Merge pull request #30 from linuxserver/frame-ancestors

Set frame-ancestors in Content-Security-Policy

README.md

@@ -245,7 +245,7 @@ This will *ask* Google et al not to index and list your site. Be careful with th
   2. Review our repository commits and apply the new changes yourself
   3. Delete the modified config file with listed updates, restart the container, reapply your changes
 * If you have NOT modified a file with noted changes in the changelog:
-  1. Delete the config file with listed updates, restart the container, reapply your changes
+  1. Delete the config file with listed updates, restart the container
 * Proxy sample updates are not listed in the changelog. See the changes here: [https://github.com/linuxserver/reverse-proxy-confs/commits/master](https://github.com/linuxserver/reverse-proxy-confs/commits/master)
 * Proxy sample files WILL be updated, however your renamed (enabled) proxy files will not.
 * You can check the new sample and adjust your active config as needed.
@@ -322,7 +322,9 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
-* **20.09.20:** - Update nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme.
+* **29.10.20:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) ssl.conf - Add frame-ancestors to Content-Security-Policy.
+* **04.10.20:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and ssl.conf - Minor cleanups and reordering.
+* **20.09.20:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme.
 * **08.09.20:** - Add php7-xsl.
-* **01.09.20:** - Update nginx.conf and proxy.conf (and various proxy samples) to better handle websockets.
+* **01.09.20:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and various proxy samples - Global websockets across all configs.
 * **03.08.20:** - Initial release.

package_versions.txt

@@ -6,7 +6,7 @@ apr-1.7.0-r0
 apr-util-1.6.1-r6
 argon2-libs-20190702-r1
 bash-5.0.17-r0
-brotli-libs-1.0.7-r5
+brotli-libs-1.0.9-r1
 busybox-1.31.1-r19
 c-client-2007f-r11
 ca-certificates-20191127-r4
@@ -16,7 +16,7 @@ curl-7.69.1-r1
 db-5.3.28-r1
 expat-2.2.9-r1
 fail2ban-0.11.1-r3
-freetype-2.10.2-r0
+freetype-2.10.4-r0
 gdbm-1.13-r1
 git-2.26.2-r0
 git-perl-2.26.2-r0
@@ -95,26 +95,26 @@ ncurses-libs-6.2_p20200523-r0
 ncurses-terminfo-base-6.2_p20200523-r0
 nettle-3.5.1-r1
 nghttp2-libs-1.41.0-r0
-nginx-1.18.0-r0
-nginx-mod-devel-kit-1.18.0-r0
-nginx-mod-http-echo-1.18.0-r0
-nginx-mod-http-fancyindex-1.18.0-r0
-nginx-mod-http-geoip2-1.18.0-r0
-nginx-mod-http-headers-more-1.18.0-r0
-nginx-mod-http-image-filter-1.18.0-r0
-nginx-mod-http-lua-1.18.0-r0
-nginx-mod-http-lua-upstream-1.18.0-r0
-nginx-mod-http-nchan-1.18.0-r0
-nginx-mod-http-perl-1.18.0-r0
-nginx-mod-http-redis2-1.18.0-r0
-nginx-mod-http-set-misc-1.18.0-r0
-nginx-mod-http-upload-progress-1.18.0-r0
-nginx-mod-http-xslt-filter-1.18.0-r0
-nginx-mod-mail-1.18.0-r0
-nginx-mod-rtmp-1.18.0-r0
-nginx-mod-stream-1.18.0-r0
-nginx-mod-stream-geoip2-1.18.0-r0
-nginx-vim-1.18.0-r0
+nginx-1.18.0-r1
+nginx-mod-devel-kit-1.18.0-r1
+nginx-mod-http-echo-1.18.0-r1
+nginx-mod-http-fancyindex-1.18.0-r1
+nginx-mod-http-geoip2-1.18.0-r1
+nginx-mod-http-headers-more-1.18.0-r1
+nginx-mod-http-image-filter-1.18.0-r1
+nginx-mod-http-lua-1.18.0-r1
+nginx-mod-http-lua-upstream-1.18.0-r1
+nginx-mod-http-nchan-1.18.0-r1
+nginx-mod-http-perl-1.18.0-r1
+nginx-mod-http-redis2-1.18.0-r1
+nginx-mod-http-set-misc-1.18.0-r1
+nginx-mod-http-upload-progress-1.18.0-r1
+nginx-mod-http-xslt-filter-1.18.0-r1
+nginx-mod-mail-1.18.0-r1
+nginx-mod-rtmp-1.18.0-r1
+nginx-mod-stream-1.18.0-r1
+nginx-mod-stream-geoip2-1.18.0-r1
+nginx-vim-1.18.0-r1
 npth-1.6-r0
 openssl-1.1.1g-r0
 p11-kit-0.23.20-r5
@@ -151,8 +151,8 @@ php7-pdo_odbc-7.3.23-r0
 php7-pdo_pgsql-7.3.23-r0
 php7-pdo_sqlite-7.3.23-r0
 php7-pear-7.3.23-r0
-php7-pecl-apcu-5.1.18-r0
-php7-pecl-igbinary-3.1.4-r0
+php7-pecl-apcu-5.1.19-r0
+php7-pecl-igbinary-3.1.6-r0
 php7-pecl-mcrypt-1.0.3-r0
 php7-pecl-memcached-3.1.5-r0
 php7-pecl-redis-5.2.2-r1

readme-vars.yml

@@ -139,7 +139,7 @@ app_setup_block: |
     2. Review our repository commits and apply the new changes yourself
     3. Delete the modified config file with listed updates, restart the container, reapply your changes
   * If you have NOT modified a file with noted changes in the changelog:
-    1. Delete the config file with listed updates, restart the container, reapply your changes
+    1. Delete the config file with listed updates, restart the container
   * Proxy sample updates are not listed in the changelog. See the changes here: [https://github.com/linuxserver/reverse-proxy-confs/commits/master](https://github.com/linuxserver/reverse-proxy-confs/commits/master)
   * Proxy sample files WILL be updated, however your renamed (enabled) proxy files will not.
   * You can check the new sample and adjust your active config as needed.
@@ -149,7 +149,9 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
-  - { date: "20.09.20:", desc: "Update nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme."}
+  - { date: "29.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) ssl.conf - Add frame-ancestors to Content-Security-Policy." }
+  - { date: "04.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and ssl.conf - Minor cleanups and reordering." }
+  - { date: "20.09.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme."}
   - { date: "08.09.20:", desc: "Add php7-xsl." }
-  - { date: "01.09.20:", desc: "Update nginx.conf and proxy.conf (and various proxy samples) to better handle websockets." }
+  - { date: "01.09.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and various proxy samples - Global websockets across all configs." }
   - { date: "03.08.20:", desc: "Initial release." }

root/defaults/geoip2.conf

@@ -1,4 +1,4 @@
-## Version 2020/09/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/geoip2.conf
+## Version 2020/10/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/geoip2.conf
 # To enable, uncommment the Geoip2 config line in nginx.conf
 # Add the -e MAXMINDDB_LICENSE_KEY=<licensekey> to automatically download the Geolite2 database.
 # A Maxmind license key can be acquired here: https://www.maxmind.com/en/geolite2/signup
@@ -18,48 +18,52 @@ geoip2 /config/geoip2db/GeoLite2-City.mmdb {
 # GEOIP2 COUNTRY CONFIG
 map $geoip2_data_country_iso_code $allowed_country {
     # default must be yes or no
+    # If default is set to "no" you will need to add the local ip ranges that you want to allow access in the $allow_list variable below.
     default yes;
 
     # Below you will setup conditions with yes or no
     # ex: <condition> <yes/no>;
-    # If your default is set to yes you can setup conditions that would set it to no (and vice versa)
-    # Conditions are either network address (CIDR notation) or country code
 
     # allow United Kingdom.
     #GB yes;
-
-    # allow local access.
-    #192.168.1.0/24 yes;
 }
 
 # GEOIP2 CITY CONFIG
 map $geoip2_data_city_name $allowed_city {
     # default must be yes or no
+    # If default is set to "no" you will need to add the local ip ranges that you want to allow access in the $allow_list variable below.
     default yes;
 
     # Below you will setup conditions with yes or no
     # ex: <condition> <yes/no>;
-    # If your default is set to yes you can setup conditions that would set it to no (and vice versa)
-    # Conditions are either network address (CIDR notation) or city name
 
     # allow Inverness.
     #Inverness yes;
+}
 
-    # allow local access.
-    #192.168.1.0/24 yes;
+# ALLOW LOCAL ACCESS
+geo $allow_list {
+    default yes; # Set this to no if $allowed_country or $allowed_city default is no. 
+    # IP/CIDR yes; # e.g. 192.168.1.0/24 yes;
 }
 
 # Server config example:
-# Add the following if statement inside any server context where you want to geo block countries.
+# Add the following if statements inside any server context where you want to geo block countries.
 
 ########################################
+#   if ($allow_list = yes) {
+#   set $allowed_country yes;
+#   }
 #	if ($allowed_country = no) {
 #	return 444;
 #	}
 #########################################
 
-# Add the following if statement inside any server context where you want to geo block cities.
+# Add the following if statements inside any server context where you want to geo block cities.
 ########################################
+#   if ($allow_list = yes) {
+#   set $allowed_country yes;
+#   }
 #	if ($allowed_city = no) {
 #	return 444;
 #	}
@@ -84,6 +88,10 @@ map $geoip2_data_city_name $allowed_city {
 #    #include /config/nginx/authelia-server.conf;
 
 
+#   # Allow lan access if default is set to no
+#   if ($allow_list = yes) {
+#   set $allowed_country yes;
+#   }
 #    # Country geo block
 #    if ($allowed_country = no) {
 #       return 444;

root/defaults/nginx.conf

@@ -1,4 +1,4 @@
-## Version 2020/09/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2020/10/04 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
 
 user abc;
 worker_processes 4;
@@ -16,21 +16,21 @@ http {
 	# Basic Settings
 	##
 
-	sendfile on;
-	tcp_nopush on;
-	tcp_nodelay on;
+	client_body_buffer_size 128k;
+	client_max_body_size 0;
 	keepalive_timeout 65;
+	large_client_header_buffers 4 16k;
+	send_timeout 5m;
+	sendfile on;
+	tcp_nodelay on;
+	tcp_nopush on;
 	types_hash_max_size 2048;
 	variables_hash_max_size 2048;
-	large_client_header_buffers 4 16k;
 
 	# server_tokens off;
-
 	# server_names_hash_bucket_size 64;
 	# server_name_in_redirect off;
 
-	client_max_body_size 0;
-
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
 
@@ -90,9 +90,9 @@ http {
 	##
 	# Geoip2 config
 	##
-	# Uncomment to add the Geoip2 configs needed to geo block countries/cities. 
+	# Uncomment to add the Geoip2 configs needed to geo block countries/cities.
 	##
-	
+
 	#include /config/nginx/geoip2.conf;
 }
 

root/defaults/proxy.conf

@@ -1,33 +1,30 @@
-## Version 2020/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+## Version 2020/10/04 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
 
-client_body_buffer_size 128k;
-
-#Timeout if the real server is dead
+# Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 
-# Advanced Proxy Config
-send_timeout 5m;
-proxy_read_timeout 240;
-proxy_send_timeout 240;
-proxy_connect_timeout 240;
-
-# TLS 1.3 early data
-proxy_set_header Early-Data $ssl_early_data;
-
-# Basic Proxy Config
-proxy_set_header Host $host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto https;
-proxy_set_header X-Forwarded-Host $host;
-proxy_set_header X-Forwarded-Ssl on;
-proxy_redirect  http://  $scheme://;
-proxy_http_version 1.1;
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection $connection_upgrade;
-#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
-proxy_cache_bypass $cookie_session;
-proxy_no_cache $cookie_session;
+# Proxy Connection Settings
 proxy_buffers 32 4k;
+proxy_connect_timeout 240;
 proxy_headers_hash_bucket_size 128;
 proxy_headers_hash_max_size 1024;
+proxy_http_version 1.1;
+proxy_read_timeout 240;
+proxy_redirect  http://  $scheme://;
+proxy_send_timeout 240;
+
+# Proxy Cache and Cookie Settings
+proxy_cache_bypass $cookie_session;
+#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
+proxy_no_cache $cookie_session;
+
+# Proxy Header Settings
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Early-Data $ssl_early_data;
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Real-IP $remote_addr;

root/defaults/ssl.conf

@@ -1,4 +1,4 @@
-## Version 2020/06/17 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2020/10/29 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
 
 ### Mozilla Recommendations
 # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
@@ -39,10 +39,10 @@ ssl_early_data on;
 #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 
 # Optional additional headers
-#add_header Content-Security-Policy "upgrade-insecure-requests";
-#add_header X-Frame-Options "SAMEORIGIN" always;
-#add_header X-XSS-Protection "1; mode=block" always;
-#add_header X-Content-Type-Options "nosniff" always;
-#add_header X-UA-Compatible "IE=Edge" always;
 #add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
 #add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;