add headers to embed nextcloud in frame on external site (#28)
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/push Build is failing
Details
This introduces new env variables to configure nextloud to be embedded via iframe on an external site. Setting X_FRAME_OPTIONS_ENABLED=1 will configure nginx and nextcloud to set X-Frame-Options and CSP headers to allow the domain configured in X_FRAME_OPTIONS_ALLOW_FROM. I created a PR because I'm not sure if this is helpful for other people or just a custom hack that bloats the recipe :D Co-authored-by: Philipp Rothmann <philipprothmann@posteo.de> Reviewed-on: #28
This commit is contained in:
parent
daa57eece9
commit
16ad6c22ea
|
@ -16,3 +16,6 @@ SECRET_DB_PASSWORD_VERSION=v1
|
|||
SECRET_ADMIN_PASSWORD_VERSION=v1
|
||||
|
||||
EXTRA_VOLUME=/dev/null:/tmp/.dummy
|
||||
|
||||
# X_FRAME_OPTIONS_ENABLED=1
|
||||
# X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org
|
||||
|
|
3
abra.sh
3
abra.sh
|
@ -1,6 +1,7 @@
|
|||
export FPM_TUNE_VERSION=v4
|
||||
export NGINX_CONF_VERSION=v2
|
||||
export NGINX_CONF_VERSION=v3
|
||||
export MY_CNF_VERSION=v4
|
||||
export ENTRYPOINT_VERSION=v1
|
||||
|
||||
NC_APP_DIR="app:/var/www/html"
|
||||
|
||||
|
|
14
compose.yml
14
compose.yml
|
@ -6,6 +6,8 @@ services:
|
|||
- source: nginx_conf
|
||||
target: /etc/nginx/nginx.conf
|
||||
environment:
|
||||
- X_FRAME_OPTIONS_ALLOW_FROM
|
||||
- X_FRAME_OPTIONS_ENABLED
|
||||
- DOMAIN
|
||||
- STACK_NAME
|
||||
volumes:
|
||||
|
@ -39,10 +41,16 @@ services:
|
|||
configs:
|
||||
- source: fpm_tune
|
||||
target: /usr/local/etc/php-fpm.d/fpm-tune.conf
|
||||
- source: entrypoint
|
||||
target: /custom-entrypoint.sh
|
||||
mode: 555
|
||||
entrypoint: /custom-entrypoint.sh
|
||||
secrets:
|
||||
- db_password
|
||||
- admin_password
|
||||
environment:
|
||||
- X_FRAME_OPTIONS_ALLOW_FROM
|
||||
- X_FRAME_OPTIONS_ENABLED
|
||||
- DOMAIN
|
||||
- STACK_NAME
|
||||
- NEXTCLOUD_ADMIN_USER=${ADMIN_USER}
|
||||
|
@ -73,7 +81,6 @@ services:
|
|||
- "backupbot.backup=true"
|
||||
- "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
|
||||
|
||||
|
||||
cron:
|
||||
image: nextcloud:24.0.3-fpm
|
||||
volumes:
|
||||
|
@ -111,6 +118,7 @@ volumes:
|
|||
nextconfig:
|
||||
redis:
|
||||
|
||||
|
||||
configs:
|
||||
nginx_conf:
|
||||
name: ${STACK_NAME}_nginx_${NGINX_CONF_VERSION}
|
||||
|
@ -119,6 +127,10 @@ configs:
|
|||
fpm_tune:
|
||||
name: ${STACK_NAME}_fpm_tune_${FPM_TUNE_VERSION}
|
||||
file: fpm-tune.ini
|
||||
entrypoint:
|
||||
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
|
||||
file: entrypoint.sh.tmpl
|
||||
template_driver: golang
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
{{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
|
||||
if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Http/ContentSecurityPolicy.php) ]]; then
|
||||
sed -i "91 a\\\t\t'{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}', " lib/public/AppFramework/Http/ContentSecurityPolicy.php
|
||||
fi
|
||||
{{ end }}
|
||||
|
||||
/entrypoint.sh php-fpm
|
|
@ -41,6 +41,7 @@ http {
|
|||
# could take several months.
|
||||
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
|
||||
|
||||
|
||||
# set max upload size
|
||||
client_max_body_size 512M;
|
||||
fastcgi_buffers 64 4K;
|
||||
|
@ -61,11 +62,18 @@ http {
|
|||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
||||
{{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
|
||||
add_header X-Frame-Options "{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}" always;
|
||||
add_header Content-Security-Policy "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}";
|
||||
{{ else }}
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
{{ end }}
|
||||
|
||||
|
||||
# Remove X-Powered-By, which is an information leak
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
|
||||
|
|
Loading…
Reference in New Issue