diff --git a/.env.sample b/.env.sample
index 42ea31e..4faf1bc 100644
--- a/.env.sample
+++ b/.env.sample
@@ -16,3 +16,6 @@ SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
 EXTRA_VOLUME=/dev/null:/tmp/.dummy
+
+# X_FRAME_OPTIONS_ENABLED=1
+# X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org
diff --git a/abra.sh b/abra.sh
index 650b31b..d0af171 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,6 +1,7 @@
 export FPM_TUNE_VERSION=v4
-export NGINX_CONF_VERSION=v2
+export NGINX_CONF_VERSION=v3
 export MY_CNF_VERSION=v4
+export ENTRYPOINT_VERSION=v1
 NC_APP_DIR="app:/var/www/html"
diff --git a/compose.yml b/compose.yml
index 5d154fd..553711d 100644
--- a/compose.yml
+++ b/compose.yml
@@ -6,6 +6,8 @@ services:
 - source: nginx_conf
 target: /etc/nginx/nginx.conf
 environment:
+ - X_FRAME_OPTIONS_ALLOW_FROM
+ - X_FRAME_OPTIONS_ENABLED
 - DOMAIN
 - STACK_NAME
 volumes:
@@ -39,10 +41,16 @@ services:
 configs:
 - source: fpm_tune
 target: /usr/local/etc/php-fpm.d/fpm-tune.conf
+ - source: entrypoint target: /custom-entrypoint.sh mode: 555
+ entrypoint: /custom-entrypoint.sh
 secrets:
 - db_password
 - admin_password
 environment:
+ - X_FRAME_OPTIONS_ALLOW_FROM
+ - X_FRAME_OPTIONS_ENABLED
 - DOMAIN
 - STACK_NAME
 - NEXTCLOUD_ADMIN_USER=${ADMIN_USER}
@@ -73,7 +81,6 @@ services:
 - "backupbot.backup=true"
 - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
-
 cron:
 image: nextcloud:24.0.3-fpm
 volumes:
@@ -111,6 +118,7 @@ volumes:
 nextconfig:
 redis:
+
 configs:
 nginx_conf:
 name: ${STACK_NAME}_nginx_${NGINX_CONF_VERSION}
@@ -119,6 +127,10 @@ configs:
 fpm_tune:
 name: ${STACK_NAME}_fpm_tune_${FPM_TUNE_VERSION}
 file: fpm-tune.ini
+ entrypoint:
+ name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+ file: entrypoint.sh.tmpl
+ template_driver: golang
 networks:
 proxy:
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..40562d4
--- /dev/null
+++ b/entrypoint.sh.tmpl
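Review bot: In the second compose.yml hunk, `mode: 555` on the entrypoint config is not the permission set the author presumably wants: Compose interprets a config `mode` as an octal number and its examples write it with a leading zero, and a YAML parser reads the unprefixed `555` as decimal 555 (octal 01053, i.e. owner none, group r-x, other -wx). Write `mode: 0555`. The decimal value still carries an execute bit, so the container may well start as root and hide the mistake, which makes it easy to miss. Since `entrypoint: /custom-entrypoint.sh` replaces the image entrypoint and the wrapper in entrypoint.sh.tmpl always runs `/entrypoint.sh php-fpm`, a one-line comment next to `entrypoint:` saying the wrapper hard-codes php-fpm would help the next maintainer who expects the image's default command to apply.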
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+{{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
+if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Http/ContentSecurityPolicy.php) ]]; then
+ sed -i "91 a\\\t\t'{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}', " lib/public/AppFramework/Http/ContentSecurityPolicy.php
+fi
+{{ end }}
+
+/entrypoint.sh php-fpm
diff --git a/nginx.conf.tmpl b/nginx.conf.tmpl
index 4308bc2..befb5a7 100644
--- a/nginx.conf.tmpl
+++ b/nginx.conf.tmpl
@@ -41,6 +41,7 @@ http {
 # could take several months.
 #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+ # set max upload size
 client_max_body_size 512M;
 fastcgi_buffers 64 4K;
@@ -61,11 +62,18 @@ http {
 add_header Referrer-Policy "no-referrer" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header X-Robots-Tag "none" always;
 add_header X-XSS-Protection "1; mode=block" always;
+ {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
+ add_header X-Frame-Options "{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}" always;
+ add_header Content-Security-Policy "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}";
+ {{ else }}
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ {{ end }}
+
+ # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
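Review bot: The grep on line 4 of the new entrypoint expands `X_FRAME_OPTIONS_ALLOW_FROM` unquoted and uses it as a regular expression, so a value with whitespace or shell metacharacters breaks the command and the dots of a hostname match any character; replace the test with `if ! grep -qF -- '{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}' lib/public/AppFramework/Http/ContentSecurityPolicy.php; then`. The last line should be `exec /entrypoint.sh php-fpm` so the image entrypoint replaces the bash wrapper and php-fpm, not bash, receives the container's stop signal. The `sed -i "91 a..."` edit pins a line number inside a Nextcloud core file, so it is only correct for the image pinned in compose.yml (nextcloud:24.0.3-fpm) and will silently insert at the wrong place after an image bump; a header comment stating that coupling, and a reminder to re-check the line on every upgrade, belongs at the top of the script. A value containing `'` or `/` would also corrupt both the sed expression and the PHP string literal it writes, so the same comment should say the value must be a plain origin. The relative `lib/public/...` paths presumably rely on the image's working directory; confirm that or use absolute paths.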
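Review bot: In the second nginx.conf.tmpl hunk the enabled branch writes the raw `X_FRAME_OPTIONS_ALLOW_FROM` value (a hostname, per the .env.sample entry `embedding-site.example.org`) into `X-Frame-Options`, but that header only accepts `DENY`, `SAMEORIGIN` or the obsolete `ALLOW-FROM uri`, so browsers discard it and the branch's only effective framing restriction is the CSP line. That CSP `add_header` is the one header in the block without `always`, so error responses leave without it; since browsers that understand `frame-ancestors` ignore X-Frame-Options when both are present, I would keep `add_header X-Frame-Options "SAMEORIGIN" always;` unconditionally as the legacy fallback and make the conditional line `add_header Content-Security-Policy "frame-ancestors 'self' {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}" always;` (`'self'` presumably keeps Nextcloud's own framing working — confirm). Note also that `add_header` appends to, rather than replaces, any Content-Security-Policy the PHP backend already emits and browsers enforce every policy received, which appears to be why entrypoint.sh.tmpl patches ContentSecurityPolicy.php; a comment in the template linking the two would save the next maintainer that discovery.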