From 7e0dc206837a1859f0571bfe0c6d570e293daa11 Mon Sep 17 00:00:00 2001 From: vmaubert <v.maubert@code-troopers.com> Date: Mon, 27 Nov 2023 11:57:55 +0100 Subject: [PATCH] fix(nginx): corrige les CSP --- Dockerfile.ui | 3 ++- ui_nginx.conf | 13 +++++++------ ui_nginx_headers.conf | 6 ++++++ 3 files changed, 15 insertions(+), 7 deletions(-) create mode 100644 ui_nginx_headers.conf diff --git a/Dockerfile.ui b/Dockerfile.ui index 2f3f14cff..52dbd3fb0 100644 --- a/Dockerfile.ui +++ b/Dockerfile.ui @@ -16,5 +16,6 @@ COPY ./ /app/ RUN make build/ui FROM nginx:1.25.3 -ADD ui_nginx.conf /etc/nginx/templates/default.conf.template +COPY ui_nginx.conf /etc/nginx/templates/default.conf.template +COPY ui_nginx_headers.conf /etc/nginx/templates/headers.conf.template COPY --from=build-stage /app/packages/ui/dist /usr/share/nginx/html diff --git a/ui_nginx.conf b/ui_nginx.conf index b3965e2ff..263707ac3 100644 --- a/ui_nginx.conf +++ b/ui_nginx.conf @@ -6,8 +6,11 @@ server { gzip on; gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/rss+xml text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/jpeg image/png image/svg+xml image/x-icon; + include /etc/nginx/conf.d/headers.conf; + location =/ { root /usr/share/nginx/html; + include /etc/nginx/conf.d/headers.conf; add_header Cache-Control no-cache; expires 0; try_files /index.html =404; 
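Review bot: The new template is rendered to `/etc/nginx/conf.d/headers.conf`, and the `nginx.conf` shipped in the stock `nginx:1.25.3` image already has `include /etc/nginx/conf.d/*.conf;` at http scope, so if that default config is left as is the `add_header` set is loaded once by the glob at http level and again through the explicit `include` lines in `ui_nginx.conf`. It starts today because `add_header` is valid at http level, but any directive later added to this file that is only legal inside `server`/`location` will break nginx at boot, and the silent http-level copy makes it harder to reason about which headers a given location really ends up with. Rendering it under a name the glob does not match avoids both: `COPY ui_nginx_headers.conf /etc/nginx/templates/headers.inc.template` (output `headers.inc`), with the `include` directives in `ui_nginx.conf` pointed at `/etc/nginx/conf.d/headers.inc`.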
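Review bot: The `include /etc/nginx/conf.d/headers.conf;` inside `location =/` is not redundant with the one at server level: nginx replaces the whole inherited `add_header` set as soon as a block declares its own `add_header` (here `Cache-Control`), which is presumably why the CSP went missing in the first place. That rule is invisible in the config, so the next `add_header` someone drops into a location will silently strip every security header again. The server-level include should say so, e.g. `# add_header is replaced, not merged, once a block sets its own: every location that uses add_header must also include headers.conf`. The `location =/` block's closing brace lies outside this hunk.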
@@ -21,19 +24,15 @@ server { location @index { root /usr/share/nginx/html; + include /etc/nginx/conf.d/headers.conf; add_header Cache-Control no-cache; expires 0; try_files /index.html =404; } - add_header Content-Security-Policy "default-src 'none'; script-src 'self' ${API_MATOMO_URL} 'sha256-quOgp+M4pH4TUco5DwHuTMyTY9AY+DOk4jkIMuGgSJs='; style-src 'self'; font-src 'self'; object-src 'self'; frame-src 'self'; connect-src 'self' sentry.incubateur.net ${API_MATOMO_URL}; img-src data: 'self' tile.openstreetmap.org a.tile.openstreetmap.org b.tile.openstreetmap.org c.tile.openstreetmap.org tile.openstreetmap.fr a.tile.openstreetmap.fr b.tile.openstreetmap.fr c.tile.openstreetmap.fr geoservices.brgm.fr wxs.ign.fr datacarto.geoguyane.fr gisdata.cerema.fr services.data.shom.fr; base-uri 'none'; form-action 'self'; frame-ancestors 'none';"; - add_header X-Frame-Options "DENY"; - add_header X-Content-Type-Options "nosniff"; - add_header X-XSS-Protection "1; mode=block"; - add_header Access-Control-Allow-Origin "*"; - add_header Referrer-Policy "same-origin"; location /apiUrl { + include /etc/nginx/conf.d/headers.conf; add_header Cache-Control "no-cache"; rewrite ^/apiUrl/(.*) /$1 break; proxy_pass ${API_URL}; @@ -41,6 +40,7 @@ server { location /stream/version { + include /etc/nginx/conf.d/headers.conf; add_header Cache-Control "no-cache"; proxy_set_header Connection ''; proxy_http_version 1.1; @@ -49,6 +49,7 @@ server { } location /televersement { + include /etc/nginx/conf.d/headers.conf; add_header Cache-Control "no-cache"; proxy_pass ${API_URL}; } diff --git a/ui_nginx_headers.conf b/ui_nginx_headers.conf new file mode 100644 index 000000000..ecdcbf77a --- /dev/null +++ b/ui_nginx_headers.conf 
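Review bot: With the include now in `location /apiUrl`, proxied API responses carry `Access-Control-Allow-Origin: *` and the UI's CSP on top of whatever `${API_URL}` sends back; `add_header` appends rather than overrides, so if the upstream emits its own `Access-Control-Allow-Origin` the browser sees two values and rejects the CORS response outright. A wildcard origin on an API proxy also deserves a look in its own right, since it lets any site read every non-credentialed response. Because nginx cannot subtract a header from an included set, the clean split is to keep only the browser-hardening headers in the shared file and leave CORS to the upstream, or to a separate include used only where it is wanted. The `location /apiUrl` block continues past the end of the hunk.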
@@ -0,0 +1,6 @@
+add_header Content-Security-Policy "default-src 'none'; script-src 'self' ${API_MATOMO_URL} 'sha256-quOgp+M4pH4TUco5DwHuTMyTY9AY+DOk4jkIMuGgSJs='; style-src 'self'; font-src 'self'; object-src 'self'; frame-src 'self'; connect-src 'self' sentry.incubateur.net ${API_MATOMO_URL}; img-src data: 'self' tile.openstreetmap.org a.tile.openstreetmap.org b.tile.openstreetmap.org c.tile.openstreetmap.org tile.openstreetmap.fr a.tile.openstreetmap.fr b.tile.openstreetmap.fr c.tile.openstreetmap.fr geoservices.brgm.fr wxs.ign.fr datacarto.geoguyane.fr gisdata.cerema.fr services.data.shom.fr; base-uri 'none'; form-action 'self'; frame-ancestors 'none';";
+add_header X-Frame-Options "DENY";
+add_header X-Content-Type-Options "nosniff";
+add_header X-XSS-Protection "1; mode=block";
+add_header Access-Control-Allow-Origin "*";
+add_header Referrer-Policy "same-origin";
\ No newline at end of file
-- GitLab
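Review bot: None of these `add_header` lines carries `always`, so nginx emits them only on 200/201/204/206/30x responses; the `=404` produced by `try_files`, and any 4xx/5xx relayed from `${API_URL}` through the proxy locations that include this file, go out with no CSP, `X-Frame-Options` or `X-Content-Type-Options`, which is precisely where error pages that echo request data tend to bite. Append ` always` to every line, e.g. `add_header X-Frame-Options "DENY" always;`. `X-XSS-Protection "1; mode=block"` should become `add_header X-XSS-Protection "0" always;`, since the auditor it turns on is gone from current browsers and where it survives it has been abused for cross-site leaks, so the present guidance is to disable it. `Access-Control-Allow-Origin "*"` is CORS policy rather than browser hardening and, through the shared include, now reaches the API proxy locations as well; drop it from this file or move it to its own include, and add the missing trailing newline while touching it.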