From 0a1fd8adf0c28a5a9384555e3d27a947ee904a62 Mon Sep 17 00:00:00 2001 From: Artik Banana Date: Sun, 6 May 2018 14:19:29 +0000 Subject: Added headers for a more secure default. --- installation/pleroma.nginx | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'installation') diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index 895799a8e..44905da49 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx @@ -59,6 +59,16 @@ server { } # stop removing lines here. + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + + # Uncomment this only after you get HTTPS working. + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; -- cgit v1.2.3 From 4233b1504fb4ac81c9700fc71a806407452c6c54 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Mon, 7 May 2018 23:43:27 +0000 Subject: Caching notice URLs does not produce pleasant results --- installation/pleroma.vcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'installation') diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl index f3faa9432..9f783b5da 100644 --- a/installation/pleroma.vcl +++ b/installation/pleroma.vcl @@ -41,7 +41,7 @@ sub vcl_recv { # Strip headers that will affect caching from all other static content # This also permits caching of individual toots and AP Activities - if ((req.url ~ "^/(media|notice|static)/") || + if ((req.url ~ "^/(media|static)/") || (req.url ~ "(?i)\.(html|js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$")) { unset req.http.Cookie; -- cgit v1.2.3 From a85d05167580035608909db241dd8f5756c351b9 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Mon, 7 May 2018 23:44:40 +0000 Subject: Don't strip headers from backend for /notice/ either --- installation/pleroma.vcl | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'installation') diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl index 9f783b5da..63c1cb74d 100644 --- a/installation/pleroma.vcl +++ b/installation/pleroma.vcl @@ -93,8 +93,7 @@ sub vcl_backend_response { # Strip cache-restricting headers from Pleroma on static content that we want to cache # Also enable streaming of cached content to clients (no waiting for Varnish to complete backend fetch) - if ((bereq.url ~ "^/(notice)/") || - (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$")) + if (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$") { unset beresp.http.set-cookie; unset beresp.http.Cache-Control; -- cgit v1.2.3 From 38f5f6f659f4b5c4c669044e62e6bae5a9b962ef Mon Sep 17 00:00:00 2001 From: Normandy Date: Fri, 11 May 2018 05:19:20 +0000 Subject: Remove alias directive in service file Systemd will complain otherwise. --- installation/pleroma.service | 1 - 1 file changed, 1 deletion(-) (limited to 'installation') diff --git a/installation/pleroma.service b/installation/pleroma.service index fe314ed2b..fd4180985 100644 --- a/installation/pleroma.service +++ b/installation/pleroma.service @@ -13,4 +13,3 @@ Restart=on-failure [Install] WantedBy=multi-user.target -Alias=pleroma.service -- cgit v1.2.3