refactor(nginx): headers and proxy vars

2026-02-09 12:29:19 -08:00 · 2024-04-23 11:20:19 -07:00 · 2024-04-23 11:20:19 -07:00 · 418caefe64
commit 418caefe64
parent 692d3aacbd
6 changed files with 154 additions and 37 deletions
--- a/nixos/access/freepbx.nix
+++ b/nixos/access/freepbx.nix
@ -37,11 +37,9 @@ in {
          proxy = {
            enable = true;
            websocket.enable = true;
+            headers.hide.Access-Control-Allow-Origin = true;
          };
-          extraConfig = ''
-            proxy_hide_header Access-Control-Allow-Origin;
-            add_header Access-Control-Allow-Origin ${xvars.get.scheme}://${virtualHost.serverName};
-          '';
+          headers.set.Access-Control-Allow-Origin = "${xvars.get.scheme}://${virtualHost.serverName}";
        };
      };
      allLocations = mkMerge [
--- a/nixos/access/invidious.nix
+++ b/nixos/access/invidious.nix
@ -40,11 +40,10 @@ in {
        proxy = {
          enable = true;
          websocket.enable = true;
-          headers.enableRecommended = true;
+          headers.hide.content-security-policy = true;
        };
+        headers.set.content-security-policy = contentSecurityPolicy;
        extraConfig = ''
-          proxy_hide_header content-security-policy;
-          add_header content-security-policy "${contentSecurityPolicy}";
          proxy_cookie_domain ${virtualHosts.invidious.serverName} ${xvars.get.host};
        '';
      };
--- a/nixos/nginx.nix
+++ b/nixos/nginx.nix
@ -16,19 +16,21 @@ with lib; {
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = false;
+    headers.set = {
+      Referrer-Policy = mkDefault "origin-when-cross-origin";
+      #Strict-Transport-Security = "$hsts_header";
+      #Content-Security-Policy = ''"script-src 'self'; object-src 'none'; base-uri 'none';" always'';
+      #X-Frame-Options = "DENY";
+      #X-Content-Type-Options = "nosniff";
+      #X-XSS-Protection = "1; mode=block";
+    };
    commonHttpConfig = ''
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
-      #add_header Strict-Transport-Security $hsts_header;
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
-      #add_header X-Frame-Options DENY;
-      #add_header X-Content-Type-Options nosniff;
-      #add_header X-XSS-Protection "1; mode=block";
      #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
-    clientMaxBodySize = "512m";
+    clientMaxBodySize = mkDefault "512m";
    virtualHosts.fallback = {
      serverName = null;
      default = mkDefault true;