Closed jessuppi closed 3 months ago
jessuppi
commented
1 year ago Since we are using a unique Nginx server blocks directory /var/www/sites/ we probably should ensure that any custom child config files are in a subdirectory there to avoid confusion.
For example like:
/var/www/sites/custom/I was going back on forth on this but I don't think custom is a good sudirectory name. It sounds like maybe users could replace default server blocks with their own but that's not true, it's just for Nginx includes only.
So I'm proceeding with calling this /var/www/sites/includes/
https://github.com/littlebizzy/slickstack/commit/91ac5a6470d2ae9a8dd1af28b24c1c46dc08601f
After a few Google searches it looks like Roots Trellis uses a similar folder name nginx-includes so that's good, at least some similar naming helps the community.
Ref: https://roots.io/trellis/docs/nginx-includes/
Still pending integration with SlickStack installer scripts and the main Nginx config file...
jessuppi
commented
1 year ago See here:
## pending testing ##
# include /var/www/sites/includes/featurepolicy.conf;For better security/control perhaps we can include specific child includes only as they become approved by the community instead of just a wildcard include...
https://github.com/littlebizzy/slickstack/blob/master/modules/nginx/nginx-conf.txt
jessuppi
commented
1 year ago https://forum.nginx.org/read.php?11,256135
Hi, you may use the include directive with some glob() pattern tricks
For instance, replace this
include /path/to/something/nonexisting.conf
with
include /path/to/something/nonexisting[.]conf
the config parser won't complain if such file does not exist.
Not sure if still relevant.
jessuppi
commented
3 months ago jessuppi
commented
3 months ago New default Permissions Policy submodule called perms-policy.conf
https://github.com/littlebizzy/slickstack/blob/master/modules/nginx/includes/perms-policy-conf.txt
You can now customize this in SlickStack. Simply edit your own file under /var/www/sites-includes/perms-policy.conf and SlickStack will validate that file during installation... if it's missing the string add_header Permissions-Policy then our default submodule will be installed in that file location instead.
Ref: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-install-nginx-config.txt
This is an issue we knew would eventually need to be discussed, and here it is being requested:
https://slickstack.io/forum/topic/feature-policy-header-blocking-camera-request
It gets to a bigger issue which is better support for "sub-config" files added under e.g.
/etc/nginx/conf.d/however, the official Nginx.com docs suggest feature-specific files which doesn't really apply to SlickStack since it's mostly just http... their docs suggest child config files for e.g. http, events, stream, etc.Ref: https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/
I think we need to be even narrower than that for SlickStack. For example maybe
featurepolicy.confto focus specifically on that HTTP header, since other HTTP headers will likely remain hardcoded in SlickStack...