From e3d71d32fefeb6a19316a9c93cd5f8439dc7c987 Mon Sep 17 00:00:00 2001
From: Alex Anderson <191496+alxndrsn@users.noreply.github.com>
Date: Thu, 18 Aug 2022 00:02:41 +0300
Subject: [PATCH 1/6] nginx: set security headers at root path (#308)

Co-authored-by: alxndrsn
---
 files/nginx/common-headers.nginx.conf | 7 +++++++
 files/nginx/odk.conf.template | 6 +++---
 nginx.dockerfile | 1 +
 3 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 files/nginx/common-headers.nginx.conf

diff --git a/files/nginx/common-headers.nginx.conf b/files/nginx/common-headers.nginx.conf
new file mode 100644
index 00000000..b9f75ec7
--- /dev/null
+++ b/files/nginx/common-headers.nginx.conf
@@ -0,0 +1,7 @@
+# This file should be included in server{}, and also in any location{}
+# which has a call to add_header.
+# See: https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options nosniff;
diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template
index 6a053548..c635dba4 100644
--- a/files/nginx/odk.conf.template
+++ b/files/nginx/odk.conf.template
@@ -13,10 +13,8 @@ server {
   ssl_dhparam /etc/dh/nginx.pem;
   server_tokens off;
 
-  add_header Strict-Transport-Security "max-age=63072000" always;
-  add_header X-Frame-Options "SAMEORIGIN";
-  add_header X-Content-Type-Options nosniff;
+  include /usr/share/nginx/common-headers.nginx.conf;
 
   client_max_body_size 100m;
 
@@ -52,9 +50,11 @@ server {
   root /usr/share/nginx/html;
 
   location /version.txt {
+    include /usr/share/nginx/common-headers.nginx.conf;
     add_header Cache-Control no-cache;
   }
   location /index.html {
+    include /usr/share/nginx/common-headers.nginx.conf;
     add_header Cache-Control no-cache;
   }
 }
diff --git a/nginx.dockerfile b/nginx.dockerfile
index bb748043..1e5b639c 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
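Review bot: In the new files/nginx/common-headers.nginx.conf the X-Frame-Options and X-Content-Type-Options directives omit `always`, so unlike the Strict-Transport-Security line beside them they are only attached to 200/201/204/206/30x responses and are missing from 4xx/5xx pages, which is where error content is most often framed or sniffed. I would write `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header X-Content-Type-Options nosniff always;`. The Referrer-Policy line added to the same file in PATCH 3/6 has the same omission. A one-line comment such as `# 'always' keeps these on error responses too` next to the directives would make the choice explicit for the next editor.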
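Review bot: The second odk.conf.template hunk (`@@ -52,9 +50,11 @@`) adds the include only to the /version.txt and /index.html locations; since a location{} with its own add_header stops inheriting the server-level headers (as the new file's header comment says), any other location block in this template that calls add_header would silently lose the security headers, and the rest of the file is outside these hunks so I cannot confirm there is none. It would be worth auditing the remaining locations, and adding a pointer beside the server-level include in the first hunk, e.g. `# any location{} that uses add_header must include this file too`, so the rule is visible where new locations get written.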
@@ -23,6 +23,7 @@ COPY files/local/customssl/*.pem /etc/customssl/live/local/
 COPY files/nginx/default /etc/nginx/sites-enabled/
 COPY files/nginx/inflate_body.lua /usr/share/nginx/
 COPY files/nginx/odk.conf.template /usr/share/nginx/
+COPY files/nginx/common-headers.nginx.conf /usr/share/nginx/
 COPY files/nginx/certbot.conf /usr/share/nginx/
 COPY files/nginx/redirector.conf /usr/share/nginx/
 COPY --from=intermediate client/dist/ /usr/share/nginx/html/

From d1882cf835d28662fee0c5dc0270261a6c2c00d0 Mon Sep 17 00:00:00 2001
From: Alex Anderson <191496+alxndrsn@users.noreply.github.com>
Date: Wed, 31 Aug 2022 18:23:48 +0300
Subject: [PATCH 2/6] Add support for sentry organization subdomain (#312)

Co-authored-by: alxndrsn
---
 files/service/config.json.template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/files/service/config.json.template b/files/service/config.json.template
index d526a2a2..fc3814eb 100644
--- a/files/service/config.json.template
+++ b/files/service/config.json.template
@@ -28,6 +28,7 @@
   },
   "external": {
     "sentry": {
+      "orgSubdomain": "o130137",
       "key": "3cf75f54983e473da6bd07daddf0d2ee",
       "project": "1298632"
     }

From a421a2b441281984a62c31e65634406ed85acb18 Mon Sep 17 00:00:00 2001
From: Alex Anderson <191496+alxndrsn@users.noreply.github.com>
Date: Fri, 2 Sep 2022 09:07:16 +0300
Subject: [PATCH 3/6] nginx: add header: Referrer-Policy (#314)

Co-authored-by: alxndrsn
---
 files/nginx/common-headers.nginx.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/files/nginx/common-headers.nginx.conf b/files/nginx/common-headers.nginx.conf
index b9f75ec7..2cbd82ee 100644
--- a/files/nginx/common-headers.nginx.conf
+++ b/files/nginx/common-headers.nginx.conf
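Review bot: The new `"orgSubdomain": "o130137"` in files/service/config.json.template is a literal, like the `key` and `project` values next to it, whereas the other templates in this series take deployment-specific values from the environment (`${DOMAIN}`, `${HTTPS_PORT}`); every instance rendered from this template therefore reports to the same Sentry organisation. If that is the intent (upstream project telemetry), it would help to state so in the project documentation, since a reader of the template cannot tell whether these three values are placeholders to replace. If operators are meant to use their own Sentry, `"orgSubdomain": "${SENTRY_ORG_SUBDOMAIN}"` with `key` and `project` templated the same way would be the consistent shape; I cannot tell from the hunk which is intended.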
@@ -2,6 +2,7 @@
 # which has a call to add_header.
 # See: https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
 
+add_header Referrer-Policy same-origin;
 add_header Strict-Transport-Security "max-age=63072000" always;
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Content-Type-Options nosniff;

From e9c68e6a61ebe5fd75521a785f9e99bbbed8bd57 Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Mon, 19 Sep 2022 16:12:33 -0400
Subject: [PATCH 4/6] Upgrade Enketo to 4.1.2

---
 enketo.dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/enketo.dockerfile b/enketo.dockerfile
index 52d1da4d..1ef13ecc 100644
--- a/enketo.dockerfile
+++ b/enketo.dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/enketo/enketo-express:4.1.1
+FROM ghcr.io/enketo/enketo-express:4.1.2
 
 ENV ENKETO_SRC_DIR=/srv/src/enketo_express
 WORKDIR ${ENKETO_SRC_DIR}

From d940e0123ad057172fe0ab0fbafd6b0e5850556a Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Mon, 19 Sep 2022 16:13:17 -0400
Subject: [PATCH 5/6] Update "server url" in Enketo config

---
 files/enketo/config.json.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/enketo/config.json.template b/files/enketo/config.json.template
index 7c8fa829..8a81878e 100644
--- a/files/enketo/config.json.template
+++ b/files/enketo/config.json.template
@@ -11,7 +11,7 @@
       "url": "https://${DOMAIN}:${HTTPS_PORT}/#/login?next={RETURNURL}"
     },
     "name": "ODK Central",
-    "server url": ""
+    "server url": "${DOMAIN}"
   },
   "logo": {
     "source": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=",

From 1d863178467f57257c18494fc1db4e56ebdb29ff Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Wed, 21 Sep 2022 16:51:57 -0400
Subject: [PATCH 6/6] Update submodules for v1.5.3 (#324)

---
 client | 2 +-
 server | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/client b/client
index 3078965d..d9cb07fd 160000
--- a/client
+++ b/client
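Review bot: The new `"server url": "${DOMAIN}"` in files/enketo/config.json.template is a bare hostname, while the `url` two lines above in the same hunk is built as `https://${DOMAIN}:${HTTPS_PORT}/...`; whether Enketo compares this value against the full server URL or treats it as a substring is not visible here, so a deployment on a non-default HTTPS_PORT, or behind a scheme-prefixed comparison, is the case to check. Replacing the previous empty string with a host value narrows which server may use this Enketo instance, which is the right direction, but the expected format should be recorded where an operator will see it, since a JSON template cannot hold a comment: a line in the project docs or the template's sibling README stating that `server url` is the bare domain without scheme or port, and that the old empty value meant no restriction, if that is what Enketo does.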
@@ -1 +1 @@
-Subproject commit 3078965dc8ad86b34944476d0dd84475487d44ab
+Subproject commit d9cb07fdceaa7df017ed2aee114db1b2b7e1a2d8
diff --git a/server b/server
index 12568c50..badb3912 160000
--- a/server
+++ b/server
@@ -1 +1 @@
-Subproject commit 12568c504151c919b11c9962dd3ef866cebbd0e7
+Subproject commit badb3912fdf4d5dca29bd4cd520b9d3b4788db6e