merge upstream

2021-05-25 21:10:34 +08:00
parent 85777e8f96 1ed0857019
commit ea6e344d05
9 changed files with 73 additions and 10 deletions
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2
@ -9,6 +9,14 @@
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}
+	
+	{% if matrix_nginx_proxy_hsts_preload_enabled %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	{% else %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% endif %}
+	
+	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";

 	{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
 		{{- configuration_block }}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2
@ -3,8 +3,12 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
-
-	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% if matrix_nginx_proxy_hsts_preload_enabled %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	{% else %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% endif %}
+	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
 	add_header X-Content-Type-Options nosniff;

 {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
@ -4,13 +4,20 @@
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

-	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% if matrix_nginx_proxy_hsts_preload_enabled %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	{% else %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% endif %}
 	add_header X-Content-Type-Options nosniff;
+	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
 	add_header X-Frame-Options SAMEORIGIN;
+
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}

+
 	{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
@ -3,8 +3,12 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
-
-	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% if matrix_nginx_proxy_hsts_preload_enabled %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	{% else %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% endif %}
+	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
 	add_header X-Content-Type-Options nosniff;
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@ -20,6 +20,14 @@
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}
+	
+	{% if matrix_nginx_proxy_hsts_preload_enabled %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	{% else %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% endif %}
+	
+	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";

 	location /.well-known/matrix {
 		root {{ matrix_static_files_base_path }};
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
@ -4,7 +4,11 @@
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

-	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	{% if matrix_nginx_proxy_hsts_preload_enabled %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	{% else %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% endif %}
 	# duplicate X-Content-Type-Options & X-Frame-Options header
 	# Enabled by grafana by default
 	# add_header X-Content-Type-Options nosniff;
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
@ -3,8 +3,12 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
-
-	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% if matrix_nginx_proxy_hsts_preload_enabled %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	{% else %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% endif %}
+	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
 	add_header X-Content-Type-Options nosniff;
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
@ -3,8 +3,12 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
-
-	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% if matrix_nginx_proxy_hsts_preload_enabled %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	{% else %}
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	{% endif %}
+	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
 	add_header X-Content-Type-Options nosniff;
 	add_header X-Frame-Options DENY;