kopatz/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update nginx settings

Browse Source
This commit is contained in:
Kopatz
2024-04-15 17:25:39 +02:00
parent a7dba3bffd
commit 2c8d126d6f
2 changed files with 29 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
modules/services/kavita.nix
View File

@@ -75,6 +75,7 @@ in
http3 = useHttps; http3 = useHttps;
locations."/".proxyPass = "http://127.0.0.1:5000"; locations."/".proxyPass = "http://127.0.0.1:5000";
locations."/".extraConfig = '' locations."/".extraConfig = ''
more_clear_headers 'x-frame-options';
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept"; add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept";

56
modules/services/nginx.nix
View File

@@ -11,7 +11,7 @@
services.nginx = { services.nginx = {
enable = true; enable = true;
package = pkgs.nginxQuic; package = pkgs.nginxQuic;
#additionalModules = [ pkgs.nginxModules.moreheaders ]; additionalModules = [ pkgs.nginxModules.moreheaders ];
# Use recommended settings # Use recommended settings
recommendedGzipSettings = true; recommendedGzipSettings = true;
@@ -22,35 +22,35 @@
# Only allow PFS-enabled ciphers with AES256 # Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
#appendConfig= '' appendHttpConfig= ''
# more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains'; more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains';
# more_set_headers 'X-XSS-Protection 1; mode=block'; more_set_headers 'X-XSS-Protection 1; mode=block';
# more_set_headers 'X-Frame-Options SAMEORIGIN'; # add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
# more_set_headers 'X-Content-Type-Options nosniff'; more_set_headers 'X-Content-Type-Options nosniff';
# more_set_headers "Content-Security-Policy default-src 'self'; font-src *;"; more_set_headers "Content-Security-Policy: frame-ancestors 'https://kopatz.ddns.net'";
#'';
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'https://kopatz.ddns.net'" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
''; '';
#appendHttpConfig = ''
# # Add HSTS header with preloading to HTTPS requests.
# # Adding this header to HTTP requests is discouraged
# map $scheme $hsts_header {
# https "max-age=31536000; includeSubdomains; preload";
# }
# add_header Strict-Transport-Security $hsts_header;
# # Enable CSP for your services.
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'https://kopatz.ddns.net'" always;
# # Minimize information leaked to other domains
# add_header 'Referrer-Policy' 'origin-when-cross-origin';
# # Disable embedding as a frame
# add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
# # Prevent injection of code in other mime types (XSS Attacks)
# add_header X-Content-Type-Options nosniff;
#'';
# Setup Nextcloud virtual host to listen on ports # Setup Nextcloud virtual host to listen on ports
virtualHosts = { virtualHosts = {
"kopatz.ddns.net" = { "kopatz.ddns.net" = {