Merge branch 'master' into PHRAS-3852_background-color

alchemy-fr · Sep 15, 2023 · a02c9ff · a02c9ff
2 parents 8e27cf6 + 7d23b76
commit a02c9ff
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 8 deletions.
diff --git a/.env b/.env
@@ -194,6 +194,11 @@ GATEWAY_USERS=
 # @run
 GATEWAY_FASTCGI_HTTPS=off
 
+# Content Security Policy (CSP)
+# security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting
+## @run 
+GATEWAY_CSP="default-src 'self' 127.0.0.1 https://apiws.carrick-skills.com:8443 https://apiws.carrick-flow.com:8443 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com data: ; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com  data: blob: ; style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com ; img-src 'self'  data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com https://www.gnu.org/graphics/ ; object-src 'self'; frame-ancestors 'self'"
+
 # --- RabbitMQ settings ------------------------------------------------------------------------------------------------
 
 # RabbitMQ user account : create an account in RabbitMQ container and use it

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -35,6 +35,7 @@ services:
     - GATEWAY_ALLOWED_IPS                      
     - GATEWAY_DENIED_IPS 
     - GATEWAY_USERS
+    - GATEWAY_CSP
     ports:
       - ${PHRASEANET_APP_PORT}:80
     networks:
@@ -68,6 +69,7 @@ services:
     - GATEWAY_DENIED_IPS
     - GATEWAY_USERS
     - GATEWAY_FASTCGI_HTTPS
+    - GATEWAY_CSP
     networks:
       - internal
     labels:

diff --git a/docker/nginx/root/entrypoint.sh b/docker/nginx/root/entrypoint.sh
@@ -25,6 +25,16 @@ else
   GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS on;fastcgi_param SERVER_PORT 443;"
 fi
 
+if [ ! -z "$GATEWAY_CSP" ]; then
+  echo "Content Security policies is defined to : $GATEWAY_CSP"
+  envsubst < "/securitycontentpolicies.sample.conf" > /etc/nginx/conf.d/securitycontentpolicies.conf
+else
+  echo "Content Security policies is defined"
+  export GATEWAY_CSP="default-src 'self' 127.0.0.1 https://apiws.carrick-skills.com:8443 https://apiws.carrick-flow.com:8443 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com data: ; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com  data: blob: ; style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com ; img-src 'self'  data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com https://www.gnu.org/graphics/ ; object-src 'self'; frame-ancestors 'self'"
+  echo "setting Security policies to : " $GATEWAY_CSP
+  envsubst < "/securitycontentpolicies.sample.conf" > /etc/nginx/conf.d/securitycontentpolicies.conf
+fi
+
 cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g"  | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g"  | sed "s/\$NEW_TARGET/$NEW_TARGET/g"  | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" > /etc/nginx/conf.d/default.conf
 cat /fastcgi_timeout.conf  | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" > /etc/nginx/fastcgi_extended_params
 

diff --git a/docker/nginx/root/etc/nginx/nginx.conf b/docker/nginx/root/etc/nginx/nginx.conf
@@ -11,6 +11,7 @@ events {
 
 http {
     include       /etc/nginx/mime.types;
+
     default_type  application/octet-stream;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@@ -23,13 +24,6 @@ http {
     #tcp_nopush     on;
     server_tokens off;
     #gzip  on;
-    ## Security headers for Nginx ##
-    add_header Strict-Transport-Security "max-age=15768000" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Xss-Protection "1; mode=block" always;
-    add_header Referrer-Policy  strict-origin-when-cross-origin;
-    add_header Content-Security-Policy  "default-src 'self' 127.0.0.1 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io data: ;script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com ;style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com ;img-src 'self' data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com ; object-src 'self';frame-ancestors 'self' ";
     include /etc/nginx/conf.d/*.conf;
 
 }
diff --git a/docker/nginx/root/securitycontentpolicies.sample.conf b/docker/nginx/root/securitycontentpolicies.sample.conf
@@ -0,0 +1,7 @@
+    ## Security headers for Nginx ##
+    add_header Strict-Transport-Security "max-age=15768000" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Xss-Protection "1; mode=block" always;
+    add_header Referrer-Policy  strict-origin-when-cross-origin;
+    add_header Content-Security-Policy  "$GATEWAY_CSP";
diff --git a/templates/mobile/common/matomo_analytics.html.twig b/templates/mobile/common/matomo_analytics.html.twig
@@ -6,7 +6,7 @@
         _paq.push(['trackPageView']);
         _paq.push(['enableLinkTracking']);
         (function() {
-            var u="//{{ app['conf'].get(['registry', 'general', 'matomo-analytics-url']) }}/";
+            var u="{{ app['conf'].get(['registry', 'general', 'matomo-analytics-url']) }}/";
             _paq.push(['setTrackerUrl', u+'matomo.php']);
             _paq.push(['setSiteId',  {{ app['conf'].get(['registry', 'general', 'matomo-analytics-id']) }}]);
             var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];