author | Timo Wilken | 2024-08-27 16:30:45 +0200 |
---|---|---|
committer | Timo Wilken | 2024-08-27 16:30:45 +0200 |
commit | 60900e534e3360db515f0fe5f347b291d60ce3e3 (patch) | |
tree | bead25300540c5557b3726d5dde9e9427314c06e /tw/services/nextcloud.scm | |
parent | a221060661dee87ca20f4a17d9c0774b10b022e1 (diff) |
Fix response headers for Nextcloud assets
https://github.com/nextcloud/documentation/commit/4ef607d350aa6f19f07ebe2fb0b8e3951248649f
Diffstat (limited to 'tw/services/nextcloud.scm')
-rw-r--r-- | tw/services/nextcloud.scm | 37 |
1 files changed, 24 insertions, 13 deletions
diff --git a/tw/services/nextcloud.scm b/tw/services/nextcloud.scm
index 0a78fcaf..e9a99b5e 100644
--- a/tw/services/nextcloud.scm
+++ b/tw/services/nextcloud.scm
@@ -158,6 +158,19 @@ opcache.revalidate_freq=120
 (with-exception-handler (cut cleanup #:rethrow <>) main) (cleanup))))
+(define nextcloud-default-headers
+ ;; HTTP response headers borrowed from Nextcloud `.htaccess`
+ (map (match-lambda
+ ((hdr . value)
+ `("add_header " ,hdr " \"" ,value "\" always;")))
+ '(("Referrer-Policy" . "no-referrer")
+ ("Strict-Transport-Security" . "max-age=15552000")
+ ("X-Content-Type-Options" . "nosniff")
+ ("X-Frame-Options" . "SAMEORIGIN")
+ ("X-Permitted-Cross-Domain-Policies" . "none")
+ ("X-Robots-Tag" . "noindex, nofollow")
+ ("X-XSS-Protection" . "1; mode=block"))))
+
 (define-public %nextcloud-services (list (simple-service 'nextcloud-https-server nginx-service-type ;; https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
@@ -192,17 +205,7 @@ opcache.revalidate_freq=120
 "image/x-icon text/cache-manifest text/css text/plain text/vcard text/vtt " "text/vnd.rim.location.xloc text/x-component text/x-cross-domain-policy;"
- ;; HTTP response headers borrowed from Nextcloud `.htaccess`
- ,@(map (match-lambda
- ((hdr . value)
- `("add_header " ,hdr " \"" ,value "\" always;")))
- '(("Referrer-Policy" . "no-referrer")
- ("Strict-Transport-Security" . "max-age=15552000")
- ("X-Content-Type-Options" . "nosniff")
- ("X-Frame-Options" . "SAMEORIGIN")
- ("X-Permitted-Cross-Domain-Policies" . "none")
- ("X-Robots-Tag" . "noindex, nofollow")
- ("X-XSS-Protection" . "1; mode=block")))
+ ,@nextcloud-default-headers
 ;; Remove X-Powered-By, which is an information leak "fastcgi_hide_header X-Powered-By;"
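Review bot: The comment on the new `nextcloud-default-headers` definition (first hunk) only records where the values came from, not when the list has to be spliced into a body. nginx inherits `add_header` from the enclosing level only while the current block has no `add_header` of its own, so a location that sets a single header stops sending HSTS, `nosniff` and `X-Frame-Options` unless it repeats them. I would extend the comment with `;; Splice into every block that has its own add_header; nginx does not inherit add_header into such a block.` so the rule is stated at the definition rather than only at one call site.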
@@ -270,8 +273,16 @@ opcache.revalidate_freq=120
 (nginx-location-configuration (uri "~ \\.(?:css|js|mjs|svg|gif|ico|png|jpg|png|webp|wasm|tflite|map|ogg|flac)$")
- (body '("try_files $uri /index.php$request_uri;"
- "add_header Cache-Control \"public, max-age=15778463, immutable\";")))
+ (body `("try_files $uri /index.php$request_uri;"
+ ;; The upstream configuration adds an "immutable"
+ ;; to this header if the original request had a
+ ;; ?v= flag, but then we would need to add a map{}
+ ;; to the nginx-configuration's extra-content.
+ "add_header Cache-Control \"public, max-age=15778463\";"
+ ;; Nginx resets any headers in a response block,
+ ;; if it contains even a single add_header line.
+ ;; We need to re-add the default headers.
+ ,@nextcloud-default-headers)))
 (nginx-location-configuration (uri "~ \\.woff2?$") (body '("try_files $uri /index.php$request_uri;" "expires 7d;"))) |
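Review bot: The security headers are re-added by hand for this one asset location, and nothing visible in the hunk covers other location bodies in `%nextcloud-services` that might carry their own `add_header`. The `\.woff2?` location shown as context uses only `expires`, which is a separate directive and should leave `add_header` inheritance intact. Any location outside this hunk that does add a header would still answer without HSTS and `X-Content-Type-Options`, so it is worth searching the file for `add_header` and splicing `,@nextcloud-default-headers` there too. Checking the response headers of one static asset after deployment would confirm the fix.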