From 89430ddde5ed245b51974c146d08d607df37afb2 Mon Sep 17 00:00:00 2001
From: stekrause
Date: Tue, 15 Aug 2023 08:15:25 +0200
Subject: [PATCH 1/6] add script-src-elem to nginx config
---
 dockerconf/nginx.conf.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dockerconf/nginx.conf.template b/dockerconf/nginx.conf.template
index 6bd71e1a8f..7fba2ec04f 100644
--- a/dockerconf/nginx.conf.template
+++ b/dockerconf/nginx.conf.template
@@ -2,7 +2,7 @@ server {
 listen 4000;
 server_name localhost;
- set $csp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS}";
+ set $csp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' 'strict-dynamic' 'unsafe-inline' https:; script-src-elem 'nonce-$request_id' 'unsafe-inline' ${H5P_SCRIPT_SRC_URLS} https:; object-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS}";
 location /status {
 stub_status;
From d160135e01fc9d2113272854c78d88ccbb425ad0 Mon Sep 17 00:00:00 2001
From: stekrause
Date: Tue, 15 Aug 2023 08:16:01 +0200
Subject: [PATCH 2/6] add H5P_IMG_SRC_URLS to nginx config
---
 dockerconf/nginx.conf.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dockerconf/nginx.conf.template b/dockerconf/nginx.conf.template
index 7fba2ec04f..5340ea1a5b 100644
--- a/dockerconf/nginx.conf.template
+++ b/dockerconf/nginx.conf.template
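Review bot: The new `script-src-elem` directive on the `+` line has no `'strict-dynamic'`, so the `https:` source in it is honoured instead of being ignored as it is in `script-src`, and because `script-src-elem` takes precedence over `script-src` for `<script>` elements, the nonce no longer gates external scripts at all: any injected `<script src="https://…">` is allowed. Either drop `https:` there, `script-src-elem 'nonce-$request_id' ${H5P_SCRIPT_SRC_URLS};` (`'unsafe-inline'` is already ignored by browsers that understand the nonce), or add `'strict-dynamic'` to it as well, accepting that CSP3 browsers will then ignore the `${H5P_SCRIPT_SRC_URLS}` allowlist. Browsers without `script-src-elem` support fall back to `script-src`, which keeps `'strict-dynamic'`, so they are unaffected either way.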
@@ -2,7 +2,7 @@ server {
 listen 4000;
 server_name localhost;
- set $csp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' 'strict-dynamic' 'unsafe-inline' https:; script-src-elem 'nonce-$request_id' 'unsafe-inline' ${H5P_SCRIPT_SRC_URLS} https:; object-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS}";
+ set $csp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' 'strict-dynamic' 'unsafe-inline' https:; script-src-elem 'nonce-$request_id' 'unsafe-inline' ${H5P_SCRIPT_SRC_URLS} https:; object-src 'none'; font-src 'self' data:; img-src 'self' ${H5P_IMG_SRC_URLS} data:; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS}";
 location /status {
 stub_status;
From 04aeabeb82c2d3cec4776fb2e45b2efdaf37e8f0 Mon Sep 17 00:00:00 2001
From: stekrause
Date: Fri, 1 Sep 2023 09:41:04 +0200
Subject: [PATCH 3/6] add location h5p to csp rules
---
 dockerconf/nginx.conf.template | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/dockerconf/nginx.conf.template b/dockerconf/nginx.conf.template
index 5340ea1a5b..ada3a95066 100644
--- a/dockerconf/nginx.conf.template
+++ b/dockerconf/nginx.conf.template
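Review bot: `${H5P_IMG_SRC_URLS}` on the `+` line is pasted verbatim into the quoted CSP value (the template under `/etc/nginx/templates/` is presumably expanded by the nginx image's envsubst at start-up), and nothing documents or checks its format, so a value containing `;`, `"` or a newline would silently add or truncate directives, or break the generated config. A comment above the `set` stating the contract would help operators, e.g. `# H5P_*_URLS: space-separated origins (scheme://host[:port]); no quotes, semicolons or newlines; may be empty`. The same applies to `${H5P_SCRIPT_SRC_URLS}` and `${H5P_FRAME_SRC_URLS}` on the same line.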
@@ -2,7 +2,9 @@ server {
 listen 4000;
 server_name localhost;
- set $csp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' 'strict-dynamic' 'unsafe-inline' https:; script-src-elem 'nonce-$request_id' 'unsafe-inline' ${H5P_SCRIPT_SRC_URLS} https:; object-src 'none'; font-src 'self' data:; img-src 'self' ${H5P_IMG_SRC_URLS} data:; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS}";
+ set $csp "default-src 'self'; base-uri 'self'; script-src 'strict-dynamic' 'nonce-$request_id' 'unsafe-inline' https:; object-src 'none'; font-src 'self' data:; img-src 'self' ${H5P_IMG_SRC_URLS} data:; style-src 'self' 'unsafe-inline'; frame-src 'self'";
+
+ set $h5pcsp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' ${H5P_SCRIPT_SRC_URLS} 'unsafe-inline' https:; object-src 'none'; font-src 'self' data:; img-src 'self' ${H5P_IMG_SRC_URLS} data:; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS}";
 location /status {
 stub_status;
@@ -61,8 +63,22 @@ server {
 proxy_pass ${LEGACY_CLIENT_URL};
 }
+ location /h5p/ {
+ root /usr/share/nginx/html/h5p;
+ index index.html index.htm;
+ add_header Content-Security-Policy "${h5pcsp}";
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy 'same-origin';
+ add_header X-XSS-Protection '1; mode=block';
+ add_header X-Frame-Options 'SAMEORIGIN';
+ add_header Permissions-Policy 'fullscreen=(*), sync-xhr=(*), geolocation=(self), midi=(self), microphone=(self), camera=(self), magnetometer=(self), gyroscope=(self), payment=()';
+ sub_filter_once off;
+ sub_filter '**CSP_NONCE**' $request_id;
+ try_files $uri /index.html =404;
+ }
+
 location / {
- root /usr/share/nginx/html;
+ root /usr/share/nginx/html/frontend;
 index index.html index.htm;
 add_header Content-Security-Policy "${csp}";
 add_header X-Content-Type-Options nosniff;
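Review bot: In the new `$h5pcsp` line, `script-src 'nonce-$request_id' ${H5P_SCRIPT_SRC_URLS} 'unsafe-inline' https:` carries no `'strict-dynamic'`, so `https:` is a live source expression that already permits scripts from every HTTPS origin; the `${H5P_SCRIPT_SRC_URLS}` allowlist then adds nothing and the nonce only governs inline scripts. If an explicit allowlist is the intended model for the H5P page, drop `https:` from that directive, `script-src 'nonce-$request_id' ${H5P_SCRIPT_SRC_URLS};` (`'unsafe-inline'` is ignored by any nonce-aware browser, so it can go too or stay as a CSP1 fallback). A short comment above the two `set` lines explaining why the main app uses `'strict-dynamic'` and the H5P location uses a host allowlist would make the split easier to maintain.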
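Review bot: `root /usr/share/nginx/html/h5p;` inside `location /h5p/` makes nginx append the full request URI to the root, so `/h5p/foo.js` is looked up at `/usr/share/nginx/html/h5p/h5p/foo.js`; with the Dockerfile in this series copying `dist` straight to `/usr/share/nginx/html/h5p`, the `$uri` step of `try_files $uri /index.html =404;` will practically never match and every request below `/h5p/` is answered with the fallback `index.html` under `$h5pcsp`. If a self-contained copy of the app under `/h5p/` was intended, `alias /usr/share/nginx/html/h5p/;` is presumably what was meant — please confirm against how the SPA references its assets, since absolute `/js/…` URLs would be served by `location /` under the main `$csp` anyway. Separately, `add_header X-XSS-Protection '1; mode=block';` re-enables a legacy filter that current browsers ignore and that has known cross-site-leak problems in older ones; `add_header X-XSS-Protection '0';` is the current recommendation.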
@@ -81,4 +97,4 @@ server {
 gzip_proxied expired no-cache no-store private auth;
 gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
 gzip_disable "MSIE [1-6]\.";
-}
+}
\ No newline at end of file
From 8f53e942db8b964d6435f39ee869110a7c7c9632 Mon Sep 17 00:00:00 2001
From: stekrause
Date: Fri, 1 Sep 2023 09:41:26 +0200
Subject: [PATCH 4/6] copy second index.html for h5p location ins csp rules
---
 Dockerfile | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2e21bcb883..0b8e0a9eab 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # build stage
-FROM docker.io/node:18-bullseye AS build-stage
+FROM docker.io/node:18-bullseye as build-stage
 ## add libraries needed for installing canvas npm package
 RUN apt update && apt install -y g++ libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev;
@@ -9,7 +9,7 @@ WORKDIR /app
 COPY package.json package-lock.json ./
 RUN npm ci
-COPY babel.config.js .eslintrc.js LICENSE.md .prettierrc.js tsconfig.json tsconfig.build.json vue.config.js .eslintignore .prettierignore ./
+COPY babel.config.js .eslintrc.js LICENSE.md .prettierrc.js tsconfig.json tsconfig.build.json vue.config.js ./
 COPY public ./public
 COPY src ./src
 COPY webpack-config ./webpack-config
@@ -24,6 +24,9 @@ RUN echo "{\"sha\": \"$(git rev-parse HEAD)\", \"version\": \"$(git describe --t
 FROM docker.io/nginx:1.25
 RUN mkdir /etc/nginx/templates
 COPY dockerconf/nginx.conf.template /etc/nginx/templates/default.conf.template
-COPY --from=build-stage /app/dist /usr/share/nginx/html
+COPY --from=build-stage /app/dist /usr/share/nginx/html/frontend
+# second index.html needed for the location /h5p/ in csp rules
+COPY --from=build-stage /app/dist /usr/share/nginx/html/h5p
+
 EXPOSE 4000
-CMD ["nginx", "-g", "daemon off;"]
+CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
From f8b00b802f15eca8eb76096f9bb450294acd952a Mon Sep 17 00:00:00 2001
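Review bot: The second `COPY --from=build-stage /app/dist /usr/share/nginx/html/h5p` duplicates the entire build output in the image, although the comment right above it says only a second `index.html` is needed for the `/h5p/` location; `COPY --from=build-stage /app/dist/index.html /usr/share/nginx/html/h5p/index.html` keeps one copy of the assets and makes the comment true. If the full tree really is required (assets resolved relative to `/h5p/`), the comment should say so instead, since two copies of the bundle will drift apart in reviewers' minds even though they are built from the same stage. The `AS` → `as` and `.eslintignore .prettierignore` changes earlier in this patch are undone by the next one and could be squashed out of the series.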
From: Stephan Krause <101647440+SteKrause@users.noreply.github.com>
Date: Fri, 1 Sep 2023 10:45:10 +0200
Subject: [PATCH 5/6] Update Dockerfile
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0b8e0a9eab..3b716a8e8b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # build stage
-FROM docker.io/node:18-bullseye as build-stage
+FROM docker.io/node:18-bullseye AS build-stage
 ## add libraries needed for installing canvas npm package
 RUN apt update && apt install -y g++ libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev;
@@ -9,7 +9,7 @@ WORKDIR /app
 COPY package.json package-lock.json ./
 RUN npm ci
-COPY babel.config.js .eslintrc.js LICENSE.md .prettierrc.js tsconfig.json tsconfig.build.json vue.config.js ./
+COPY babel.config.js .eslintrc.js LICENSE.md .prettierrc.js tsconfig.json tsconfig.build.json vue.config.js .eslintignore .prettierignore ./
 COPY public ./public
 COPY src ./src
 COPY webpack-config ./webpack-config
@@ -29,4 +29,4 @@ COPY --from=build-stage /app/dist /usr/share/nginx/html/frontend
 COPY --from=build-stage /app/dist /usr/share/nginx/html/h5p
 EXPOSE 4000
-CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
+CMD ["nginx", "-g", "daemon off;"]
From 5afef349f9114e87844e917828e84fc511d95058 Mon Sep 17 00:00:00 2001
From: Stephan Krause <101647440+SteKrause@users.noreply.github.com>
Date: Fri, 1 Sep 2023 10:45:45 +0200
Subject: [PATCH 6/6] Update nginx.conf.template
---
 dockerconf/nginx.conf.template | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dockerconf/nginx.conf.template b/dockerconf/nginx.conf.template
index ada3a95066..6456d44bdb 100644
--- a/dockerconf/nginx.conf.template
+++ b/dockerconf/nginx.conf.template
@@ -2,7 +2,7 @@ server {
 listen 4000;
 server_name localhost;
- set $csp "default-src 'self'; base-uri 'self'; script-src 'strict-dynamic' 'nonce-$request_id' 'unsafe-inline' https:; object-src 'none'; font-src 'self' data:; img-src 'self' ${H5P_IMG_SRC_URLS} data:; style-src 'self' 'unsafe-inline'; frame-src 'self'";
+ set $csp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS}";
 set $h5pcsp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' ${H5P_SCRIPT_SRC_URLS} 'unsafe-inline' https:; object-src 'none'; font-src 'self' data:; img-src 'self' ${H5P_IMG_SRC_URLS} data:; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS}";
@@ -97,4 +97,4 @@ server {
 gzip_proxied expired no-cache no-store private auth;
 gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
 gzip_disable "MSIE [1-6]\.";
-}
\ No newline at end of file
+}
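Review bot: The `+ set $csp` line puts the main-app policy back to exactly the value it had before patch 1 of this series (nonce then `'strict-dynamic'`, `img-src 'self' data:`, `frame-src 'self' ${H5P_FRAME_SRC_URLS}`), which is reasonable, but the reason `'unsafe-inline' https:` are kept deserves a comment: with a nonce plus `'strict-dynamic'`, CSP3 browsers ignore both of them (and any host source), so they only serve as a fallback for older browsers. Suggested, above the `set`: `# main app: nonce + 'strict-dynamic'; 'unsafe-inline' and https: are CSP1/2 fallbacks ignored by CSP3 browsers`. That comment would also highlight the contrast with `$h5pcsp` on the next line, where the same `https:` is live because `'strict-dynamic'` is absent.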