From a32e013909c1871987ac1a9000ed73b8d1950073 Mon Sep 17 00:00:00 2001 From: barrucadu Date: Fri, 28 Sep 2018 22:17:19 +0000 Subject: Relax form-action content security policy 'self' only allows forms submitted to the same origin, which breaks the "remote follow" form. To allow remote following, we want to allow forms to be submitted to any host. --- installation/pleroma.nginx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'installation') diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index 37871ea5b..f648336ca 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx @@ -77,7 +77,7 @@ server { add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "same-origin" always; add_header X-Download-Options "noopen" always; - add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://example.tld; upgrade-insecure-requests;" always; + add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action *; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://example.tld; upgrade-insecure-requests;" always; # Uncomment this only after you get HTTPS working. # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; -- cgit v1.2.3 From 0a58428de6096f3222dd30d1a1f186150c25f4f2 Mon Sep 17 00:00:00 2001 From: shibayashi Date: Thu, 25 Oct 2018 00:37:31 +0200 Subject: Add some security related directives to the systemd service example --- installation/pleroma.service | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'installation') 
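Review bot: `form-action *` in the new Content-Security-Policy value also allows submission to plain-`http:` origins, which is broader than the remote-follow case in the commit message needs; `form-action 'self' https:` keeps remote follow working while still refusing non-TLS targets if markup injection ever lands a form on the page. The Apache and Caddy examples in the same directory keep `form-action 'self'`, so the three example configs now disagree on this directive. A comment above the `add_header` line, such as `# form-action is wider than 'self' so the remote-follow form can post to other instances`, would stop a later cleanup from tightening it back without knowing why it was widened.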
diff --git a/installation/pleroma.service b/installation/pleroma.service
index fd4180985..e410764f3 100644
--- a/installation/pleroma.service
+++ b/installation/pleroma.service
@@ -11,5 +11,15 @@ ExecReload=/bin/kill $MAINPID
 KillMode=process
 Restart=on-failure
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
+PrivateTmp=true
+; This makes /usr, /boot, /etc read-only.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve()
+NoNewPrivileges=true
+
 
 [Install]
 WantedBy=multi-user.target
-- cgit v1.2.3
From 043cb7138e3e970d0e50f3f5a9be5efb385bbc92 Mon Sep 17 00:00:00 2001
From: shibayashi
Date: Thu, 25 Oct 2018 00:57:47 +0200
Subject: Add a little bit more detail in the comments.
---
 installation/pleroma.service | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'installation')
diff --git a/installation/pleroma.service b/installation/pleroma.service
index e410764f3..84747d952 100644
--- a/installation/pleroma.service
+++ b/installation/pleroma.service
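Review bot: `PrivateDevices=false` is already systemd's default, so the added line changes nothing and the comment's "Disabled by default" reads as a description of systemd rather than of a choice made for this unit. Either switch it to `PrivateDevices=true` and reword the comment to `; Set to false if the service needs physical devices (e.g. on a Raspberry Pi).`, or keep `false` and say explicitly that the hardening is deliberately left off. `ProtectSystem=full` leaves /home writable, which this unit relies on because its `WorkingDirectory` is under /home/pleroma (visible in a later hunk on this page); a note to that effect would keep someone from adding `ProtectHome=true` later without a `ReadWritePaths=` exception.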
@@ -14,11 +14,11 @@ Restart=on-failure
 ; Some security directives.
 ; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
 PrivateTmp=true
-; This makes /usr, /boot, /etc read-only.
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
 ProtectSystem=full
 ; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
 PrivateDevices=false
-; Ensures that the service process and all its children can never gain new privileges through execve()
+; Ensures that the service process and all its children can never gain new privileges through execve().
 NoNewPrivileges=true
 
 [Install]
-- cgit v1.2.3
From 56c49513e0f66fe6e40724c6b7f18c29263c77ca Mon Sep 17 00:00:00 2001
From: shibayashi
Date: Sat, 3 Nov 2018 23:41:37 +0100
Subject: Use the server name as variable
---
 installation/caddyfile-pleroma.example | 2 +-
 installation/pleroma-apache.conf | 20 +++++++++++---------
 installation/pleroma.nginx | 12 ++++++------
 3 files changed, 18 insertions(+), 16 deletions(-)
(limited to 'installation')
diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example
index 2c1efde2d..d74eb82b6 100644
--- a/installation/caddyfile-pleroma.example
+++ b/installation/caddyfile-pleroma.example
@@ -22,7 +22,7 @@ social.domain.tld { Referrer-Policy "same-origin" Strict-Transport-Security "max-age=31536000; includeSubDomains;" Expect-CT "enforce, max-age=2592000" - Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://social.domain.tld; upgrade-insecure-requests;" + Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://{host}; upgrade-insecure-requests;" } # If you do not want remote frontends to be able to access your Pleroma backend server, remove these lines. diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf index 992c0c900..6174c85c0 100644 --- a/installation/pleroma-apache.conf +++ b/installation/pleroma-apache.conf 
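Review bot: As far as I can tell `{host}` in the new `connect-src` value is Caddy's placeholder for the request's Host header, so the emitted CSP now echoes client-supplied input instead of a fixed name. That is fine while this site block is keyed on the single label `social.domain.tld`, since only requests carrying that Host reach it, but it would stop holding if the block were later given a wildcard or several labels; a comment on the line, e.g. `# {host} is safe here only because this block matches a single hostname`, would record the dependency. No code change is needed for the single-label case.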
@@ -1,24 +1,26 @@ #Example configuration for when Apache httpd and Pleroma are on the same host. -#Needed modules: headers proxy proxy_http proxy_wstunnel rewrite ssl +#Needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl #This assumes a Debian style Apache config. Put this in /etc/apache2/sites-available #Install your TLS certificate, possibly using Let's Encrypt. #Replace 'pleroma.example.com' with your instance's domain wherever it appears -ServerName pleroma.example.com +Define servername pleroma.example.com + +ServerName ${servername} ServerTokens Prod ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined - Redirect permanent / https://pleroma.example.com + Redirect permanent / https://${servername} SSLEngine on - SSLCertificateFile /etc/letsencrypt/live/pleroma.example.com/cert.pem - SSLCertificateKeyFile /etc/letsencrypt/live/pleroma.example.com/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/pleroma.example.com/fullchain.pem + SSLCertificateFile /etc/letsencrypt/live/${servername}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/${servername}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/${servername}/fullchain.pem # Mozilla modern configuration, tweak to your needs SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 
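Review bot: The header comment `#Replace 'pleroma.example.com' with your instance's domain wherever it appears` is now stale, because after this hunk the name occurs only in `Define servername pleroma.example.com` and every other use goes through `${servername}`; something like `#Set 'servername' below to your instance's domain; it is expanded everywhere else via ${servername}` would match the new layout. `Define` is, as far as I know, a core httpd 2.4 directive rather than a loadable module, so the `define` entry added to the needed-modules line may send people looking for a module their distribution does not ship — worth checking against the Apache versions the example targets.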
@@ -31,7 +33,7 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined Header always set X-Frame-Options "DENY" Header always set X-Content-Type-Options "nosniff" Header always set Referrer-Policy same-origin - Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://pleroma.example.tld; upgrade-insecure-requests;" + Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://${servername}; upgrade-insecure-requests;" # Uncomment this only after you get HTTPS working. # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" @@ -45,7 +47,7 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined ProxyPass / http://localhost:4000/ ProxyPassReverse / http://localhost:4000/ - RequestHeader set Host "pleroma.example.com" + RequestHeader set Host ${servername} ProxyPreserveHost On @@ -53,4 +55,4 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off -SSLStaplingCache shmcb:/var/run/ocsp(128000) \ No newline at end of file +SSLStaplingCache shmcb:/var/run/ocsp(128000) diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index f648336ca..94db8d685 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx 
@@ -31,9 +31,9 @@ server { listen 443 ssl http2; ssl_session_timeout 5m; - ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; - ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/$server_name/fullchain.pem; + ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem; # Add TLSv1.0 to support older devices ssl_protocols TLSv1.2; @@ -46,7 +46,7 @@ server { ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; ssl_stapling on; ssl_stapling_verify on; - + server_name example.tld; gzip_vary on; @@ -77,8 +77,8 @@ server { add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "same-origin" always; add_header X-Download-Options "noopen" always; - add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action *; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://example.tld; upgrade-insecure-requests;" always; - + add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action *; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://$server_name; upgrade-insecure-requests;" always; + # Uncomment this only after you get HTTPS working. # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; -- cgit v1.2.3 From 732d3fce73122536beaddff0d97adc650655c1fe Mon Sep 17 00:00:00 2001 
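Review bot: `ssl_certificate`, `ssl_certificate_key` and `ssl_trusted_certificate` do not expand nginx variables in the releases available at the time of this change (variable support in these directives only arrived in 1.15.9, and even then it is intended for `$ssl_server_name`), so the three new paths are taken literally as `/etc/letsencrypt/live/$server_name/...` and nginx will refuse to start. `add_header` does expand variables, so the `wss://$server_name` substitution in the later hunk on this line is fine; only the three certificate lines need a literal domain. If the aim is one place to edit, a comment near `server_name` listing the certificate paths is about as far as nginx lets this go.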
From: shibayashi Date: Sat, 3 Nov 2018 23:44:26 +0100 Subject: Use the same example domain in all config examples --- installation/caddyfile-pleroma.example | 8 ++++---- installation/pleroma-apache.conf | 4 ++-- installation/pleroma.nginx | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) (limited to 'installation') diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example index d74eb82b6..41a7eaa72 100644 --- a/installation/caddyfile-pleroma.example +++ b/installation/caddyfile-pleroma.example @@ -1,4 +1,4 @@ -social.domain.tld { +pleroma.example.tld { log /var/log/caddy/pleroma_access.log errors /var/log/caddy/pleroma_error.log @@ -9,7 +9,7 @@ social.domain.tld { transparent } - tls user@domain.tld { + tls user@example.tld { # Remove the rest of the lines in here, if you want to support older devices key_type p256 ciphers ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 @@ -29,8 +29,8 @@ social.domain.tld { # If you want to allow all origins access, remove the origin lines. # To use this directive, you need the http.cors plugin for Caddy. cors / { - origin https://halcyon.domain.tld - origin https://pinafore.domain.tld + origin https://halcyon.example.tld + origin https://pinafore.example.tld methods POST,PUT,DELETE,GET,PATCH,OPTIONS allowed_headers Authorization,Content-Type,Idempotency-Key exposed_headers Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf index 6174c85c0..5fc04d69f 100644 --- a/installation/pleroma-apache.conf +++ b/installation/pleroma-apache.conf 
@@ -2,9 +2,9 @@ #Needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl #This assumes a Debian style Apache config. Put this in /etc/apache2/sites-available #Install your TLS certificate, possibly using Let's Encrypt. -#Replace 'pleroma.example.com' with your instance's domain wherever it appears +#Replace 'pleroma.example.tld' with your instance's domain wherever it appears -Define servername pleroma.example.com +Define servername pleroma.example.tld ServerName ${servername} ServerTokens Prod diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index 94db8d685..202e4a620 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx @@ -2,7 +2,7 @@ # # Simple installation instructions: # 1. Install your TLS certificate, possibly using Let's Encrypt. -# 2. Replace 'example.tld' with your instance's domain wherever it appears. +# 2. Replace 'pleroma.example.tld' with your instance's domain wherever it appears. # 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it # in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. @@ -10,8 +10,8 @@ proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cac inactive=720m use_temp_path=off; server { + server_name pleroma.example.tld; listen 80; - server_name example.tld; return 301 https://$server_name$request_uri; # Uncomment this if you need to use the 'webroot' method with certbot. Make sure @@ -47,7 +47,7 @@ server { ssl_stapling on; ssl_stapling_verify on; - server_name example.tld; + server_name pleroma.example.tld; gzip_vary on; gzip_proxied any; -- cgit v1.2.3 From 941f9a888c1d08e0e5a158956e55439631748764 Mon Sep 17 00:00:00 2001 From: shibayashi Date: Sat, 3 Nov 2018 23:59:52 +0100 Subject: Update instructions --- installation/caddyfile-pleroma.example | 8 +++++++- installation/pleroma-apache.conf | 15 ++++++++++----- 2 files changed, 17 insertions(+), 6 deletions(-) (limited to 'installation') 
diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example index 41a7eaa72..f5ecf9d26 100644 --- a/installation/caddyfile-pleroma.example +++ b/installation/caddyfile-pleroma.example @@ -1,3 +1,9 @@ +# default Caddyfile config for Pleroma +# +# Simple installation instructions: +# 1. Replace 'pleroma.example.tld' with your instance's domain wherever it appears. +# 2. Copy this section into your Caddyfile and restart Caddy. + pleroma.example.tld { log /var/log/caddy/pleroma_access.log errors /var/log/caddy/pleroma_error.log @@ -9,7 +15,7 @@ pleroma.example.tld { transparent } - tls user@example.tld { + tls { # Remove the rest of the lines in here, if you want to support older devices key_type p256 ciphers ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf index 5fc04d69f..10918ed1f 100644 --- a/installation/pleroma-apache.conf +++ b/installation/pleroma-apache.conf 
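Review bot: Changing `tls user@example.tld {` to `tls {` drops the ACME account e-mail that Caddy 1.x uses when requesting certificates; unless it is supplied elsewhere (the `-email` flag, as far as I recall), Caddy asks for it interactively on first run, which does not work under a service manager. A comment on the new line, such as `# Caddy needs an e-mail for ACME: pass -email on the command line or write tls you@example.tld { here`, would keep the example usable non-interactively.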
@@ -1,8 +1,13 @@ -#Example configuration for when Apache httpd and Pleroma are on the same host. -#Needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl -#This assumes a Debian style Apache config. Put this in /etc/apache2/sites-available -#Install your TLS certificate, possibly using Let's Encrypt. -#Replace 'pleroma.example.tld' with your instance's domain wherever it appears +# default Apache site config for Pleroma +# +# needed modules: define headers proxy proxy_http proxy_wstunnel rewrite ssl +# +# Simple installation instructions: +# 1. Install your TLS certificate, possibly using Let's Encrypt. +# 2. Replace 'pleroma.example.tld' with your instance's domain wherever it appears. +# 3. This assumes a Debian style Apache config. Copy this file to +# /etc/apache2/sites-available/ and then add a symlink to it in +# /etc/apache2/sites-enabled/ by running 'a2ensite pleroma-apache.conf', then restart Apache. Define servername pleroma.example.tld -- cgit v1.2.3 From 800d233631c37f75d17ddc1fbad7ac0e44366b1a Mon Sep 17 00:00:00 2001 From: shibayashi Date: Sun, 4 Nov 2018 14:06:18 +0100 Subject: Use example.tld so a single search and replace works --- installation/caddyfile-pleroma.example | 4 ++-- installation/pleroma-apache.conf | 4 ++-- installation/pleroma.nginx | 12 ++++++------ 3 files changed, 10 insertions(+), 10 deletions(-) (limited to 'installation') diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example index f5ecf9d26..305f2aa79 100644 --- a/installation/caddyfile-pleroma.example +++ b/installation/caddyfile-pleroma.example 
@@ -1,10 +1,10 @@ # default Caddyfile config for Pleroma # # Simple installation instructions: -# 1. Replace 'pleroma.example.tld' with your instance's domain wherever it appears. +# 1. Replace 'example.tld' with your instance's domain wherever it appears. # 2. Copy this section into your Caddyfile and restart Caddy. -pleroma.example.tld { +example.tld { log /var/log/caddy/pleroma_access.log errors /var/log/caddy/pleroma_error.log diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf index 10918ed1f..fb777983e 100644 --- a/installation/pleroma-apache.conf +++ b/installation/pleroma-apache.conf @@ -4,12 +4,12 @@ # # Simple installation instructions: # 1. Install your TLS certificate, possibly using Let's Encrypt. -# 2. Replace 'pleroma.example.tld' with your instance's domain wherever it appears. +# 2. Replace 'example.tld' with your instance's domain wherever it appears. # 3. This assumes a Debian style Apache config. Copy this file to # /etc/apache2/sites-available/ and then add a symlink to it in # /etc/apache2/sites-enabled/ by running 'a2ensite pleroma-apache.conf', then restart Apache. -Define servername pleroma.example.tld +Define servername example.tld ServerName ${servername} ServerTokens Prod diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index 202e4a620..6dc2c9760 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx @@ -2,7 +2,7 @@ # # Simple installation instructions: # 1. Install your TLS certificate, possibly using Let's Encrypt. -# 2. Replace 'pleroma.example.tld' with your instance's domain wherever it appears. +# 2. Replace 'example.tld' with your instance's domain wherever it appears. # 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it # in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx. 
@@ -10,7 +10,7 @@ proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cac inactive=720m use_temp_path=off; server { - server_name pleroma.example.tld; + server_name example.tld; listen 80; return 301 https://$server_name$request_uri; @@ -31,9 +31,9 @@ server { listen 443 ssl http2; ssl_session_timeout 5m; - ssl_trusted_certificate /etc/letsencrypt/live/$server_name/fullchain.pem; - ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; + ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem; # Add TLSv1.0 to support older devices ssl_protocols TLSv1.2; @@ -47,7 +47,7 @@ server { ssl_stapling on; ssl_stapling_verify on; - server_name pleroma.example.tld; + server_name example.tld; gzip_vary on; gzip_proxied any; -- cgit v1.2.3 From 3ea4f9ac8deea09711c80e3ef2cce8d02c64f2ee Mon Sep 17 00:00:00 2001 From: Hakaba Hitoyo Date: Mon, 5 Nov 2018 04:18:43 +0000 Subject: Remove Access-Control-Allow-Origin --- installation/pleroma.nginx | 1 - 1 file changed, 1 deletion(-) (limited to 'installation') diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index f648336ca..f86239672 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx @@ -62,7 +62,6 @@ server { location / { # if you do not want remote frontends to be able to access your Pleroma backend # server, remove these lines. - add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; -- cgit v1.2.3 
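Review bot: In the `@@ -62,7 +62,6 @@` hunk of pleroma.nginx at the end of this line, removing only `Access-Control-Allow-Origin` while keeping `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers` and `Access-Control-Expose-Headers` leaves those three headers inert, because a browser rejects the cross-origin response before it looks at them. If the goal is to stop remote frontends talking to the backend, the remaining CORS lines and the `OPTIONS` short-circuit just past this hunk should go too; if the goal is to restrict origins, keep the header with an explicit origin instead of `*`. The comment `# if you do not want remote frontends ... remove these lines.` that is kept as context still describes the deleted line and now misleads.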
From fd918863aa842fda58c620434e3b1f15d510cb53 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Sun, 11 Nov 2018 05:42:30 +0000
Subject: nginx example config: remove CORS headers, now managed by CORSPlug.
---
 installation/pleroma.nginx | 10 ----------
 1 file changed, 10 deletions(-)
(limited to 'installation')
diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx
index 65a3cdb4c..9b7419497 100644
--- a/installation/pleroma.nginx
+++ b/installation/pleroma.nginx
@@ -60,16 +60,6 @@ server {
 client_max_body_size 16m;
 
 location / {
- # if you do not want remote frontends to be able to access your Pleroma backend
- # server, remove these lines.
- add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
- add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
- add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
- if ($request_method = OPTIONS) {
- return 204;
- }
- # stop removing lines here.
-
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header X-Frame-Options "DENY" always;
-- cgit v1.2.3
From 057a9017b3852f10e76165b70b907d9af458c301 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Sun, 11 Nov 2018 06:12:26 +0000
Subject: example configs: remove obsolete CSP configuration
---
 installation/caddyfile-pleroma.example | 17 -----------------
 installation/pleroma-apache.conf | 6 ------
 installation/pleroma.nginx | 8 --------
 installation/pleroma.vcl | 5 -----
 4 files changed, 36 deletions(-)
(limited to 'installation')
diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example
index 305f2aa79..c34b47045 100644
--- a/installation/caddyfile-pleroma.example
+++ b/installation/caddyfile-pleroma.example
@@ -22,27 +22,10 @@ example.tld { } header / { - X-XSS-Protection "1; mode=block" - X-Frame-Options "DENY" - X-Content-Type-Options "nosniff" - Referrer-Policy "same-origin" Strict-Transport-Security "max-age=31536000; includeSubDomains;" Expect-CT "enforce, max-age=2592000" - Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://{host}; upgrade-insecure-requests;" } - # If you do not want remote frontends to be able to access your Pleroma backend server, remove these lines. - # If you want to allow all origins access, remove the origin lines. - # To use this directive, you need the http.cors plugin for Caddy. - cors / { - origin https://halcyon.example.tld - origin https://pinafore.example.tld - methods POST,PUT,DELETE,GET,PATCH,OPTIONS - allowed_headers Authorization,Content-Type,Idempotency-Key - exposed_headers Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id - } - # Stop removing lines here. - # If you do not want to use the mediaproxy function, remove these lines. # To use this directive, you need the http.cache plugin for Caddy. cache { diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf index fb777983e..cbb165064 100644 --- a/installation/pleroma-apache.conf +++ b/installation/pleroma-apache.conf 
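Review bot: Nothing on the new side records where the removed `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy` and Content-Security-Policy headers are now expected to come from, so an operator comparing a header scan of their instance against this example cannot tell whether a missing header is a regression; the same applies to the pleroma-apache.conf, pleroma.nginx and pleroma.vcl hunks of this commit. A one-line comment per example, e.g. `# Security headers (CSP, X-Frame-Options, nosniff, Referrer-Policy) are emitted by Pleroma itself, not by the proxy.`, would capture what the commit message calls "obsolete". Responses the proxy generates on its own (error pages, redirects) never pass through the application, so they will lack these headers after this change; worth stating in that comment.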
@@ -34,12 +34,6 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined SSLCompression off SSLSessionTickets off - Header always set X-Xss-Protection "1; mode=block" - Header always set X-Frame-Options "DENY" - Header always set X-Content-Type-Options "nosniff" - Header always set Referrer-Policy same-origin - Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://${servername}; upgrade-insecure-requests;" - # Uncomment this only after you get HTTPS working. # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index 9b7419497..62c99383f 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx @@ -60,14 +60,6 @@ server { client_max_body_size 16m; location / { - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Frame-Options "DENY" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "same-origin" always; - add_header X-Download-Options "noopen" always; - add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action *; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://$server_name; upgrade-insecure-requests;" always; - # Uncomment this only after you get HTTPS working. # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl index 74490be2a..5d80c6f44 100644 --- a/installation/pleroma.vcl +++ b/installation/pleroma.vcl 
@@ -121,11 +121,6 @@ sub vcl_pipe { } sub vcl_deliver { - set resp.http.X-Frame-Options = "DENY"; - set resp.http.X-XSS-Protection = "1; mode=block"; - set resp.http.X-Content-Type-Options = "nosniff"; - set resp.http.Referrer-Policy = "same-origin"; - set resp.http.Content-Security-Policy = "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://" + req.http.host + "; upgrade-insecure-requests;"; # Uncomment this only after you get HTTPS working. # set resp.http.Strict-Transport-Security= "max-age=31536000; includeSubDomains"; } -- cgit v1.2.3 From e4bd5a6950d08eddbbc12ddd3f2e91c43544238c Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sun, 11 Nov 2018 06:56:46 +0000 Subject: example configs: kill STS/CT headers --- installation/caddyfile-pleroma.example | 5 ----- installation/pleroma-apache.conf | 3 --- installation/pleroma.nginx | 3 --- installation/pleroma.vcl | 5 ----- 4 files changed, 16 deletions(-) (limited to 'installation') diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example index c34b47045..03ff000b6 100644 --- a/installation/caddyfile-pleroma.example +++ b/installation/caddyfile-pleroma.example @@ -21,11 +21,6 @@ example.tld { ciphers ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 } - header / { - Strict-Transport-Security "max-age=31536000; includeSubDomains;" - Expect-CT "enforce, max-age=2592000" - } - # If you do not want to use the mediaproxy function, remove these lines. # To use this directive, you need the http.cache plugin for Caddy. cache { diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf index cbb165064..d5e75044f 100644 --- a/installation/pleroma-apache.conf 
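Review bot: In the second hunk on this line (`@@ -21,11 +21,6 @@` of caddyfile-pleroma.example, commit e4bd5a6) and the apache, nginx and vcl hunks of the same commit that follow, the examples lose their only `Strict-Transport-Security` (and `Expect-CT`) setting with no pointer to where it should be enabled instead. HSTS belongs to the TLS endpoint and must be on every HTTPS response, including those the proxy answers itself, so the reverse proxy is its natural home; if the application is meant to emit it, its default should be checked, since a disabled default would leave new deployments without HSTS. A comment such as `# HSTS is not set here; enable it in Pleroma's HTTP security settings or restore Strict-Transport-Security once HTTPS works.` in each example would prevent the header from disappearing silently.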
+++ b/installation/pleroma-apache.conf @@ -34,9 +34,6 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined SSLCompression off SSLSessionTickets off - # Uncomment this only after you get HTTPS working. - # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" - RewriteEngine On RewriteCond %{HTTP:Connection} Upgrade [NC] RewriteCond %{HTTP:Upgrade} websocket [NC] diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx index 62c99383f..f0e684f2c 100644 --- a/installation/pleroma.nginx +++ b/installation/pleroma.nginx @@ -60,9 +60,6 @@ server { client_max_body_size 16m; location / { - # Uncomment this only after you get HTTPS working. - # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl index 5d80c6f44..63c1cb74d 100644 --- a/installation/pleroma.vcl +++ b/installation/pleroma.vcl @@ -119,8 +119,3 @@ sub vcl_pipe { set bereq.http.connection = req.http.connection; } } - -sub vcl_deliver { - # Uncomment this only after you get HTTPS working. - # set resp.http.Strict-Transport-Security= "max-age=31536000; includeSubDomains"; -} -- cgit v1.2.3 From 124a9bb7a5d5342fd15deb0e41e957d51d3d1d7c Mon Sep 17 00:00:00 2001 From: shibayashi Date: Mon, 12 Nov 2018 23:01:06 +0100 Subject: Add MIX_ENV=prod --- installation/pleroma.service | 1 + 1 file changed, 1 insertion(+) (limited to 'installation') diff --git a/installation/pleroma.service b/installation/pleroma.service index 84747d952..6955e5cc6 100644 --- a/installation/pleroma.service +++ b/installation/pleroma.service @@ -6,6 +6,7 @@ After=network.target postgresql.service User=pleroma WorkingDirectory=/home/pleroma/pleroma Environment="HOME=/home/pleroma" +Environment="MIX_ENV=prod" ExecStart=/usr/local/bin/mix phx.server ExecReload=/bin/kill $MAINPID KillMode=process -- cgit v1.2.3