fix(nginx): add option to easy manage HEADERS (make it possible to se…

…t HSTS) #630 fix(nginx): add option to easy manage HEADERS (make it possible to set HSTS)
nextcloud · Oct 22, 2024 · 671f4c2 · 671f4c2
2 parents 3226e00 + 06726fe
commit 671f4c2
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 11 deletions.
diff --git a/charts/nextcloud/Chart.yaml b/charts/nextcloud/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: nextcloud
-version: 6.1.1
+version: 6.2.0
 appVersion: 30.0.1
 description: A file sharing server that puts the control and security of your own data back into your hands.
 keywords:

diff --git a/charts/nextcloud/README.md b/charts/nextcloud/README.md
@@ -20,6 +20,7 @@ helm install my-release nextcloud/nextcloud
     * [Object Storage as Primary Storage Configuration](#object-storage-as-primary-storage-configuration)
     * [Persistence Configurations](#persistence-configurations)
     * [Metrics Configurations](#metrics-configurations)
+    * [Headers set on nginx](#headers-set-on-nginx)
     * [Probes Configurations](#probes-configurations)
 * [Cron jobs](#cron-jobs)
 * [Using the nextcloud docker image auto-configuration via env vars](#using-the-nextcloud-docker-image-auto-configuration-via-env-vars)
@@ -399,6 +400,34 @@ helm install --name my-release -f values.yaml nextcloud/nextcloud
 > **Tip**: You can use the default [values.yaml](values.yaml)
 
 
+### Headers set on NGINX
+
+It is possible to set any additional header
+
+| Parameter                    | Description                         | Default   |
+|------------------------------|-------------------------------------|-----------|
+| `nginx.config.headers.<key>` | Headers which are added with nginx  |           |
+
+
+Following keys are already set with this values:
+  - Referrer-Policy: `no-referrer`
+  - X-Content-Type-Options: `nosniff`
+  - X-Download-Options: `noopen`
+  - X-Frame-Options: `SAMEORIGIN`
+  - X-Permitted-Cross-Domain-Policies: `none`
+  - X-Robots-Tag: `noindex, nofollow`
+  - X-XSS-Protection: `1; mode=block`
+
+Maybe you like to set:
+  - Strict-Transport-Security: `max-age=15768000; includeSubDomains; preload;`
+> [!WARNING]
+> Only add the preload option once you read about
+> the consequences in https://hstspreload.org/. This option
+> will add the domain to a hardcoded list that is shipped
+> in all major browsers and getting removed from this list
+> could take several months.
+
+
 ### Probes Configurations
 
 The nextcloud deployment includes a series of different probes you can use to determine if a pod is ready or not. You can learn more in the [Configure Liveness, Readiness and Startup Probes Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/).

diff --git a/charts/nextcloud/files/nginx.config.tpl b/charts/nextcloud/files/nginx.config.tpl
@@ -20,7 +20,11 @@ server {
     # will add the domain to a hardcoded list that is shipped
     # in all major browsers and getting removed from this list
     # could take several months.
-    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+    {{- range $name, $value := .Values.nginx.config.headers }}
+    {{- if $value }}
+    add_header {{ $name }} {{ $value | quote }} always;
+    {{- end }}
+    {{- end }}
 
     # set max upload size
     client_max_body_size 10G;
@@ -38,15 +42,6 @@ server {
     # with the `ngx_pagespeed` module, uncomment this line to disable it.
     #pagespeed off;
 
-    # HTTP response headers borrowed from Nextcloud `.htaccess`
-    add_header Referrer-Policy                      "no-referrer"       always;
-    add_header X-Content-Type-Options               "nosniff"           always;
-    add_header X-Download-Options                   "noopen"            always;
-    add_header X-Frame-Options                      "SAMEORIGIN"        always;
-    add_header X-Permitted-Cross-Domain-Policies    "none"              always;
-    add_header X-Robots-Tag                         "noindex, nofollow" always;
-    add_header X-XSS-Protection                     "1; mode=block"     always;
-
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;
 

diff --git a/charts/nextcloud/values.yaml b/charts/nextcloud/values.yaml
@@ -331,6 +331,24 @@ nginx:
   config:
     # This generates the default nginx config as per the nextcloud documentation
     default: true
+    headers:
+      # -- HSTS settings
+      # WARNING: Only add the preload option once you read about
+      # the consequences in https://hstspreload.org/. This option
+      # will add the domain to a hardcoded list that is shipped
+      # in all major browsers and getting removed from this list
+      # could take several months.
+      # Example:
+      # "Strict-Transport-Security": "max-age=15768000; includeSubDomains; preload;"
+      "Strict-Transport-Security": ""
+      "Referrer-Policy": "no-referrer"
+      "X-Content-Type-Options": "nosniff"
+      "X-Download-Options": "noopen"
+      "X-Frame-Options": "SAMEORIGIN"
+      "X-Permitted-Cross-Domain-Policies": "none"
+      "X-Robots-Tag": "noindex, nofollow"
+      "X-XSS-Protection": "1; mode=block"
+
     custom:
     # custom: |-
     #     worker_processes  1;..