sslProtocols = "TLSv1.3 TLSv1.2";
configs = rec {
http_add_headers = ''
- # Add HSTS header with preloading to HTTPS requests.
- # Adding this header to HTTP requests is discouraged
- # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
- add_header Strict-Transport-Security $hsts_header;
-
- # Enable CSP for your services.
+ # Enable CSP
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
- # Disable embedding as a frame
- add_header X-Frame-Options DENY;
+ # Restrict embedding as a frame
+ #add_header X-Frame-Options SAMEORIGIN;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
-
- # Enable XSS protection of the browser.
- # May be unnecessary when CSP is configured properly (see above)
- add_header X-XSS-Protection "1; mode=block";
'';
https_add_headers = ''
${http_add_headers}
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged,
+ # as doing so makes the connection vulnerable to SSL stripping attacks
+ # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
+ add_header Strict-Transport-Security $hsts_header;
'';
};
commonHttpConfig = ''
types {
text/html html5;
text/plain md;
+ text/plain dump;
}
'' +
lib.concatStringsSep "\n" (lib.attrValues {
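Review bot: After this change no anti-framing header is emitted at all: `add_header X-Frame-Options DENY;` is removed and its replacement `#add_header X-Frame-Options SAMEORIGIN;` stays commented out, while the Content-Security-Policy line (which could carry a `frame-ancestors` directive instead) is also still commented out. If same-origin framing is the intent, enable the line, `add_header X-Frame-Options SAMEORIGIN;`, and change the comment to state why DENY was relaxed. Separately, moving `add_header X-XSS-Protection "1; mode=block";` into the shared block keeps a header that current browser and OWASP guidance treats as deprecated, whose filtering mode has been abused for cross-site information leaks in older browsers; the usual recommendation is `add_header X-XSS-Protection "0";` or omitting it, as the existing comment already hints when it defers to CSP. The `$hsts_header` variable used in https_add_headers is presumably defined by a `map` elsewhere in the file; its definition is outside this hunk.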
${nginx.configs.http_add_headers}
# This might create errors
- proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
log = ''
access_log /var/log/nginx/access.log main buffer=32k;
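Review bot: Commenting out `proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";` leaves `# This might create errors` above dead configuration and silently drops the Secure/HttpOnly/SameSite attributes that were being applied to cookies from proxied backends, so each upstream now has to set those flags itself. Either delete the dead line together with its comment, or replace the comment with one that records the reason and the new expectation, e.g. `# proxy_cookie_path rewrite disabled (caused errors: TODO describe); backends must set Secure/HttpOnly/SameSite on their own cookies`. The attribute set passed to lib.attrValues begins before this hunk.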