Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-02-27 03:41:30 +01:00
Code Issues Projects Releases Wiki Activity

Make nginx Content-Security-Policy configurable (#1048)

Browse Source 
* Adding the nginx head Content-Security-Policy to the Configuration file

* fixing whitespace formatting

* adding a '+' that got removed
This commit is contained in:
Joseph Flinn 2020-12-18 07:58:35 -08:00 committed by GitHub
parent 037757a740
commit 97ba472606
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
util/Setup/Configuration.cs
View File

@ -72,6 +72,15 @@ namespace Bit.Setup
"`/etc/ssl` within the container.")] "`/etc/ssl` within the container.")]
public string SslDiffieHellmanPath { get; set; } public string SslDiffieHellmanPath { get; set; }
[Description("Nginx Header Content-Security-Policy parameter\n" +
"WARNING: Reconfiguring this parameter may break features. By changing this parameter\n" +
"you become responsible for maintaining this value.")]
public string NginxHeaderContentSecurityPolicy { get; set; } = "default-src 'self'; style-src 'self' " +
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
"child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
"https://twofactorauth.org; object-src 'self' blob:;";
[Description("Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile\n" + [Description("Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile\n" +
"app live sync.")] "app live sync.")]
public bool PushNotifications { get; set; } = true; public bool PushNotifications { get; set; } = true;

10
util/Setup/NginxConfigBuilder.cs
View File

@ -6,13 +6,6 @@ namespace Bit.Setup
public class NginxConfigBuilder public class NginxConfigBuilder
{ {
private const string ConfFile = "/bitwarden/nginx/default.conf"; private const string ConfFile = "/bitwarden/nginx/default.conf";
private const string ContentSecurityPolicy =
"default-src 'self'; style-src 'self' 'unsafe-inline'; " +
"img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
"child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
"https://twofactorauth.org; " +
"object-src 'self' blob:;";
private readonly Context _context; private readonly Context _context;
@ -79,6 +72,7 @@ namespace Bit.Setup
Domain = context.Config.Domain; Domain = context.Config.Domain;
Url = context.Config.Url; Url = context.Config.Url;
RealIps = context.Config.RealIps; RealIps = context.Config.RealIps;
ContentSecurityPolicy = string.Format(context.Config.NginxHeaderContentSecurityPolicy, Domain);
if (Ssl) if (Ssl)
{ {
@ -129,7 +123,7 @@ namespace Bit.Setup
public string DiffieHellmanPath { get; set; } public string DiffieHellmanPath { get; set; }
public string SslCiphers { get; set; } public string SslCiphers { get; set; }
public string SslProtocols { get; set; } public string SslProtocols { get; set; }
public string ContentSecurityPolicy => string.Format(NginxConfigBuilder.ContentSecurityPolicy, Domain); public string ContentSecurityPolicy { get; set; }
public List<string> RealIps { get; set; } public List<string> RealIps { get; set; }
} }
} }