update nginx settings

2024-04-15 17:25:39 +02:00
parent a7dba3bffd
commit 2c8d126d6f
2 changed files with 29 additions and 28 deletions
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -11,7 +11,7 @@
    services.nginx = {
        enable = true;
        package = pkgs.nginxQuic;
-        #additionalModules = [ pkgs.nginxModules.moreheaders ];
+        additionalModules = [ pkgs.nginxModules.moreheaders ];

        # Use recommended settings
        recommendedGzipSettings = true;
@@ -22,35 +22,35 @@
        # Only allow PFS-enabled ciphers with AES256
        sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

-        #appendConfig= ''
-        #    more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains';
-        #    more_set_headers 'X-XSS-Protection 1; mode=block';
-        #    more_set_headers 'X-Frame-Options SAMEORIGIN';
-        #    more_set_headers 'X-Content-Type-Options nosniff';
-        #    more_set_headers "Content-Security-Policy default-src 'self'; font-src *;";
-        #'';
-
-        appendHttpConfig = ''
-          # Add HSTS header with preloading to HTTPS requests.
-          # Adding this header to HTTP requests is discouraged
-          map $scheme $hsts_header {
-              https   "max-age=31536000; includeSubdomains; preload";
-          }
-          add_header Strict-Transport-Security $hsts_header;
-
-          # Enable CSP for your services.
-          add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'https://kopatz.ddns.net'" always;
-
-          # Minimize information leaked to other domains
-          add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
-          # Disable embedding as a frame
-          add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
-
-          # Prevent injection of code in other mime types (XSS Attacks)
-          add_header X-Content-Type-Options nosniff;
+        appendHttpConfig= ''
+            more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains';
+            more_set_headers 'X-XSS-Protection 1; mode=block';
+            #  add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
+            more_set_headers 'X-Content-Type-Options nosniff';
+            more_set_headers "Content-Security-Policy: frame-ancestors 'https://kopatz.ddns.net'";
        '';

+        #appendHttpConfig = ''
+        #  # Add HSTS header with preloading to HTTPS requests.
+        #  # Adding this header to HTTP requests is discouraged
+        #  map $scheme $hsts_header {
+        #      https   "max-age=31536000; includeSubdomains; preload";
+        #  }
+        #  add_header Strict-Transport-Security $hsts_header;
+
+        #  # Enable CSP for your services.
+        #  add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'https://kopatz.ddns.net'" always;
+
+        #  # Minimize information leaked to other domains
+        #  add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+        #  # Disable embedding as a frame
+        #  add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
+
+        #  # Prevent injection of code in other mime types (XSS Attacks)
+        #  add_header X-Content-Type-Options nosniff;
+        #'';
+
        # Setup Nextcloud virtual host to listen on ports
        virtualHosts = {
            "kopatz.ddns.net" = {