fly-apps / laravel-docker

Base Docker images for use with Laravel on Fly.io

How to add script header Strict-Transport-Security #4

Closed bogordesaincom closed 9 months ago

bogordesaincom commented 1 year ago

How do I add headers like these?

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";

dejagersh commented 10 months ago

I don't know if this is the best approach, but I do this to run a custom Nginx configuration:

In my Dockerfile I run this:

RUN composer install --optimize-autoloader \
    && chown -R www-data:www-data /var/www/html \
    && rm -rf /etc/cont-init.d/* \
+   && rm /etc/nginx/sites-enabled/default && rsync -avz .fly/docker/nginx/* /etc/nginx/ \
    && .....

This removes the enabled site that fideloper/fly-laravel puts there for us. Then I rsync everything that's in .fly/docker/nginx/* into the /etc/nginx directory, allowing me to override the configuration for the enabled site.

Then in .fly/docker/nginx I have all the nginx config that I want to put in the /etc/nginx directory:

[screenshot of the .fly/docker/nginx directory]

If you want to simply add those two lines, then the easiest way (I think) is to fly ssh console into your VM, navigate to /etc/nginx/sites-enabled and first inspect that folder:

fly ssh console -a your-app
cd /etc/nginx/sites-enabled

There you will find a file called default, which is symlinked to /etc/nginx/sites-available/default (or default-octane if you're using Octane). Its content should look something like this:

server {
    listen 8080 default_server;
    listen [::]:8080 default_server;

    root /var/www/html/public;

    index index.html index.htm index.php;

    server_name _;

    charset utf-8;

    client_max_body_size 2048M;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_param HTTP_X_FORWARDED_FOR $http_fly_client_ip;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        fastcgi_buffers  16 16k;
        fastcgi_buffer_size  32k;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log    off;
    }

    location = /robots.txt {
        log_not_found off;
        access_log    off;
    }

    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires    7d;
        access_log off;
        log_not_found off;
        # Pass to PHP to ensure PHP apps can handle routes that end in these filetypes
        try_files $uri /index.php?$query_string;
    }

    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        expires    7d;
        access_log off;
    }

    location ~ /\.(?!well-known) {
        deny all;
    }

    add_header X-Frame-Options           "SAMEORIGIN" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
}

Just copy that file into .fly/docker/nginx/sites-enabled and then modify it to your liking.
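One caveat worth checking before copying the file and appending the two add_header lines from the question at server level: nginx inherits add_header from the enclosing block only when the current block declares no add_header of its own, so the font location above (which sets its own Access-Control-Allow-Origin) will stop sending X-Frame-Options, Strict-Transport-Security and the rest for the responses it serves. The script below is an added example for this thread, not code from fly-apps/laravel-docker or from either commenter. It uses a deliberately minimal nginx config parser (a hypothetical helper, not nginx's own parser) over SAMPLE_CONF, a constructed, abbreviated copy of the default site shown above with the two requested headers appended, and reports which blocks would still lack the required headers.

```python
"""Static check of which add_header lines nginx will actually send per block.
nginx inherits add_header from the enclosing level only when the current level
declares none of its own, so a single add_header inside a location drops every
header set at server level for responses served by that location.
"""

# Headers expected on every response (constructed requirement list).
REQUIRED = ["Strict-Transport-Security", "X-Frame-Options",
            "X-Content-Type-Options", "Referrer-Policy"]

# Constructed sample: the thread's default site, abbreviated, with the two
# headers from the question appended at server level.
SAMPLE_CONF = r"""server {
    listen 8080 default_server;
    root /var/www/html/public;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ /\.(?!well-known) {
        deny all;
    }
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";  # own add_header: inheritance stops
        expires 7d;
    }
    add_header X-Frame-Options        "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy        "no-referrer-when-downgrade" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
}
"""


def tokenize(text):
    """Split nginx config into tokens; quotes group words, '#' comments are dropped."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":
            i = (text.find("\n", i) + 1) or n  # skip to end of line (or end of text)
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "\"'":
            end = text.index(c, i + 1)  # quoted value, may contain ';' or spaces
            tokens.append(text[i + 1:end])
            i = end + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse(tokens, i=0):
    """Return (directives, next_index); a directive is (name, args, children|None)."""
    block, args = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return block, i + 1
        if tok == ";":
            block.append((args[0], args[1:], None))
            args, i = [], i + 1
        elif tok == "{":
            children, i = parse(tokens, i + 1)
            block.append((args[0], args[1:], children))
            args = []
        else:
            args.append(tok)
            i += 1
    return block, i


def header_report(conf_text):
    """Map each server/location block to the set of header names it emits."""
    tree, _ = parse(tokenize(conf_text))
    report = {}

    def walk(block, inherited, label):
        own = {a[0] for name, a, _ in block if name == "add_header" and a}
        effective = own if own else inherited  # nginx's all-or-nothing rule
        if label:
            report[label] = effective
        for name, args, children in block:
            if children is not None and name in ("http", "server", "location"):
                walk(children, effective, (name + " " + " ".join(args)).strip())

    walk(tree, set(), "")
    return report


def missing_headers(conf_text, required=REQUIRED):
    """Blocks whose responses would lack at least one required header."""
    return {label: sorted(set(required) - sent)
            for label, sent in header_report(conf_text).items()
            if set(required) - sent}
```

Running missing_headers(SAMPLE_CONF) flags only the font location, which would serve its files with just Access-Control-Allow-Origin. The fix is to repeat the security headers inside that location (or keep them in a snippet that is included both at server level and in every location that sets its own add_header). Keep the always flag, as the default file already does, so the headers are also sent on error responses such as the 403 from the dot-file location.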

fideloper commented 10 months ago

Thanks @dejagersh

I have half a mind to incorporate h5bp's nginx configuration, which does a bunch of work for caching static assets, securing dot files, and adding in these security headers.

https://github.com/h5bp/server-configs-nginx

I'd likely "just" include the "basic.conf" file so it just does some basics.

What do you think?