From 06726fe6fe73300cd3d050295867644f55e5bcd4 Mon Sep 17 00:00:00 2001
From: WrenIX
Date: Thu, 19 Sep 2024 20:02:00 +0200
Subject: [PATCH] fix(nginx): add option to easy manage HEADERS (make it possible to set HSTS)
Signed-off-by: WrenIX
---
 charts/nextcloud/Chart.yaml | 2 +-
 charts/nextcloud/README.md | 29 +++++++++++++++++++++++++
 charts/nextcloud/files/nginx.config.tpl | 15 +++++--------
 charts/nextcloud/values.yaml | 18 +++++++++++++++
 4 files changed, 53 insertions(+), 11 deletions(-)
diff --git a/charts/nextcloud/Chart.yaml b/charts/nextcloud/Chart.yaml
index f6001abb..5ee041d3 100644
--- a/charts/nextcloud/Chart.yaml
+++ b/charts/nextcloud/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: nextcloud
-version: 6.1.1
+version: 6.2.0
 appVersion: 30.0.1
 description: A file sharing server that puts the control and security of your own data back into your hands.
 keywords:
diff --git a/charts/nextcloud/README.md b/charts/nextcloud/README.md
index d0650f5b..1339a202 100644
--- a/charts/nextcloud/README.md
+++ b/charts/nextcloud/README.md
@@ -20,6 +20,7 @@ helm install my-release nextcloud/nextcloud
 * [Object Storage as Primary Storage Configuration](#object-storage-as-primary-storage-configuration)
 * [Persistence Configurations](#persistence-configurations)
 * [Metrics Configurations](#metrics-configurations)
+ * [Headers set on nginx](#headers-set-on-nginx)
 * [Probes Configurations](#probes-configurations)
 * [Cron jobs](#cron-jobs)
 * [Using the nextcloud docker image auto-configuration via env vars](#using-the-nextcloud-docker-image-auto-configuration-via-env-vars)
@@ -399,6 +400,34 @@ helm install --name my-release -f values.yaml nextcloud/nextcloud
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
 
+### Headers set on NGINX
+
+It is possible to set any additional header
+
+| Parameter | Description | Default |
+|------------------------------|-------------------------------------|-----------|
+| `nginx.config.headers.` | Headers which are added with nginx | |
+
+
+Following keys are already set with this values:
+ - Referrer-Policy: `no-referrer`
+ - X-Content-Type-Options: `nosniff`
+ - X-Download-Options: `noopen`
+ - X-Frame-Options: `SAMEORIGIN`
+ - X-Permitted-Cross-Domain-Policies: `none`
+ - X-Robots-Tag: `noindex, nofollow`
+ - X-XSS-Protection: `1; mode=block`
+
+Maybe you like to set:
+ - Strict-Transport-Security: `max-age=15768000; includeSubDomains; preload;`
+> [!WARNING]
+> Only add the preload option once you read about
+> the consequences in https://hstspreload.org/. This option
+> will add the domain to a hardcoded list that is shipped
+> in all major browsers and getting removed from this list
+> could take several months.
+
+
 ### Probes Configurations
 
 The nextcloud deployment includes a series of different probes you can use to determine if a pod is ready or not. You can learn more in the [Configure Liveness, Readiness and Startup Probes Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/).
diff --git a/charts/nextcloud/files/nginx.config.tpl b/charts/nextcloud/files/nginx.config.tpl
index 59d68f35..93b9e906 100644
--- a/charts/nextcloud/files/nginx.config.tpl
+++ b/charts/nextcloud/files/nginx.config.tpl
@@ -20,7 +20,11 @@ server {
 # will add the domain to a hardcoded list that is shipped
 # in all major browsers and getting removed from this list
 # could take several months.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+ {{- range $name, $value := .Values.nginx.config.headers }}
+ {{- if $value }}
+ add_header {{ $name }} {{ $value | quote }} always;
+ {{- end }}
+ {{- end }}
 
 # set max upload size
 client_max_body_size 10G;
@@ -38,15 +42,6 @@ server {
 # with the `ngx_pagespeed` module, uncomment this line to disable it.
 #pagespeed off;
 
- # HTTP response headers borrowed from Nextcloud `.htaccess`
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "noindex, nofollow" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
 
diff --git a/charts/nextcloud/values.yaml b/charts/nextcloud/values.yaml
index 7acc2ff1..92e7cc91 100644
--- a/charts/nextcloud/values.yaml
+++ b/charts/nextcloud/values.yaml
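Review bot: The comment block left above the new `range` (it starts before the hunk, ending at `# could take several months.`) is the HSTS-preload warning, but it now sits over a loop that emits every entry of `.Values.nginx.config.headers`, so the rendered config warns about preload directly above Referrer-Policy and friends; since the warning already lives in values.yaml and the README, this comment should describe the loop instead, e.g. `# Response headers from .Values.nginx.config.headers; an entry with an empty value is not emitted.` A second point worth a comment here: these `add_header` directives are emitted in the `server {}` context, and nginx inherits `add_header` into a `location` only when that location declares none of its own, so any location block further down with its own `add_header` (outside this hunk, if one exists) silently loses all of these, HSTS included. `{{ $name }}` is rendered unquoted, so a key containing whitespace produces a broken directive at nginx start rather than a template error; the keys are operator-supplied, so a one-line note on that constraint is enough. The second hunk is a pure removal of the old static header list and needs nothing further; the enclosing `server` block starts before and ends after both hunks.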
@@ -331,6 +331,24 @@ nginx:
 config:
 # This generates the default nginx config as per the nextcloud documentation
 default: true
+ headers:
+ # -- HSTS settings
+ # WARNING: Only add the preload option once you read about
+ # the consequences in https://hstspreload.org/. This option
+ # will add the domain to a hardcoded list that is shipped
+ # in all major browsers and getting removed from this list
+ # could take several months.
+ # Example:
+ # "Strict-Transport-Security": "max-age=15768000; includeSubDomains; preload;"
+ "Strict-Transport-Security": ""
+ "Referrer-Policy": "no-referrer"
+ "X-Content-Type-Options": "nosniff"
+ "X-Download-Options": "noopen"
+ "X-Frame-Options": "SAMEORIGIN"
+ "X-Permitted-Cross-Domain-Policies": "none"
+ "X-Robots-Tag": "noindex, nofollow"
+ "X-XSS-Protection": "1; mode=block"
+
 custom:
 # custom: |-
 # worker_processes 1;..
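Review bot: The `# -- HSTS settings` comment on `headers:` documents only one entry, while the behaviour a user most needs to know about the whole map is undocumented: the template skips falsy values, so setting one of the default entries to `""` is the only way to drop it, which is also why `Strict-Transport-Security` defaults to the empty string. Suggest replacing that first line with `# -- Response headers nginx adds with "add_header ... always"; set a value to "" to omit that header` and keeping the existing preload warning underneath it. The example value is also worth a short caveat that `includeSubDomains` commits every subdomain of the Nextcloud host to HTTPS, not just the chart's own ingress, which matters when other services share the domain. The `nginx.config` mapping continues past the hunk (`custom:`), and the trailing `..` after `# worker_processes 1;` looks like page truncation rather than file content.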