From aec610120e723aeaf91b046295ae24252406ea7d Mon Sep 17 00:00:00 2001 From: Sebastian Leidig Date: Tue, 21 Sep 2021 15:50:12 +0200 Subject: [PATCH 01/14] fix(core): add CSP headers for security closes #312, closes #950 --- build/default.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/build/default.conf b/build/default.conf index d38723fd83..f6e3cbbf2b 100644 --- a/build/default.conf +++ b/build/default.conf @@ -7,6 +7,10 @@ server { root /usr/share/nginx/html; + add_header Content-Security-Policy-Report-Only "default-src 'self'; frame-ancestors 'self' ${CSP_FRAME_ALLOW}; report-uri ${CSP_REPORT_URI}"; + add_header X-Frame-Options: SAMEORIGIN; # only applies in older browsers, CSP frame-ancestors takes prevalence https://stackoverflow.com/a/40417609/1473411 + add_header X-Content-Type-Options: nosniff; + # Catch requests to the (locale) assets folder and add fallback to super-folder # E.g. if '/en-US/assets/config.json' doesn't exist, try '/assets/config.json' location ~* ^/.+/assets/(.+)$ { From 4b5a562e94de101e651a2131e46bc22333ab6ecd Mon Sep 17 00:00:00 2001 From: Sebastian Leidig Date: Wed, 22 Sep 2021 18:17:31 +0200 Subject: [PATCH 02/14] WIP: CSP and sentry via reverse-proxy --- build/Dockerfile | 9 ++++++++- build/README.md | 8 ++++++++ build/default.conf | 8 +++++++- proxy.conf.json | 6 ++++++ src/app/app.module.ts | 4 +++- src/environments/environment.ts | 2 +- 6 files changed, 33 insertions(+), 4 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 5d531d8101..71044f151b 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
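Review bot: The two new `add_header` lines in build/default.conf carry a colon inside the header name (`add_header X-Frame-Options: SAMEORIGIN;` and `add_header X-Content-Type-Options: nosniff;`); nginx's `add_header` takes `name value`, so the colon becomes part of the name and browsers will not recognise either header, which leaves the clickjacking and MIME-sniffing protections this commit is meant to add ineffective. They should read `add_header X-Frame-Options SAMEORIGIN;` and `add_header X-Content-Type-Options nosniff;` (optionally with the `always` parameter so error responses carry them too). The same two lines survive unchanged as context in PATCH 02, 05, 07 and 10, so no later commit in the series fixes this.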
@@ -62,6 +62,13 @@ ENV WEBDAV_URL="http://localhost" ENV COUCHDB_URL="http://localhost" # The language which should be loaded on default options are "en-US" and "de" ENV DEFAULT_LANGUAGE="en-US" + +# url to be reverse-proxied for logging endpoint (e.g. sentry.io) +ENV LOGGING_URL="" + +ENV CSP_SRC_ALLOW="" +ENV CSP_FRAME_ALLOW="" +ENV CSP_REPORT_URI="" # variables are inserted into the nginx config -CMD envsubst '$$PORT $$WEBDAV_URL $$COUCHDB_URL $$DEFAULT_LANGUAGE' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ +CMD envsubst '$$PORT $$WEBDAV_URL $$COUCHDB_URL $$DEFAULT_LANGUAGE $$LOGGING_URL $$CSP_SRC_ALLOW $$CSP_FRAME_ALLOW $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ nginx -g 'daemon off;' diff --git a/build/README.md b/build/README.md index 34ca842c4c..75f6fa1e4d 100644 --- a/build/README.md +++ b/build/README.md @@ -10,6 +10,14 @@ for every official (tagged) build. ## How to build & publish a new image You can simply create a new git tag and the CI setup will build and publish a docker image for that version. +## Building locally +Run the following commands from the root folder to build, run and kill the application on your local machine: +``` +docker build -f build/Dockerfile -t aam/digital:latest . +docker run -p=80:80 aam/digital:latest +docker kill aam-digital +``` + ## How does the official release process work? We use [semantic-release](https://github.com/semantic-release/semantic-release) to automatically create new versions. Our process roughly follows the [GitFlow](https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow) process, diff --git a/build/default.conf b/build/default.conf index f6e3cbbf2b..353aa72f60 100644 --- a/build/default.conf +++ b/build/default.conf 
@@ -7,7 +7,7 @@ server { root /usr/share/nginx/html; - add_header Content-Security-Policy-Report-Only "default-src 'self'; frame-ancestors 'self' ${CSP_FRAME_ALLOW}; report-uri ${CSP_REPORT_URI}"; + add_header Content-Security-Policy-Report-Only "default-src 'self' ${CSP_SRC_ALLOW}; frame-ancestors 'self' ${CSP_FRAME_ALLOW}; trusted-types angular; require-trusted-types-for 'script'; report-uri ${CSP_REPORT_URI}"; add_header X-Frame-Options: SAMEORIGIN; # only applies in older browsers, CSP frame-ancestors takes prevalence https://stackoverflow.com/a/40417609/1473411 add_header X-Content-Type-Options: nosniff; @@ -56,5 +56,11 @@ server { rewrite /webdav/(.*) /$1 break; proxy_pass ${WEBDAV_URL}; } + + location /logging { + rewrite /logging/(.*) /$1 break; + add_header Content-Type: application/x-sentry-envelope; + proxy_pass ${LOGGING_URL}; + } } diff --git a/proxy.conf.json b/proxy.conf.json index 93402e8153..1c7c11d31e 100644 --- a/proxy.conf.json +++ b/proxy.conf.json @@ -5,6 +5,12 @@ "logLevel": "debug", "changeOrigin": true }, + "/logging": { + "target": "http://localhost:81", + "secure": true, + "logLevel": "debug", + "changeOrigin": true + }, "/nextcloud": { "target": "https://nextcloud.aam-digital.com/remote.php/webdav", "secure": true, diff --git a/src/app/app.module.ts b/src/app/app.module.ts index 072c96af76..ffe43bd04a 100644 --- a/src/app/app.module.ts +++ b/src/app/app.module.ts @@ -163,6 +163,8 @@ export class AppModule {} // Initialize remote logging LoggingService.initRemoteLogging({ + dsn: environment.remoteLoggingDsn, - whitelistUrls: [/https?:\/\/(.*)\.?aam-digital\.com/], + tunnel: "/logging", + //TODO: reactivate before merge //whitelistUrls: [/https?:\/\/(.*)\.?aam-digital\.com/], }); diff --git a/src/environments/environment.ts b/src/environments/environment.ts index cd0e7a99f6..3f2a55b4e9 100644 --- a/src/environments/environment.ts +++ b/src/environments/environment.ts 
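Review bot: The `add_header Content-Type: application/x-sentry-envelope;` inside the new `location /logging` block has two problems: the header name again contains a colon (nginx `add_header` syntax is `name value`), and an `add_header` at location level replaces every `add_header` inherited from the `server` block, so responses under /logging would go out without the CSP, X-Frame-Options and X-Content-Type-Options headers. A proxied upstream sets its own Content-Type, so the line should simply be dropped; if a location ever needs a header of its own, the server-level ones must be repeated inside it. With the Dockerfile default `LOGGING_URL=""`, envsubst turns `proxy_pass ${LOGGING_URL};` into `proxy_pass ;`, which nginx rejects at startup, so the default needs a valid URL or the block needs to be conditional. The block is removed again in PATCH 04, so for the final configuration only the inheritance caveat remains relevant.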
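Review bot: Removing `whitelistUrls: [/https?:\/\/(.*)\.?aam-digital\.com/]` from the `LoggingService.initRemoteLogging` call drops the only filter that keeps Sentry from ingesting errors raised by third-party or injected scripts, and the `//TODO: reactivate before merge` reminder is itself deleted in PATCH 04 (src/main.ts) without the option being restored, so the series ships without the allowlist. It should be reinstated before merge, presumably under the name `allowUrls` (current Sentry JS SDKs renamed `whitelistUrls` to `allowUrls`; keep the old name if the pinned SDK still requires it), ideally anchored, e.g. a constructed `allowUrls: [/^https?:\/\/([a-z0-9-]+\.)*aam-digital\.com\//]`. The `initRemoteLogging` call is fully visible in the hunk; the rest of the module is not.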
@@ -27,5 +27,5 @@ export const environment = { production: false, appVersion: "0.0.0", // replaced automatically during docker build repositoryId: "Aam-Digital/ndb-core", - remoteLoggingDsn: undefined, // only set for production mode in environment.prod.ts + remoteLoggingDsn: "https://bd6aba79ca514d35bb06a4b4e0c2a21e@sentry.io/1242399", //TODO: reset // only set for production mode in environment.prod.ts }; From 72ffac0059c09e227d92ad9580578cb2260a222f Mon Sep 17 00:00:00 2001 From: Sebastian Leidig Date: Wed, 19 Jul 2023 17:24:02 +0200 Subject: [PATCH 03/14] trying sentry with simple proxy --- build/default.conf | 7 +++++-- proxy.conf.json | 2 +- src/environments/environment.ts | 4 ++-- src/main.ts | 1 - 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/build/default.conf b/build/default.conf index ed47b805fe..03d7d9ed1b 100644 --- a/build/default.conf +++ b/build/default.conf @@ -59,8 +59,11 @@ server { location /logging { rewrite /logging/(.*) /$1 break; - add_header Content-Type: application/x-sentry-envelope; - proxy_pass ${LOGGING_URL}; + proxy_redirect off; + proxy_buffering off; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Ssl on; } } diff --git a/proxy.conf.json b/proxy.conf.json index 83dfe6ee1e..e4cff02016 100644 --- a/proxy.conf.json +++ b/proxy.conf.json @@ -9,7 +9,7 @@ } }, "/logging": { - "target": "http://localhost:81", + "target": "https://bd6aba79ca514d35bb06a4b4e0c2a21e@sentry.io/1242399", "secure": true, "logLevel": "debug", "changeOrigin": true diff --git a/src/environments/environment.ts b/src/environments/environment.ts index 93dc43a408..bb7a4ce3b1 100644 --- a/src/environments/environment.ts +++ b/src/environments/environment.ts 
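Review bot: The Sentry DSN `https://bd6aba79ca514d35bb06a4b4e0c2a21e@sentry.io/1242399` is committed into `src/environments/environment.ts` with a `//TODO: reset` (and reused in proxy.conf.json and environment.ts in PATCH 03/04); PATCH 13 restores `remoteLoggingDsn: undefined`, but the value stays in the branch history. A DSN is exposed to browsers by design, so this is not a credential leak in the strict sense, yet every local dev run now reports into what is presumably the production project, and anyone with the history can post events to it; consider restricting the project's allowed domains and rate limits in Sentry and loading the DSN from runtime config rather than source. A clearer marker than the inline TODO would be `// FIXME: do not merge - dev DSN for CSP testing only`.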
@@ -30,8 +30,8 @@ export const environment = { production: false, appVersion: "0.0.0", // replaced automatically during docker build repositoryId: "Aam-Digital/ndb-core", - // TODO: remove sentryDsn (go via tunnel)? - remoteLoggingDsn: undefined, // only set for production mode in environment.prod.ts + remoteLoggingDsn: "/logging", + // TODO remoteLoggingDsn: undefined, // only set for production mode in environment.prod.ts /** The following settings can be overridden by the `config.json` if present, see {@link AppSettings} */ demo_mode: true, session_type: SessionType.mock, diff --git a/src/main.ts b/src/main.ts index 0fbb19999d..1c22a3c918 100644 --- a/src/main.ts +++ b/src/main.ts @@ -39,7 +39,6 @@ PwaInstallService.registerPWAInstallListener(); // Initialize remote logging LoggingService.initRemoteLogging({ dsn: environment.remoteLoggingDsn, - tunnel: "/logging", //TODO: reactivate before merge //whitelistUrls: [/https?:\/\/(.*)\.?aam-digital\.com/], }); const logger = new LoggingService(); From 880328132df6594c036aa51a542ed971891c8c17 Mon Sep 17 00:00:00 2001 From: Sebastian Leidig Date: Wed, 19 Jul 2023 17:52:29 +0200 Subject: [PATCH 04/14] no sentry proxying, just simple csp --- build/Dockerfile | 2 +- build/default.conf | 9 --------- proxy.conf.json | 6 ------ src/environments/environment.ts | 4 ++-- src/main.ts | 1 - 5 files changed, 3 insertions(+), 19 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 3a6338b507..b2071584b4 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -76,7 +76,7 @@ ENV NOMINATIM_URL="https://nominatim.openstreetmap.org" # url to be reverse-proxied for logging endpoint (e.g. sentry.io) ENV LOGGING_URL="" # content security policy header overrides -ENV CSP_SRC_ALLOW="" +ENV CSP_SRC_ALLOW="https://sentry.io https://*.aam-digital.com" ENV CSP_FRAME_ALLOW="" ENV CSP_REPORT_URI="" diff --git a/build/default.conf b/build/default.conf index 03d7d9ed1b..e95b35697e 100644 --- a/build/default.conf 
+++ b/build/default.conf @@ -56,14 +56,5 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Ssl on; } - - location /logging { - rewrite /logging/(.*) /$1 break; - proxy_redirect off; - proxy_buffering off; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Ssl on; - } } diff --git a/proxy.conf.json b/proxy.conf.json index e4cff02016..ed04c094ea 100644 --- a/proxy.conf.json +++ b/proxy.conf.json @@ -8,12 +8,6 @@ "/db": "" } }, - "/logging": { - "target": "https://bd6aba79ca514d35bb06a4b4e0c2a21e@sentry.io/1242399", - "secure": true, - "logLevel": "debug", - "changeOrigin": true - }, "/nominatim": { "target": "https://nominatim.openstreetmap.org", "secure": true, diff --git a/src/environments/environment.ts b/src/environments/environment.ts index bb7a4ce3b1..818fc3f461 100644 --- a/src/environments/environment.ts +++ b/src/environments/environment.ts @@ -30,8 +30,8 @@ export const environment = { production: false, appVersion: "0.0.0", // replaced automatically during docker build repositoryId: "Aam-Digital/ndb-core", - remoteLoggingDsn: "/logging", - // TODO remoteLoggingDsn: undefined, // only set for production mode in environment.prod.ts + remoteLoggingDsn: + "https://bd6aba79ca514d35bb06a4b4e0c2a21e@sentry.io/1242399", // only set for production mode in environment.prod.ts /** The following settings can be overridden by the `config.json` if present, see {@link AppSettings} */ demo_mode: true, session_type: SessionType.mock, diff --git a/src/main.ts b/src/main.ts index 1c22a3c918..55fca96eec 100644 --- a/src/main.ts +++ b/src/main.ts @@ -39,7 +39,6 @@ PwaInstallService.registerPWAInstallListener(); // Initialize remote logging LoggingService.initRemoteLogging({ dsn: environment.remoteLoggingDsn, - //TODO: reactivate before merge //whitelistUrls: [/https?:\/\/(.*)\.?aam-digital\.com/], }); const logger = new LoggingService(); 
From cfdb82af6b1c5e26bd05c4936b02720a237a7815 Mon Sep 17 00:00:00 2001 From: Sebastian Leidig Date: Wed, 19 Jul 2023 18:42:27 +0200 Subject: [PATCH 05/14] add important defaults --- build/Dockerfile | 5 ++--- build/default.conf | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index b2071584b4..70d938e746 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -76,10 +76,9 @@ ENV NOMINATIM_URL="https://nominatim.openstreetmap.org" # url to be reverse-proxied for logging endpoint (e.g. sentry.io) ENV LOGGING_URL="" # content security policy header overrides -ENV CSP_SRC_ALLOW="https://sentry.io https://*.aam-digital.com" -ENV CSP_FRAME_ALLOW="" +ENV CSP_SRC_ALLOW="https://sentry.io https://matomo.aam-digital.org https://*.aam-digital.com" ENV CSP_REPORT_URI="" # variables are inserted into the nginx config -CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$LOGGING_URL $$CSP_SRC_ALLOW $$CSP_FRAME_ALLOW $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ +CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$LOGGING_URL $$CSP_SRC_ALLOW $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ nginx -g 'daemon off;' diff --git a/build/default.conf b/build/default.conf index e95b35697e..1a3f74a8cd 100644 --- a/build/default.conf +++ b/build/default.conf 
@@ -10,7 +10,7 @@ server { root /usr/share/nginx/html; - add_header Content-Security-Policy-Report-Only "default-src 'self' ${CSP_SRC_ALLOW}; frame-ancestors 'self' ${CSP_FRAME_ALLOW}; trusted-types angular; require-trusted-types-for 'script'; report-uri ${CSP_REPORT_URI}"; + add_header Content-Security-Policy-Report-Only "default-src 'self' ${CSP_SRC_ALLOW}; style-src 'self' 'unsafe-inline'; img-src 'self' data:; trusted-types angular; require-trusted-types-for 'script'; report-uri ${CSP_REPORT_URI}"; add_header X-Frame-Options: SAMEORIGIN; # only applies in older browsers, CSP frame-ancestors takes prevalence https://stackoverflow.com/a/40417609/1473411 add_header X-Content-Type-Options: nosniff; From 77ae7ee84a01598ab98f8ca3f81c014b2e1fbe75 Mon Sep 17 00:00:00 2001 From: Sebastian Date: Thu, 20 Jul 2023 06:39:30 +0200 Subject: [PATCH 06/14] Update build/README.md Co-authored-by: Simon --- build/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/README.md b/build/README.md index 75f6fa1e4d..50a0b75012 100644 --- a/build/README.md +++ b/build/README.md @@ -14,7 +14,7 @@ You can simply create a new git tag and the CI setup will build and publish a do Run the following commands from the root folder to build, run and kill the application on your local machine: ``` docker build -f build/Dockerfile -t aam/digital:latest . -docker run -p=80:80 aam/digital:latest +docker run -p=80:80 --name aam-digital aam/digital:latest docker kill aam-digital ``` From 6922c10cbb353a91170a6f392d9e3df1781ce304 Mon Sep 17 00:00:00 2001 From: Sebastian Leidig Date: Thu, 20 Jul 2023 07:12:01 +0200 Subject: [PATCH 07/14] updated CSP rules after testing --- build/Dockerfile | 13 ++++++++++--- build/default.conf | 3 ++- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 70d938e746..c376da739e 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
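Review bot: The rewritten Content-Security-Policy-Report-Only value drops `frame-ancestors 'self' ${CSP_FRAME_ALLOW}` without replacement, so the policy no longer says anything about framing and the only remaining anti-clickjacking control is the `X-Frame-Options` header on the next line — whose comment now wrongly claims that `frame-ancestors` takes precedence. `frame-ancestors` does not fall back to `default-src`, so it has to be listed explicitly; add `frame-ancestors 'self';` (or keep the `${CSP_FRAME_ALLOW}` hook) and carry it into the `CSP` variable that PATCH 07/10/12 move the policy into. If framing control is intentionally left to X-Frame-Options, update that comment so it no longer refers to a directive that is gone.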
@@ -75,10 +75,17 @@ ENV COUCHDB_URL="http://localhost" ENV NOMINATIM_URL="https://nominatim.openstreetmap.org" # url to be reverse-proxied for logging endpoint (e.g. sentry.io) ENV LOGGING_URL="" -# content security policy header overrides -ENV CSP_SRC_ALLOW="https://sentry.io https://matomo.aam-digital.org https://*.aam-digital.com" + +# content security policy headers ENV CSP_REPORT_URI="" +## additional allowed default sources +ENV CSP_SRC_ALLOW="https://sentry.io https://matomo.aam-digital.org https://api.github.com/repos/Aam-Digital/ndb-core" +## (optional) complete override of CSP; Warning: the defaults here will be overwritten but similar rules are required for smooth functioning of the app +### index.html writing browser details: 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8=' + +ENV CSP_SRC="default-src 'self' $$CSP_SRC_ALLOW 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8='; style-src 'self' 'unsafe-inline'; img-src 'self' data:" + # variables are inserted into the nginx config -CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$LOGGING_URL $$CSP_SRC_ALLOW $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ +CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$LOGGING_URL $$CSP_SRC $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ nginx -g 'daemon off;' diff --git a/build/default.conf b/build/default.conf index 1a3f74a8cd..b8d7f7ee8c 100644 --- a/build/default.conf +++ b/build/default.conf 
@@ -10,7 +10,8 @@ server { root /usr/share/nginx/html; - add_header Content-Security-Policy-Report-Only "default-src 'self' ${CSP_SRC_ALLOW}; style-src 'self' 'unsafe-inline'; img-src 'self' data:; trusted-types angular; require-trusted-types-for 'script'; report-uri ${CSP_REPORT_URI}"; + add_header Content-Security-Policy-Report-Only "${CSP_SRC}; report-uri ${CSP_REPORT_URI}"; + # TODO: consider adding `trusted-types angular angular#unsafe-bypass; require-trusted-types-for 'script';` CSP in future add_header X-Frame-Options: SAMEORIGIN; # only applies in older browsers, CSP frame-ancestors takes prevalence https://stackoverflow.com/a/40417609/1473411 add_header X-Content-Type-Options: nosniff; From 9d73d8ff0e4b780d81dbb3f0929570e77aa9aeb4 Mon Sep 17 00:00:00 2001 From: Sebastian Leidig Date: Thu, 20 Jul 2023 08:14:53 +0200 Subject: [PATCH 08/14] further tuning of CSP rules --- angular.json | 9 ++++++++- build/Dockerfile | 9 ++++----- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/angular.json b/angular.json index fa404e4f47..d252ea34eb 100644 --- a/angular.json +++ b/angular.json @@ -56,7 +56,14 @@ "maximumWarning": "6kb" } ], - "optimization": true, + "optimization": { + "scripts": true, + "styles": { + "minify": true, + "inlineCritical": false + }, + "fonts": true + }, "outputHashing": "all", "namedChunks": false, "extractLicenses": true, diff --git a/build/Dockerfile b/build/Dockerfile index c376da739e..9ccd753941 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -79,12 +79,11 @@ ENV LOGGING_URL="" # content security policy headers ENV CSP_REPORT_URI="" ## additional allowed default sources -ENV CSP_SRC_ALLOW="https://sentry.io https://matomo.aam-digital.org https://api.github.com/repos/Aam-Digital/ndb-core" +ENV CSP_SRC_ALLOW="https://sentry.io https://api.github.com/repos/Aam-Digital/ https://matomo.aam-digital.org https://*.aam-digital.com" ## (optional) complete override of CSP; Warning: the defaults here will be overwritten but similar rules are required for smooth functioning of the app -### index.html writing browser details: 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8=' - -ENV CSP_SRC="default-src 'self' $$CSP_SRC_ALLOW 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8='; style-src 'self' 'unsafe-inline'; img-src 'self' data:" - +### 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8=' for index.html writing browser details +### 'unsafe-eval' required for pouchdb https://github.com/pouchdb/pouchdb/issues/7853#issuecomment-535020600 +ENV CSP_SRC="default-src 'self' 'unsafe-eval' $CSP_SRC_ALLOW 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:" # variables are inserted into the nginx config CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$LOGGING_URL $$CSP_SRC $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ From 26a3f0565a5ef8c6eb26e711450d1700452d69db Mon Sep 17 00:00:00 2001 From: Sebastian Leidig Date: Thu, 20 Jul 2023 08:17:41 +0200 Subject: [PATCH 09/14] clarify comments --- build/Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 9ccd753941..7d7cc6d7f8 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
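Review bot: The new `CSP_SRC` value has no `script-src` or `connect-src` directive, so every host in `default-src` — `https://sentry.io`, `https://api.github.com/repos/Aam-Digital/`, `https://matomo.aam-digital.org` and the wildcard `https://*.aam-digital.com` — is also an allowed script source, and `'unsafe-eval'` applies to scripts from all of them; a stale or takeover-prone subdomain of aam-digital.com would be enough to load code under this policy. Most of these hosts are presumably only contacted via XHR/fetch and belong in `connect-src`, with `script-src` limited to `'self'`, the index.html hash, `'unsafe-eval'` and only hosts that genuinely serve scripts (matomo likely does), and `default-src 'self'` as the fallback — roughly `default-src 'self'; script-src 'self' 'unsafe-eval' 'sha256-…' <script hosts>; connect-src 'self' https://sentry.io https://api.github.com/repos/Aam-Digital/ …`. The same shape carries into the `CSP` variable of PATCH 10 and PATCH 12, so the split should be applied to the final value there. The `'unsafe-eval'` comment should also state that the allowance is meant for `script-src` only once that directive exists.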
@@ -78,12 +78,12 @@ ENV LOGGING_URL="" # content security policy headers ENV CSP_REPORT_URI="" -## additional allowed default sources +## additional allowed default sources, define URLs that you want to allow as CSP_SRC_ALLOW. This is only used if CSP_SRC is *not* overwritten ENV CSP_SRC_ALLOW="https://sentry.io https://api.github.com/repos/Aam-Digital/ https://matomo.aam-digital.org https://*.aam-digital.com" -## (optional) complete override of CSP; Warning: the defaults here will be overwritten but similar rules are required for smooth functioning of the app +## (optional) complete override of CSP using CSP_SRC; Warning: the defaults here will be overwritten but similar rules are required for smooth functioning of the app +ENV CSP_SRC="default-src 'self' 'unsafe-eval' $CSP_SRC_ALLOW 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:" ### 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8=' for index.html writing browser details ### 'unsafe-eval' required for pouchdb https://github.com/pouchdb/pouchdb/issues/7853#issuecomment-535020600 -ENV CSP_SRC="default-src 'self' 'unsafe-eval' $CSP_SRC_ALLOW 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:" # variables are inserted into the nginx config CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$LOGGING_URL $$CSP_SRC $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ From 4acbfb79175b63ce893a434cb6a7d9353cc80737 Mon Sep 17 00:00:00 2001 From: Sebastian Leidig Date: Thu, 20 Jul 2023 11:48:45 +0200 Subject: [PATCH 10/14] cascading env doesn't work - this is build time ... --- build/Dockerfile | 8 +++----- build/default.conf | 3 ++- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 7d7cc6d7f8..ffcf028ca3 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -78,13 +78,11 @@ ENV LOGGING_URL="" # content security policy headers ENV CSP_REPORT_URI="" -## additional allowed default sources, define URLs that you want to allow as CSP_SRC_ALLOW. This is only used if CSP_SRC is *not* overwritten -ENV CSP_SRC_ALLOW="https://sentry.io https://api.github.com/repos/Aam-Digital/ https://matomo.aam-digital.org https://*.aam-digital.com" -## (optional) complete override of CSP using CSP_SRC; Warning: the defaults here will be overwritten but similar rules are required for smooth functioning of the app -ENV CSP_SRC="default-src 'self' 'unsafe-eval' $CSP_SRC_ALLOW 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:" +## (optional) complete override of Content-Security-Policy headers +ENV CSP="default-src 'self' 'unsafe-eval' https://sentry.io https://b.tile.openstreetmap.org/ https://matomo.aam-digital.org https://*.aam-digital.com https://api.github.com/repos/Aam-Digital/ 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:" ### 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8=' for index.html writing browser details ### 'unsafe-eval' required for pouchdb https://github.com/pouchdb/pouchdb/issues/7853#issuecomment-535020600 # variables are inserted into the nginx config -CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$LOGGING_URL $$CSP_SRC $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ +CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$LOGGING_URL $$CSP_SRC_ALLOW $$CSP_OVERRIDE $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ nginx -g 'daemon off;' diff --git a/build/default.conf b/build/default.conf index b8d7f7ee8c..7f1d0c835d 100644 --- a/build/default.conf +++ b/build/default.conf 
@@ -10,7 +10,8 @@ server { root /usr/share/nginx/html; - add_header Content-Security-Policy-Report-Only "${CSP_SRC}; report-uri ${CSP_REPORT_URI}"; + add_header Content-Security-Policy-Report-Only "${CSP}; report-uri ${CSP_REPORT_URI}"; + # TODO: consider adding `trusted-types angular angular#unsafe-bypass; require-trusted-types-for 'script';` CSP in future add_header X-Frame-Options: SAMEORIGIN; # only applies in older browsers, CSP frame-ancestors takes prevalence https://stackoverflow.com/a/40417609/1473411 add_header X-Content-Type-Options: nosniff; From b8896772d08ebb49032c58a9d57d251e06793608 Mon Sep 17 00:00:00 2001 From: Sebastian Leidig Date: Thu, 20 Jul 2023 12:55:12 +0200 Subject: [PATCH 11/14] fix dockerfile env --- build/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/Dockerfile b/build/Dockerfile index ffcf028ca3..a2c2b6576f 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -84,5 +84,5 @@ ENV CSP="default-src 'self' 'unsafe-eval' https://sentry.io https://b.tile.opens ### 'unsafe-eval' required for pouchdb https://github.com/pouchdb/pouchdb/issues/7853#issuecomment-535020600 # variables are inserted into the nginx config -CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$LOGGING_URL $$CSP_SRC_ALLOW $$CSP_OVERRIDE $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ +CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$LOGGING_URL $$CSP $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ nginx -g 'daemon off;' From 23c5761b41d8c18312df01b51f65454cf261ba91 Mon Sep 17 00:00:00 2001 From: Sebastian Leidig Date: Thu, 20 Jul 2023 13:34:56 +0200 Subject: [PATCH 12/14] final tweaks - now fully tested --- build/Dockerfile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index a2c2b6576f..7f2cfa5bb3 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
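Review bot: The header is still `Content-Security-Policy-Report-Only`, and since this is the last change to it in the series, no commit ever switches to an enforcing `Content-Security-Policy`, so the policy blocks nothing; with the Dockerfile default `CSP_REPORT_URI=""` it does not even report, because the trailing `report-uri ;` is an empty directive that browsers ignore. If report-only is the intended rollout stage, say so in a comment (`# report-only while the whitelist is validated; switch to Content-Security-Policy once reports are clean`) and make the report endpoint a required setting, or emit the enforcing header alongside it. This hunk also appears to add the `# TODO: consider adding trusted-types …` line a second time — PATCH 07 already added it at the same place — leaving a duplicate comment; the collapsed rendering makes this a hedged reading, but the 7→8 line counts with one removal support it.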
@@ -78,8 +78,10 @@ ENV LOGGING_URL="" # content security policy headers ENV CSP_REPORT_URI="" -## (optional) complete override of Content-Security-Policy headers -ENV CSP="default-src 'self' 'unsafe-eval' https://sentry.io https://b.tile.openstreetmap.org/ https://matomo.aam-digital.org https://*.aam-digital.com https://api.github.com/repos/Aam-Digital/ 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:" +# overwrite the Content-Security-Policy rules (report-uri is added automatically) +## default includes all required whitelists for production server +## to disable any CSP blocking, set to "default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'" +ENV CSP="default-src 'self' 'unsafe-eval' https://sentry.io https://matomo.aam-digital.org https://*.aam-digital.com https://api.github.com/repos/Aam-Digital/ 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.tile.openstreetmap.org/; font-src 'self' data:" ### 'sha256-Sh1PNRUktjifFwuOicavxmlAcFpZMbUqQGiCIoKhDI8=' for index.html writing browser details ### 'unsafe-eval' required for pouchdb https://github.com/pouchdb/pouchdb/issues/7853#issuecomment-535020600 From 66f516e64857c2a1535774d96caaaebb5655945d Mon Sep 17 00:00:00 2001 From: Simon Date: Tue, 25 Jul 2023 14:36:20 +0200 Subject: [PATCH 13/14] removed unnecessary things --- build/Dockerfile | 4 +--- src/environments/environment.ts | 3 +-- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 7f2cfa5bb3..5b6e933e7d 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
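Review bot: The new comment recommends `default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'` as the way "to disable any CSP blocking", which invites operators to ship a policy that permits everything while still looking like a CSP is in place; since the header emitted by build/default.conf is report-only, nothing is blocked anyway, so the advice is both misleading and unnecessary. Better to document how to diagnose a rejected source instead (`## check the browser console / CSP_REPORT_URI reports for the blocked origin and add only that host`) and to state that `CSP_REPORT_URI` must be set for the report-only header to produce any signal.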
@@ -73,8 +73,6 @@ ENV PORT=80 ENV COUCHDB_URL="http://localhost" # The url to a nominatim instance, see https://nominatim.org/ ENV NOMINATIM_URL="https://nominatim.openstreetmap.org" -# url to be reverse-proxied for logging endpoint (e.g. sentry.io) -ENV LOGGING_URL="" # content security policy headers ENV CSP_REPORT_URI="" @@ -86,5 +84,5 @@ ENV CSP="default-src 'self' 'unsafe-eval' https://sentry.io https://matomo.aam-d ### 'unsafe-eval' required for pouchdb https://github.com/pouchdb/pouchdb/issues/7853#issuecomment-535020600 # variables are inserted into the nginx config -CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$LOGGING_URL $$CSP $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ +CMD envsubst '$$PORT $$COUCHDB_URL $$NOMINATIM_URL $$CSP $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\ nginx -g 'daemon off;' diff --git a/src/environments/environment.ts b/src/environments/environment.ts index 818fc3f461..a5faf9fac6 100644 --- a/src/environments/environment.ts +++ b/src/environments/environment.ts @@ -30,8 +30,7 @@ export const environment = { production: false, appVersion: "0.0.0", // replaced automatically during docker build repositoryId: "Aam-Digital/ndb-core", - remoteLoggingDsn: - "https://bd6aba79ca514d35bb06a4b4e0c2a21e@sentry.io/1242399", // only set for production mode in environment.prod.ts + remoteLoggingDsn: undefined, // only set for production mode in environment.prod.ts /** The following settings can be overridden by the `config.json` if present, see {@link AppSettings} */ demo_mode: true, session_type: SessionType.mock, From ad0590f56a8211f2485f5b9ecc1f1d994b777822 Mon Sep 17 00:00:00 2001 From: Simon Date: Tue, 25 Jul 2023 15:33:34 +0200 Subject: [PATCH 14/14] changed docker command --- build/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/README.md b/build/README.md index 50a0b75012..642f6f2e12 100644 
--- a/build/README.md +++ b/build/README.md @@ -15,7 +15,7 @@ Run the following commands from the root folder to build, run and kill the appli ``` docker build -f build/Dockerfile -t aam/digital:latest . docker run -p=80:80 --name aam-digital aam/digital:latest -docker kill aam-digital +docker stop aam-digital ``` ## How does the official release process work?