mirror of https://github.com/MISP/misp-docker
add security settings for nginx (#159)
Co-authored-by: diegolamaral <diego.arruda.amaral@gmail.com>pull/170/head
parent
31db79c0df
commit
754220879b
|
@ -226,6 +226,47 @@ init_nginx() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Adjust Content-Security-Policy
|
||||||
|
echo "... adjusting Content-Security-Policy"
|
||||||
|
# Remove any existing CSP header
|
||||||
|
sed -i '/add_header Content-Security-Policy/d' /etc/nginx/includes/misp
|
||||||
|
|
||||||
|
if [[ -n "$CONTENT_SECURITY_POLICY" ]]; then
|
||||||
|
# If $CONTENT_SECURITY_POLICY is set, add CSP header
|
||||||
|
echo "... setting Content-Security-Policy to '$CONTENT_SECURITY_POLICY'"
|
||||||
|
sed -i "/add_header X-Download-Options/a add_header Content-Security-Policy \"$CONTENT_SECURITY_POLICY\";" /etc/nginx/includes/misp
|
||||||
|
else
|
||||||
|
# Otherwise, do not add any CSP headers
|
||||||
|
echo "... no Content-Security-Policy header will be set as CONTENT_SECURITY_POLICY is not defined"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Adjust X-Frame-Options
|
||||||
|
echo "... adjusting X-Frame-Options"
|
||||||
|
# Remove any existing X-Frame-Options header
|
||||||
|
sed -i '/add_header X-Frame-Options/d' /etc/nginx/includes/misp
|
||||||
|
|
||||||
|
if [[ -z "$X_FRAME_OPTIONS" ]]; then
|
||||||
|
echo "... setting 'X-Frame-Options SAMEORIGIN'"
|
||||||
|
sed -i "/add_header X-Download-Options/a add_header X-Frame-Options \"SAMEORIGIN\" always;" /etc/nginx/includes/misp
|
||||||
|
else
|
||||||
|
echo "... setting 'X-Frame-Options $X_FRAME_OPTIONS'"
|
||||||
|
sed -i "/add_header X-Download-Options/a add_header X-Frame-Options \"$X_FRAME_OPTIONS\";" /etc/nginx/includes/misp
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Adjust HTTP Strict Transport Security (HSTS)
|
||||||
|
echo "... adjusting HTTP Strict Transport Security (HSTS)"
|
||||||
|
# Remove any existing HSTS header
|
||||||
|
sed -i '/add_header Strict-Transport-Security/d' /etc/nginx/includes/misp
|
||||||
|
|
||||||
|
if [[ -n "$HSTS_MAX_AGE" ]]; then
|
||||||
|
# If $HSTS_MAX_AGE is defined, add the HSTS header
|
||||||
|
echo "... setting HSTS to 'max-age=$HSTS_MAX_AGE; includeSubdomains'"
|
||||||
|
sed -i "/add_header X-Download-Options/a add_header Strict-Transport-Security \"max-age=$HSTS_MAX_AGE; includeSubdomains\";" /etc/nginx/includes/misp
|
||||||
|
else
|
||||||
|
# Otherwise, do nothing, keeping without the HSTS header
|
||||||
|
echo "... no HSTS header will be set as HSTS_MAX_AGE is not defined"
|
||||||
|
fi
|
||||||
|
|
||||||
# Testing for files also test for links, and generalize better to mounted files
|
# Testing for files also test for links, and generalize better to mounted files
|
||||||
if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
|
if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
|
||||||
echo "... enabling port 80 redirect"
|
echo "... enabling port 80 redirect"
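Review bot: The `always` flag is set only on the default X-Frame-Options header; the CSP, custom X-Frame-Options and HSTS lines inserted via `sed -i "/add_header X-Download-Options/a ..."` omit it, so nginx emits those headers only on 2xx/3xx responses and error pages are served without CSP or HSTS. Append `always` to all three, i.e. `add_header Content-Security-Policy \"$CONTENT_SECURITY_POLICY\" always;`, `add_header X-Frame-Options \"$X_FRAME_OPTIONS\" always;` and `add_header Strict-Transport-Security \"max-age=$HSTS_MAX_AGE; includeSubdomains\" always;`. The environment values are spliced verbatim into both the sed script and the nginx config, so a `"`, backslash or newline in CONTENT_SECURITY_POLICY or X_FRAME_OPTIONS yields a broken config or a different sed command; at minimum guard the numeric one with `[[ "$HSTS_MAX_AGE" =~ ^[0-9]+$ ]]` before the HSTS branch and document that the other two are trusted operator configuration. All three inserts also presume `/etc/nginx/includes/misp` still contains an `add_header X-Download-Options` line; if it does not, the sed runs insert nothing and the only trace is the misleading "... setting" log line. init_nginx() begins before this hunk.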
|
||||||
|
|
|
@ -193,6 +193,10 @@ services:
|
||||||
- "PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}"
|
- "PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}"
|
||||||
- "PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}"
|
- "PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}"
|
||||||
- "PHP_MAX_INPUT_TIME:${PHP_MAX_INPUT_TIME:-300}"
|
- "PHP_MAX_INPUT_TIME:${PHP_MAX_INPUT_TIME:-300}"
|
||||||
|
# Security Settings
|
||||||
|
- "HSTS_MAX_AGE=${HSTS_MAX_AGE}"
|
||||||
|
- "X_FRAME_OPTIONS=${X_FRAME_OPTIONS}"
|
||||||
|
- "CONTENT_SECURITY_POLICY=${CONTENT_SECURITY_POLICY}"
|
||||||
|
|
||||||
misp-modules:
|
misp-modules:
|
||||||
image: ghcr.io/misp/misp-docker/misp-modules:${MODULES_RUNNING_TAG:-latest}
|
image: ghcr.io/misp/misp-docker/misp-modules:${MODULES_RUNNING_TAG:-latest}
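Review bot: The three new environment entries pass `${HSTS_MAX_AGE}`, `${X_FRAME_OPTIONS}` and `${CONTENT_SECURITY_POLICY}` through without the `:-` default the surrounding PHP_* lines use, so Compose prints a "variable is not set" warning for each one missing from .env. The entrypoint treats an empty value the same as unset, so `- "HSTS_MAX_AGE=${HSTS_MAX_AGE:-}"`, `- "X_FRAME_OPTIONS=${X_FRAME_OPTIONS:-}"` and `- "CONTENT_SECURITY_POLICY=${CONTENT_SECURITY_POLICY:-}"` preserve the behaviour without the noise. The `services:` block continues outside this hunk.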
|
||||||
|
|
12
template.env
12
template.env
|
@ -199,3 +199,15 @@ SYNCSERVERS_1_PULL_RULES=
|
||||||
# NGINX_X_FORWARDED_FOR=true
|
# NGINX_X_FORWARDED_FOR=true
|
||||||
# Comma separated list of trusted IP addresses
|
# Comma separated list of trusted IP addresses
|
||||||
# NGINX_SET_REAL_IP_FROM=127.0.0.1
|
# NGINX_SET_REAL_IP_FROM=127.0.0.1
|
||||||
|
|
||||||
|
# Security Settings
|
||||||
|
# Maximum time (in seconds) for HSTS (HTTP Strict Transport Security), ensures HTTPS is used.
|
||||||
|
HSTS_MAX_AGE=
|
||||||
|
|
||||||
|
# X-Frame-Options policy configuration: controls whether the site can be embedded in frames or iframes.
|
||||||
|
# Options: DENY, SAMEORIGIN, ALLOW-FROM <URL> Default: SAMEORIGIN
|
||||||
|
X_FRAME_OPTIONS=""
|
||||||
|
|
||||||
|
# Content-Security-Policy (CSP) configuration: defines allowed resources and prevents attacks like XSS.
|
||||||
|
# Example: "frame-src 'self' https://*.example.com; frame-ancestors 'self' https://*.example.com; object-src 'none'; report-uri https://example.com/cspReport"
|
||||||
|
CONTENT_SECURITY_POLICY=""
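Review bot: The `X_FRAME_OPTIONS` comment offers `ALLOW-FROM <URL>` as an option, but that directive is obsolete and ignored by current browsers, so a deployment relying on it ends up with no framing restriction at all; point readers to `frame-ancestors` in CONTENT_SECURITY_POLICY instead, e.g. `# Options: DENY, SAMEORIGIN (ALLOW-FROM is obsolete; use frame-ancestors in CONTENT_SECURITY_POLICY instead). Default: SAMEORIGIN`. The HSTS comment should also state that the entrypoint appends `includeSubdomains` to the header, since that extends the policy to every subdomain of the MISP host and is not configurable here. Finally, note on the CSP and X-Frame-Options entries that the value is placed into the nginx config verbatim, so it must not contain a double quote.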
|
||||||
|
|