sync roles with changes from OWS

2023-10-21 13:13:20 +00:00
parent e14271eab0
commit ccd75528ed
43 changed files with 479 additions and 107 deletions
--- a/roles/webserver/templates/conf.d/cloud.conf.j2
+++ b/roles/webserver/templates/conf.d/cloud.conf.j2
@@ -22,7 +22,10 @@ server {
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
-    http2 on;
+    # Enable QUIC and HTTP/3.
+    listen 443 quic;
+    listen [::]:443 quic;
+
    server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
    include global/cert.conf;

@@ -35,7 +38,7 @@ server {
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
-    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header Strict-Transport-Security "max-age=15768000; preload" always;

    # set max upload size and increase upload timeout:
    client_max_body_size {{ nextcloud_max_upload_size }};
@@ -68,6 +71,10 @@ server {
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;

+    # Add Alt-Svc header to negotiate HTTP/3.
+    add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always;
+    add_header x-quic 'h3' always;
+
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

--- a/roles/webserver/templates/conf.d/twirling.conf.j2
+++ b/roles/webserver/templates/conf.d/twirling.conf.j2
@@ -9,9 +9,17 @@ server {
 }

 server {
-    # Enable HTTP/2
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
+    # Enable QUIC and HTTP/3.
+    listen 443 quic reuseport default_server;
+    listen [::]:443 quic reuseport default_server;
+    http3 on;
+    http3_hq on;
+    quic_retry on;
+    quic_gso on;
+
    server_name {{ webserver_domain }} www.{{ webserver_domain }};
    include global/cert.conf;
    include global/header.conf;
--- a/roles/webserver/templates/header.conf.j2
+++ b/roles/webserver/templates/header.conf.j2
@@ -44,14 +44,17 @@ add_header X-XSS-Protection "1; mode=block" always;
 # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
 # directives for css and js(if you have inline css or js, you will need to keep it too).
 # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
-#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src to 'none'; frame-ancestors 'self' https://*.twirling.de https://twirling.de";
+#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline' font-src 'self'; frame-src ; object-src 'none'";
+add_header Content-Security-Policy "frame-ancestors 'self' https://*.{{ webserver_domain }} https://{{ webserver_domain }}";

 #add_header Referrer-Policy no-referrer;
 add_header Referrer-Policy "no-referrer" always;

-add_header Feature-Policy "accelerometer 'none'; autoplay 'self'; geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self' https://*.twirling.de; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'self'; fullscreen 'self'; payment 'none'; usb 'none'";
-add_header Permissions-Policy "geolocation=(self);midi=();notifications=(self);push=(self);sync-xhr=(self 'https://*.twirling.de');microphone=(self);camera=(self);magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=()";
+add_header Feature-Policy "accelerometer 'none'; autoplay 'self'; geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self' https://*.{{ webserver_domain }}; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'self'; fullscreen 'self'; payment 'none'; usb 'none'";
+add_header Permissions-Policy "geolocation=(self);midi=();notifications=(self);push=(self);sync-xhr=(self 'https://*.{{ webserver_domain }}');microphone=(self);camera=(self);magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=()";
+
+add_header X-Robots-Tag "noindex, noimageindex, nofollow, nosnippet, noarchive" always;

 # Add Alt-Svc header to negotiate HTTP/3.
-#add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
-#add_header QUIC-Status $quic;     # Sent when QUIC was used
+add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always;
+add_header x-quic 'h3' always;