Nginx: rework CSP config to use ENV vars

djbe · djbe · commit a7c1204434ea · 2025-03-03T02:23:47.000+01:00
diff --git a/.github/workflows/build-and-publish-nuxt-base.yml b/.github/workflows/build-and-publish-nuxt-base.yml
@@ -22,13 +22,8 @@ jobs:
         info:
           - version: lts
             node: lts
-            target: secure
-          - version: lts-unsecured
-            node: lts
-            target: unsecured
     with:
       image: nuxt-base
       version: ${{ matrix.info.version }}
-      target: ${{ matrix.info.target }}
       build-args: |
         NODE_VERSION=${{ matrix.info.node }}
diff --git a/.github/workflows/build-and-publish-web-base.yml b/.github/workflows/build-and-publish-web-base.yml
@@ -21,10 +21,6 @@ jobs:
       matrix:
         info:
           - version: latest
-            target: secure
-          - version: latest-unsecured
-            target: unsecured
     with:
       image: web-base
       version: ${{ matrix.info.version }}
-      target: ${{ matrix.info.target }}
diff --git a/README.md b/README.md
@@ -12,6 +12,38 @@ Changes to this repository will trigger a build and push to GitHub packages auto
 
 Images with `nginx` can be configured using the following environment variables.
 
+### Content Security Policy
+
+Fetch:
+
+| Environment Key | Applied | Description | Default |
+------------------|---------|------------------------
+| NGINX_CSP_CHILD_SRC | Every run | Allowed children (workers, frames) | |
+| NGINX_CSP_CONNECT_SRC | Every run | Allowed connections (socket, xhr, …) | |
+| NGINX_CSP_FONT_SRC | Every run | Allowed fonts | |
+| NGINX_CSP_FRAME_SRC | Every run | Allowed iframes | |
+| NGINX_CSP_IMG_SRC | Every run | Allowed images | `https:` |
+| NGINX_CSP_MANIFEST_SRC | Every run | Allowed manifests | |
+| NGINX_CSP_MEDIA_SRC | Every run | Allowed media | `https:` |
+| NGINX_CSP_OBJECT_SRC | Every run | Allowed embeds | |
+| NGINX_CSP_SCRIPT_SRC | Every run | Allowed scripts | |
+| NGINX_CSP_STYLE_SRC | Every run | Allowed styles | |
+| NGINX_CSP_WORKER_SRC | Every run | Allowed workers | |
+
+Navigation:
+
+| Environment Key | Applied | Description | Default |
+------------------|---------|------------------------
+| NGINX_FRAME_OPTIONS | Every run | Possible embedders, deprecated. Note that setting to `disable` removes the header completely. | `deny` |
+| NGINX_CSP_FRAME_ANCESTORS | Every run | Possible embedders | `none` |
+| NGINX_CSP_FORM_ACTION | Every run | Form submit action | |
+
+Reporting:
+
+| Environment Key | Applied | Description | Default |
+------------------|---------|------------------------
+| NGINX_CSP_REPORT_URI | Every run | Set to Sentry CSP reporting URI | |
+
 ### Robots
 
 | Environment Key | Applied | Description | Default |
diff --git a/common/config/nginx/site-mods-available.d/headers-extra-security.conf b/common/config/nginx/site-mods-available.d/headers-extra-security.conf
diff --git a/common/config/nginx/site-mods-enabled.d/headers-extra-security.conf b/common/config/nginx/site-mods-enabled.d/headers-extra-security.conf
diff --git a/common/scripts/startup/env-configure-security.sh b/common/scripts/startup/env-configure-security.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env sh
+
+set -euo pipefail
+
+# Configure nginx security based on ENV vars
+#
+# Inputs:
+# - NGINX_CSP_CHILD_SRC: defaults to ''
+# - NGINX_CSP_CONNECT_SRC: defaults to ''
+# - NGINX_CSP_FONT_SRC: defaults to ''
+# - NGINX_CSP_FORM_ACTION: defaults to ''
+# - NGINX_CSP_FRAME_ANCESTORS: defaults to 'none'
+# - NGINX_CSP_FRAME_SRC: defaults to ''
+# - NGINX_CSP_IMG_SRC: defaults to 'https:'
+# - NGINX_CSP_MANIFEST_SRC: defaults to ''
+# - NGINX_CSP_MEDIA_SRC: defaults to 'https:'
+# - NGINX_CSP_OBJECT_SRC: defaults to ''
+# - NGINX_CSP_REPORT_URI: defaults to ''
+# - NGINX_CSP_SCRIPT_SRC: defaults to ''
+# - NGINX_CSP_STYLE_SRC: defaults to ''
+# - NGINX_CSP_WORKER_SRC: defaults to ''
+# - NGINX_FRAME_OPTIONS: defaults to 'deny', note that setting to `disable` removes the header completely.
+
+# Set defaults
+NGINX_CSP_CHILD_SRC="${NGINX_CSP_CHILD_SRC:-}"
+NGINX_CSP_CONNECT_SRC="${NGINX_CSP_CONNECT_SRC:-}"
+NGINX_CSP_FONT_SRC="${NGINX_CSP_FONT_SRC:-}"
+NGINX_CSP_FORM_ACTION="${NGINX_CSP_FORM_ACTION:-}"
+NGINX_CSP_FRAME_ANCESTORS="${NGINX_CSP_FRAME_ANCESTORS:-'none'}"
+NGINX_CSP_FRAME_SRC="${NGINX_CSP_FRAME_SRC:-}"
+NGINX_CSP_IMG_SRC="${NGINX_CSP_IMG_SRC:-https:}"
+NGINX_CSP_MANIFEST_SRC="${NGINX_CSP_MANIFEST_SRC:-}"
+NGINX_CSP_MEDIA_SRC="${NGINX_CSP_MEDIA_SRC:-https:}"
+NGINX_CSP_OBJECT_SRC="${NGINX_CSP_OBJECT_SRC:-}"
+NGINX_CSP_REPORT_URI="${NGINX_CSP_REPORT_URI:-}"
+NGINX_CSP_SCRIPT_SRC="${NGINX_CSP_SCRIPT_SRC:-}"
+NGINX_CSP_STYLE_SRC="${NGINX_CSP_STYLE_SRC:-}"
+NGINX_CSP_WORKER_SRC="${NGINX_CSP_WORKER_SRC:-}"
+NGINX_FRAME_OPTIONS="${NGINX_FRAME_OPTIONS:-deny}"
+
+if [ -d /etc/nginx/site-mods-enabled.d/ ]; then
+  # nginx frame options header
+  if [ "${NGINX_FRAME_OPTIONS}" != 'disable' ]; then
+    echo "Nginx: configuring frame options with '${NGINX_FRAME_OPTIONS}'…"
+    cat <<EOF > /etc/nginx/site-mods-enabled.d/00-generated-security.conf
+add_header 'X-Frame-Options' '${NGINX_FRAME_OPTIONS}' always;
+EOF
+  fi
+
+  # nginx content policy
+  echo "Nginx: configuring content security policy…"
+  cat <<EOF >> /etc/nginx/site-mods-enabled.d/00-generated-security.conf
+add_header 'Content-Security-Policy' "\
+default-src 'self'; \
+child-src 'self' data: blob: ${NGINX_CSP_CHILD_SRC}; \
+connect-src 'self' data: blob: ${NGINX_CSP_CONNECT_SRC}; \
+font-src 'self' ${NGINX_CSP_FONT_SRC}; \
+form-action 'self' ${NGINX_CSP_FORM_ACTION}; \
+frame-ancestors ${NGINX_CSP_FRAME_ANCESTORS}; \
+frame-src 'self' ${NGINX_CSP_FRAME_SRC}; \
+img-src 'self' data: blob: ${NGINX_CSP_IMG_SRC}; \
+manifest-src 'self' data: blob: ${NGINX_CSP_MANIFEST_SRC}; \
+media-src 'self' ${NGINX_CSP_MEDIA_SRC}; \
+object-src 'self' ${NGINX_CSP_OBJECT_SRC}; \
+script-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: ${NGINX_CSP_SCRIPT_SRC}; \
+style-src 'self' 'unsafe-inline' ${NGINX_CSP_STYLE_SRC}; \
+worker-src 'self' data: blob: ${NGINX_CSP_WORKER_SRC}; \
+report-uri ${NGINX_CSP_REPORT_URI}; \
+";
+EOF
+fi
diff --git a/nuxt-base/Dockerfile b/nuxt-base/Dockerfile
@@ -26,26 +26,9 @@ COPY common/scripts/ nuxt-base/scripts/ /scripts/
 WORKDIR /app/www
 RUN chown -R nobody:nobody /scripts /app/www /run /var/lib/nginx /var/log/nginx /etc/nginx/site-mods-enabled.d \
   && addgroup nobody tty
+USER nobody
 EXPOSE 8080
 
 # Start supervisord by default
 ENTRYPOINT ["/scripts/docker-entrypoint.sh"]
 CMD ["serve"]
-
-#
-# --- Variant: Unsecured ---
-#
-
-FROM base AS unsecured
-
-RUN rm /etc/nginx/site-mods-enabled.d/headers-extra-security.conf
-
-USER nobody
-
-#
-# --- Variant: Secure (default) ---
-#
-
-FROM base AS secure
-
-USER nobody
diff --git a/web-base/Dockerfile b/web-base/Dockerfile
@@ -41,17 +41,3 @@ EXPOSE 80
 # Start supervisord by default
 ENTRYPOINT ["/scripts/docker-entrypoint.sh"]
 CMD ["serve"]
-
-#
-# --- Variant: Unsecured ---
-#
-
-FROM base AS unsecured
-
-RUN rm /etc/nginx/site-mods-enabled.d/headers-extra-security.conf
-
-#
-# --- Variant: Secure (default) ---
-#
-
-FROM base AS secure
