Merge pull request #30 from linuxserver/frame-ancestors

Set frame-ancestors in Content-Security-Policy

README.md

@@ -322,6 +322,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **29.10.20:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) ssl.conf - Add frame-ancestors to Content-Security-Policy.
 * **04.10.20:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and ssl.conf - Minor cleanups and reordering.
 * **20.09.20:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme.
 * **08.09.20:** - Add php7-xsl.

package_versions.txt

@@ -16,7 +16,7 @@ curl-7.69.1-r1
 db-5.3.28-r1
 expat-2.2.9-r1
 fail2ban-0.11.1-r3
-freetype-2.10.2-r0
+freetype-2.10.4-r0
 gdbm-1.13-r1
 git-2.26.2-r0
 git-perl-2.26.2-r0
@@ -95,26 +95,26 @@ ncurses-libs-6.2_p20200523-r0
 ncurses-terminfo-base-6.2_p20200523-r0
 nettle-3.5.1-r1
 nghttp2-libs-1.41.0-r0
-nginx-1.18.0-r0
-nginx-mod-devel-kit-1.18.0-r0
-nginx-mod-http-echo-1.18.0-r0
-nginx-mod-http-fancyindex-1.18.0-r0
-nginx-mod-http-geoip2-1.18.0-r0
-nginx-mod-http-headers-more-1.18.0-r0
-nginx-mod-http-image-filter-1.18.0-r0
-nginx-mod-http-lua-1.18.0-r0
-nginx-mod-http-lua-upstream-1.18.0-r0
-nginx-mod-http-nchan-1.18.0-r0
-nginx-mod-http-perl-1.18.0-r0
-nginx-mod-http-redis2-1.18.0-r0
-nginx-mod-http-set-misc-1.18.0-r0
-nginx-mod-http-upload-progress-1.18.0-r0
-nginx-mod-http-xslt-filter-1.18.0-r0
-nginx-mod-mail-1.18.0-r0
-nginx-mod-rtmp-1.18.0-r0
-nginx-mod-stream-1.18.0-r0
-nginx-mod-stream-geoip2-1.18.0-r0
-nginx-vim-1.18.0-r0
+nginx-1.18.0-r1
+nginx-mod-devel-kit-1.18.0-r1
+nginx-mod-http-echo-1.18.0-r1
+nginx-mod-http-fancyindex-1.18.0-r1
+nginx-mod-http-geoip2-1.18.0-r1
+nginx-mod-http-headers-more-1.18.0-r1
+nginx-mod-http-image-filter-1.18.0-r1
+nginx-mod-http-lua-1.18.0-r1
+nginx-mod-http-lua-upstream-1.18.0-r1
+nginx-mod-http-nchan-1.18.0-r1
+nginx-mod-http-perl-1.18.0-r1
+nginx-mod-http-redis2-1.18.0-r1
+nginx-mod-http-set-misc-1.18.0-r1
+nginx-mod-http-upload-progress-1.18.0-r1
+nginx-mod-http-xslt-filter-1.18.0-r1
+nginx-mod-mail-1.18.0-r1
+nginx-mod-rtmp-1.18.0-r1
+nginx-mod-stream-1.18.0-r1
+nginx-mod-stream-geoip2-1.18.0-r1
+nginx-vim-1.18.0-r1
 npth-1.6-r0
 openssl-1.1.1g-r0
 p11-kit-0.23.20-r5

readme-vars.yml

@@ -149,6 +149,7 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+  - { date: "29.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) ssl.conf - Add frame-ancestors to Content-Security-Policy." }
   - { date: "04.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and ssl.conf - Minor cleanups and reordering." }
   - { date: "20.09.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme."}
   - { date: "08.09.20:", desc: "Add php7-xsl." }

root/defaults/geoip2.conf

@@ -1,4 +1,4 @@
-## Version 2020/09/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/geoip2.conf
+## Version 2020/10/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/geoip2.conf
 # To enable, uncommment the Geoip2 config line in nginx.conf
 # Add the -e MAXMINDDB_LICENSE_KEY=<licensekey> to automatically download the Geolite2 database.
 # A Maxmind license key can be acquired here: https://www.maxmind.com/en/geolite2/signup
@@ -18,48 +18,52 @@ geoip2 /config/geoip2db/GeoLite2-City.mmdb {
 # GEOIP2 COUNTRY CONFIG
 map $geoip2_data_country_iso_code $allowed_country {
     # default must be yes or no
+    # If default is set to "no" you will need to add the local ip ranges that you want to allow access in the $allow_list variable below.
     default yes;
 
     # Below you will setup conditions with yes or no
     # ex: <condition> <yes/no>;
-    # If your default is set to yes you can setup conditions that would set it to no (and vice versa)
-    # Conditions are either network address (CIDR notation) or country code
 
     # allow United Kingdom.
     #GB yes;
-
-    # allow local access.
-    #192.168.1.0/24 yes;
 }
 
 # GEOIP2 CITY CONFIG
 map $geoip2_data_city_name $allowed_city {
     # default must be yes or no
+    # If default is set to "no" you will need to add the local ip ranges that you want to allow access in the $allow_list variable below.
     default yes;
 
     # Below you will setup conditions with yes or no
     # ex: <condition> <yes/no>;
-    # If your default is set to yes you can setup conditions that would set it to no (and vice versa)
-    # Conditions are either network address (CIDR notation) or city name
 
     # allow Inverness.
     #Inverness yes;
+}
 
-    # allow local access.
-    #192.168.1.0/24 yes;
+# ALLOW LOCAL ACCESS
+geo $allow_list {
+    default yes; # Set this to no if $allowed_country or $allowed_city default is no. 
+    # IP/CIDR yes; # e.g. 192.168.1.0/24 yes;
 }
 
 # Server config example:
-# Add the following if statement inside any server context where you want to geo block countries.
+# Add the following if statements inside any server context where you want to geo block countries.
 
 ########################################
+#   if ($allow_list = yes) {
+#   set $allowed_country yes;
+#   }
 #	if ($allowed_country = no) {
 #	return 444;
 #	}
 #########################################
 
-# Add the following if statement inside any server context where you want to geo block cities.
+# Add the following if statements inside any server context where you want to geo block cities.
 ########################################
+#   if ($allow_list = yes) {
+#   set $allowed_country yes;
+#   }
 #	if ($allowed_city = no) {
 #	return 444;
 #	}
@@ -84,6 +88,10 @@ map $geoip2_data_city_name $allowed_city {
 #    #include /config/nginx/authelia-server.conf;
 
 
+#   # Allow lan access if default is set to no
+#   if ($allow_list = yes) {
+#   set $allowed_country yes;
+#   }
 #    # Country geo block
 #    if ($allowed_country = no) {
 #       return 444;

root/defaults/ssl.conf

@@ -1,4 +1,4 @@
-## Version 2020/10/04 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2020/10/29 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
 
 ### Mozilla Recommendations
 # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
@@ -40,7 +40,7 @@ ssl_early_data on;
 
 # Optional additional headers
 #add_header Cache-Control "no-transform" always;
-#add_header Content-Security-Policy "upgrade-insecure-requests";
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
 #add_header Referrer-Policy "same-origin" always;
 #add_header X-Content-Type-Options "nosniff" always;
 #add_header X-Frame-Options "SAMEORIGIN" always;