strict-Transport-Security "max-age=31536000";
# Security related headers
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
root ${FUNKWHALE_FRONTEND_PATH}; root ${FUNKWHALE_FRONTEND_PATH};
# compression settings # compression settings
@ -111,7 +114,7 @@ server {
internal; internal;
alias ${MEDIA_ROOT}; alias ${MEDIA_ROOT};
} }
# Comment the previous location and uncomment this one if you're storing # Comment the previous location and uncomment this one if you're storing
# media files in a S3 bucket # media files in a S3 bucket
# location ~ /_protected/media/(.+) { # location ~ /_protected/media/(.+) {


@ -69,6 +69,8 @@ http {
text/x-component text/x-component
text/x-cross-domain-policy; text/x-cross-domain-policy;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
location /front/ { location /front/ {
# uncomment the following line and comment the proxy-pass one # uncomment the following line and comment the proxy-pass one
# to use the frontend build with "yarn build" # to use the frontend build with "yarn build"
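Review bot: The CSP line added at the end of the gzip type list lacks the `# Security related headers` comment that accompanies the identical directive in the other nginx files of this commit, and sits away from the HSTS header, which makes it easy to overlook when the files are next compared; I would put `# Security related headers` above it. The hunk's context marker is `http {`, so if the directive really lives at http level, any `add_header` inside the nested `server` or `location` blocks (for example the `location /front/` directly below) suppresses it under nginx's inheritance rules — worth confirming none of them sets its own headers. The enclosing block continues outside the hunk.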