From e686bef00a3847f61d48efc2ecd6dcfcd144a5a0 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 21 Feb 2016 11:16:40 +0000 Subject: [PATCH] Function to disable content sniffing --- src/freedombone | 59 +++++++++++++++++++++---------------------------- 1 file changed, 25 insertions(+), 34 deletions(-) diff --git a/src/freedombone b/src/freedombone index 3f7bee2f..f822152e 100755 --- a/src/freedombone +++ b/src/freedombone @@ -1471,6 +1471,14 @@ function nginx_ssl { echo " ssl_ciphers '$SSL_CIPHERS';" >> $filename } +function nginx_disable_sniffing { + domain_name=$1 + filename=/etc/nginx/sites-available/$domain_name + echo ' add_header X-Frame-Options DENY;' >> $filename + echo ' add_header X-Content-Type-Options nosniff;' >> $filename + echo '' >> $filename +} + function set_repo_commit { repo_dir=$1 repo_commit_name=$2 @@ -6502,8 +6510,7 @@ function install_owncloud { echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME nginx_ssl $OWNCLOUD_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME + nginx_disable_sniffing $OWNCLOUD_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # if you want to be able to access the site via HTTP' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # then replace the above with the following:' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME @@ -6578,8 +6585,7 @@ function install_owncloud { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME + nginx_disable_sniffing $OWNCLOUD_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # if you want to be able to access the site via HTTP' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # then replace the above with the following:' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME @@ -6899,8 +6905,7 @@ function install_gogs { echo " server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo " error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + nginx_disable_sniffing $GIT_DOMAIN_NAME echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME @@ -6925,8 +6930,7 @@ function install_gogs { echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME nginx_ssl $GIT_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + nginx_disable_sniffing $GIT_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME @@ -6960,8 +6964,7 @@ function install_gogs { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + nginx_disable_sniffing $GIT_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME @@ -7661,8 +7664,7 @@ function install_wiki { echo ' client_max_body_size 20m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + nginx_disable_sniffing $WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME @@ -7745,8 +7747,7 @@ function install_wiki { echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME nginx_ssl $WIKI_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + nginx_disable_sniffing $WIKI_DOMAIN_NAME echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME @@ -7829,8 +7830,7 @@ function install_wiki { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + nginx_disable_sniffing $WIKI_DOMAIN_NAME echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME @@ -8000,8 +8000,7 @@ function install_blog { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo ' # Always redirect the login page to https' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo ' location /login {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME @@ -8086,8 +8085,7 @@ function install_blog { echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME nginx_ssl $FULLBLOG_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME @@ -8170,8 +8168,7 @@ function install_blog { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME @@ -8394,8 +8391,7 @@ function install_rss_reader { echo ' deny all;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + nginx_disable_sniffing $RSS_READER_DOMAIN_NAME echo ' client_max_body_size 15m;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME echo ' set $mobile_rewrite do_not_perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME @@ -8660,8 +8656,7 @@ function install_gnu_social { echo '' >> $microblog_nginx_site echo ' # Security' >> $microblog_nginx_site nginx_ssl $MICROBLOG_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> $microblog_nginx_site - echo ' add_header X-Content-Type-Options nosniff;' >> $microblog_nginx_site + nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> $microblog_nginx_site echo '' >> $microblog_nginx_site echo ' # Logs' >> $microblog_nginx_site @@ -8735,8 +8730,7 @@ function install_gnu_social { echo ' deny all;' >> $microblog_nginx_site echo ' }' >> $microblog_nginx_site echo '' >> $microblog_nginx_site - echo ' add_header X-Frame-Options DENY;' >> $microblog_nginx_site - echo ' add_header X-Content-Type-Options nosniff;' >> $microblog_nginx_site + nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME echo ' client_max_body_size 15m;' >> $microblog_nginx_site echo '}' >> $microblog_nginx_site @@ -9124,8 +9118,7 @@ function install_hubzilla { echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME nginx_ssl $HUBZILLA_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME @@ -9201,8 +9194,7 @@ function install_hubzilla { echo ' limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME @@ -9512,8 +9504,7 @@ function install_mediagoblin { echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME nginx_ssl $MEDIAGOBLIN_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME + nginx_disable_sniffing $MEDIAGOBLIN_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME