Home Explore Help
Sign In
kolter
/
ansible-playbooks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Improve web content delivery in Nginx by adding some headers by default like: X-Frame-Options, X-XSS-Protection and X-Content-Type-Options

Emmanuel Bouthenot 10 years ago
parent
d5c9b696ca
commit
121ffad807
4 changed files with 32 additions and 10 deletions
Unified View Show Diff Stats
  1. 1 0
      roles/webserver/tasks/nginx.yml
  2. 1 0
      roles/webserver/templates/nginx/vhost_all.j2
  3. 14 10
      roles/webserver/templates/nginx/vhost_expires.j2
  4. 16 0
      roles/webserver/templates/nginx/vhost_security.j2

+ 1 - 0
roles/webserver/tasks/nginx.yml
View File 

@@ -29,6 +29,7 @@
 
     - expires
 
     - expires
 
     - cache-fd
 
     - cache-fd
 
     - protect-files
 
     - protect-files
 
+    - security
 
   notify:
 
   notify:
 
     - Reload nginx
 
     - Reload nginx
 
   when: with_nginx
 
   when: with_nginx

+ 1 - 0
roles/webserver/templates/nginx/vhost_all.j2
View File 

@@ -6,3 +6,4 @@
 
 include /etc/nginx/vhost_expires;
 
 include /etc/nginx/vhost_expires;
 
 include /etc/nginx/vhost_cache-fd;
 
 include /etc/nginx/vhost_cache-fd;
 
 include /etc/nginx/vhost_protect-files;
 
 include /etc/nginx/vhost_protect-files;
 
+include /etc/nginx/vhost_security;

+ 14 - 10
roles/webserver/templates/nginx/vhost_expires.j2
View File 

@@ -8,33 +8,37 @@
 
 
 
 # cache.appcache, your document html and data
 
 # cache.appcache, your document html and data
 
 location ~* \.(?:manifest|appcache|html?|xml|json)$ {
 
 location ~* \.(?:manifest|appcache|html?|xml|json)$ {
 
-  expires -1;
 
+    expires -1;
 
 }
 
 }
 
 
 
 # Feeds
 
 # Feeds
 
 location ~* \.(?:rss|atom)$ {
 
 location ~* \.(?:rss|atom)$ {
 
-  expires 1h;
 
-  add_header Cache-Control "public";
 
+    expires 1h;
 
+    add_header Cache-Control "public";
 
+    add_header X-Content-Type-Options "nosniff";
 
 }
 
 }
 
 
 
 # Media: images, icons, video, audio, HTC
 
 # Media: images, icons, video, audio, HTC
 
 location ~* \.(?:jpg|jpeg|gif|png|ico|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
 
 location ~* \.(?:jpg|jpeg|gif|png|ico|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
 
-  expires 1M;
 
-  access_log off;
 
-  add_header Cache-Control "public";
 
+    expires 1M;
 
+    access_log off;
 
+    add_header Cache-Control "public";
 
+    add_header X-Content-Type-Options "nosniff";
 
 }
 
 }
 
 
 
 # Web fonts
 
 # Web fonts
 
-location ~* \.(?:ttf|ttc|otf|eot|woff)$ {
 
+location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
 
     expires 1M;
 
     expires 1M;
 
     access_log off;
 
     access_log off;
 
     add_header Cache-Control "public";
 
     add_header Cache-Control "public";
 
     add_header "Access-Control-Allow-Origin" "*";
 
     add_header "Access-Control-Allow-Origin" "*";
 
+    add_header X-Content-Type-Options "nosniff";
 
 }
 
 }
 
 
 
 # CSS and Javascript
 
 # CSS and Javascript
 
 location ~* \.(?:css|js)$ {
 
 location ~* \.(?:css|js)$ {
 
-  expires 2M;
 
-  access_log off;
 
-  add_header Cache-Control "public";
 
+    expires 2M;
 
+    access_log off;
 
+    add_header Cache-Control "public";
 
+    add_header X-Content-Type-Options "nosniff";
 
 }
 
 }

+ 16 - 0
roles/webserver/templates/nginx/vhost_security.j2
View File 

@@ -0,0 +1,16 @@
 
+{% if ansible_prolog -%}
 
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
 
+{{ prolog() }}
 
+{% endif -%}
 
+#
 
+# Various security rules
 
+#
 
+
 
+# Clickjacking protection
 
+add_header X-Frame-Options "sameorigin";
 
+
 
+# Cross-site scripting (XSS) filter
 
+add_header X-XSS-Protection "1; mode=block";
 
+
 
+# Prevents from MIME-sniffing a response away from the declared content-type
 
+add_header X-Content-Type-Options "nosniff";