bilde2910 / Hauk

Open-source realtime location sharing
Apache License 2.0

Hardening the reverse proxy config #166

Closed callahan22 closed 3 years ago

callahan22 commented 3 years ago

For those of you that want to get an A+ at something like https://securityheaders.com, I have been hardening up the nginx reverse proxy config. Included below for those that are interested.

Edit - Looks like I spoke too soon. While no issues are seen on the site, the app fails to show the maps. Assuming this is the CSP preventing the pulling in of maps from OpenStreetMap. Will put some more work into finding out the cause...

Edit 2 - Fixed. Needed some adjustment to the Content-Security-Policy.

```nginx
# Redirect every plain-HTTP request to HTTPS
server {
  listen 80;
  server_name hauk.myserver.com;
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name hauk.myserver.com;

  # TLS: modern protocol versions and AEAD cipher suites only
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
  ssl_ecdh_curve 'secp521r1:secp384r1';
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_session_tickets off;

  # OCSP stapling. nginx needs a `resolver` directive to look up the OCSP
  # responder's hostname; without one, stapling is silently skipped.
  ssl_stapling on;
  ssl_stapling_verify on;

  ssl_certificate /etc/letsencrypt/live/hauk.myserver.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/hauk.myserver.com/privkey.pem; # managed by Certbot

  # Logging #
  access_log /var/log/nginx/hauk.myserver.com.access.log;
  error_log /var/log/nginx/hauk.myserver.com.error.log;

  location / {
    proxy_pass http://10.0.4.2:2003;

    # add_header directives in a location block replace, rather than extend,
    # any set at server level, so every security header is kept together here.
    # `always` makes nginx send them on error responses (4xx/5xx) as well.
    add_header Referrer-Policy same-origin always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always; # legacy header; the CSP below is the real control
    add_header X-Robots-Tag "noindex, nofollow" always;

    # Hardening #
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;
    # img-src must list the map tile hosts; without it images fall back to
    # default-src, which only allows the Hauk origin (this broke the maps in Edit 1)
    add_header Content-Security-Policy "default-src https://hauk.myserver.com:443; style-src 'self' 'unsafe-hashes' 'sha256-rytaIms2QXmh8KLNkV6HhP89Mx7nl4orsV17KwlC3Ec=' 'sha256-EpRRn8UTeRTYku6zLrvPMbhfG04OfGpeku3jtDP/CLc='; img-src 'self' data: https://*.openstreetmap.org https://fdroid.gitlab.io https://play.google.com" always;
  }
}
```

bilde2910 commented 3 years ago

Thanks for the suggestions! I'll play around with these and see if I can add some of them to index.html as http-equiv meta headers, so they're web server independent and enabled by default. CSP can be somewhat tricky to configure, and STS can be risky to enable by default without fully knowing the implications of doing so.

bilde2910 commented 3 years ago

I've committed CSP to index.html now. `img-src` is set to `* data:` to accommodate users picking any map provider they want, and not just OpenStreetMap. Permissions-Policy cannot be set via HTML meta tags, so I'm holding off implementing that. Making it a recommendation in the README could also cause problems in the future, if more features are added that require functions that are blocked by whatever default policy we set. Permissions-Policy also has very poor browser coverage currently.
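As an added example (not code from the Hauk project or from either commenter), the following Python script implements enough of CSP source-list matching to reproduce both situations described in this thread: callahan22's Edit 1, where map tiles were blocked because the policy had no `img-src` and image loads fell back to a `default-src` that only named the Hauk host, and the maintainer's later choice of `img-src * data:` so that any map provider works. `FIXED_CSP` is the policy from the nginx config posted above; the page URL, the tile URLs and the `BROKEN_CSP` policy are constructed assumptions. Path matching and nonce/hash sources are deliberately not implemented, since none of the policies here use them.

```python
"""Evaluate whether a resource load is permitted by a Content-Security-Policy.

Added example, not Hauk project code. Implements the subset of CSP3 matching
needed to explain the thread: fallback to default-src, 'self', scheme sources
such as data:, wildcard hosts such as https://*.openstreetmap.org, and the
bare '*' rule. Paths and nonce/hash sources are not handled.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# FIXED_CSP is the policy from the nginx config in the issue. BROKEN_CSP is a
# constructed reproduction of the "Edit 1" state (no img-src). META_CSP mirrors
# the maintainer's "img-src * data:" choice; its default-src is assumed.
FIXED_CSP = ("default-src https://hauk.myserver.com:443; "
             "style-src 'self' 'unsafe-hashes' "
             "'sha256-rytaIms2QXmh8KLNkV6HhP89Mx7nl4orsV17KwlC3Ec=' "
             "'sha256-EpRRn8UTeRTYku6zLrvPMbhfG04OfGpeku3jtDP/CLc='; "
             "img-src 'self' data: https://*.openstreetmap.org "
             "https://fdroid.gitlab.io https://play.google.com")
BROKEN_CSP = "default-src https://hauk.myserver.com:443; style-src 'self' 'unsafe-hashes'"
META_CSP = "default-src 'self'; img-src * data:"

PAGE_URL = "https://hauk.myserver.com/"                      # assumed Hauk web UI origin
TILE_URL = "https://tile.openstreetmap.org/14/8000/5000.png"  # constructed tile URL


def parse_csp(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _port(parsed):
    """Effective port of a parsed URL (explicit port, else the scheme default)."""
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def _scheme_ok(expr_scheme: str, url_scheme: str, page_scheme: str) -> bool:
    """Scheme part of host-source matching; http in the policy also covers https."""
    wanted = expr_scheme or page_scheme
    return url_scheme == wanted or (wanted == "http" and url_scheme == "https")


def source_matches(expr: str, url: str, page_url: str) -> bool:
    """Return True if a single CSP source expression matches the resource URL."""
    u, page = urlparse(url), urlparse(page_url)
    keyword = expr.lower()
    if keyword == "'none'":
        return False
    if keyword == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (page.scheme, page.hostname, _port(page))
    if keyword.startswith("'"):        # nonces, hashes, 'unsafe-*': never match a URL
        return False
    if keyword == "*":                  # bare * excludes data:, blob: and filesystem:
        return u.scheme not in ("data", "blob", "filesystem")
    if keyword.endswith(":") and "//" not in keyword:   # scheme-source, e.g. data: or https:
        return u.scheme == keyword[:-1]
    # host-source: [scheme://]host[:port]
    h = urlparse(expr if "://" in expr else "//" + expr)
    if not _scheme_ok(h.scheme, u.scheme, page.scheme):
        return False
    pat, host = (h.hostname or ""), (u.hostname or "")
    if pat == "*":
        host_ok = True
    elif pat.startswith("*."):          # *.example.org matches subdomains, not the apex
        host_ok = host.endswith(pat[1:])
    else:
        host_ok = host == pat
    if not host_ok:
        return False
    # An explicit port must match; otherwise the URL must use its scheme's default port.
    return _port(u) == (h.port if h.port is not None else DEFAULT_PORTS.get(u.scheme))


def is_allowed(policy: str, directive: str, url: str, page_url: str = PAGE_URL):
    """Decide whether a load governed by `directive` is allowed; returns (allowed, reason)."""
    directives = parse_csp(policy)
    if directive in directives:
        governing = directive
    elif "default-src" in directives:   # fetch directives fall back to default-src
        governing = "default-src"
    else:
        return True, "no governing directive; load permitted"
    for expr in directives[governing]:
        if source_matches(expr, url, page_url):
            return True, f"allowed by {expr} in {governing}"
    return False, f"blocked: no source in {governing} matches {url}"


def explain_map_breakage() -> dict:
    """Reproduce the thread: tiles blocked under BROKEN_CSP, allowed once img-src lists the host."""
    return {
        "broken": is_allowed(BROKEN_CSP, "img-src", TILE_URL),
        "fixed": is_allowed(FIXED_CSP, "img-src", TILE_URL),
        "any_provider": is_allowed(META_CSP, "img-src", "https://tiles.example-maps.test/1/2/3.png"),
    }


if __name__ == "__main__":
    for name, (ok, why) in explain_map_breakage().items():
        print(f"{name:13s} {'ALLOW' if ok else 'BLOCK'}  {why}")
```

Running the script prints one line per case. Two details are worth noticing when tuning a policy like this one: `https://*.openstreetmap.org` matches `tile.openstreetmap.org` but not the apex `openstreetmap.org`, and a bare `*` does not match `data:` URLs, so `data:` has to be listed separately if any inline images are used.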