From cdeeab365fd8caf22e634c0c583c48b5f5638ceb Mon Sep 17 00:00:00 2001 From: saibotk Date: Mon, 29 Jun 2020 00:17:45 +0200 Subject: [PATCH] Remove HSTS headers & ssl_session_cache & use nginx:alpine The HSTS headers are already set by Traefik and the ssl session cache does not make sense for a HTTP only container, with a proxy that handles TLS. Also the docker image will now use the latest alpine image instead of the old fixed version. --- _docker/Dockerfile | 2 +- _docker/default.conf | 12 +----------- 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/_docker/Dockerfile b/_docker/Dockerfile index 37a119d..2670df4 100644 --- a/_docker/Dockerfile +++ b/_docker/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.17-alpine +FROM nginx:alpine COPY ./public/ /usr/share/nginx/html/ diff --git a/_docker/default.conf b/_docker/default.conf index 76d1c08..a0848e4 100644 --- a/_docker/default.conf +++ b/_docker/default.conf @@ -13,12 +13,6 @@ map $sent_http_content_type $expires { proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g; -# Set HSTS if forwarded proto is https -map $http_x_forwarded_proto $hsts_header { - default ""; - https "max-age=31536000; includeSubDomains;"; -} - server { root /usr/share/nginx/html; @@ -33,13 +27,9 @@ server { set_real_ip_from 172.16.0.0/12; - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:50m; - - add_header Strict-Transport-Security $hsts_header; add_header X-Frame-Options "DENY"; add_header Referrer-Policy "no-referrer"; - add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline'; font-src data: 'self'; object-src data:; base-uri 'none'; form-action 'none'; worker-src 'self'; connect-src 'self'"; + add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline'; font-src data: 'self'; object-src data:; base-uri 'none'; form-action 'none'; worker-src 'self'; connect-src 'self'; manifest-src 'self'"; add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none'; usb 'none';"; add_header Allow "GET, HEAD" always;