Merge branch 'master' into new-dev

configs/nginx/nginx.example

@@ -9,7 +9,7 @@ server {
 	server_tokens off;
 
 	add_header Cache-Control "public";
-	add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
+	add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
 	add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 	add_header X-Frame-Options "sameorigin" always;
 	add_header X-Content-Type-Options "nosniff" always;
@@ -117,7 +117,7 @@ server {
 
 	location @backend-private {
 		#no cache control public
-		add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
+		add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
 		add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 		add_header X-Frame-Options "sameorigin" always;
 		add_header X-Content-Type-Options "nosniff" always;
@@ -135,15 +135,8 @@ server {
 
 	# authed, no cache pages
 	location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
-		#no cache control public
-		add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
-		add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
-		add_header X-Frame-Options "sameorigin" always;
-		add_header X-Content-Type-Options "nosniff" always;
-		add_header X-XSS-Protection "1; mode=block" always;
 		expires 0;
-		root /path/to/jschan/static/html;
-		try_files $uri @backend-private;
+		try_files /dev/null @backend-private;
 	}
 
 	# public html
@@ -241,7 +234,7 @@ server {
 #	server_tokens off;
 #
 #	add_header Cache-Control "public";
-#	add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'";
+#	add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
 #	add_header Referrer-Policy "same-origin" always;
 #	add_header X-Frame-Options "sameorigin" always;
 #	add_header X-Content-Type-Options "nosniff" always;
@@ -347,6 +340,30 @@ server {
 #		proxy_set_header Host $host;
 #	}
 #
+#	location @backend-private {
+#		#no cache control public
+#		add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
+#		add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
+#		add_header X-Frame-Options "sameorigin" always;
+#		add_header X-Content-Type-Options "nosniff" always;
+#		add_header X-XSS-Protection "1; mode=block" always;
+#		proxy_buffering off;
+#		proxy_pass http://chan$request_uri;
+#		proxy_http_version 1.1;
+#		proxy_set_header X-Forwarded-Proto http;
+#		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#		proxy_set_header X-Real-IP $remote_addr;
+#		proxy_set_header X-Country-Code 'TOR';
+#		proxy_set_header Connection '';
+#		proxy_set_header Host $host;
+#	}
+#
+#	# authed, no cache pages
+#	location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
+#		expires 0;
+#		try_files /dev/null @backend-private;
+#	}
+#
 #	# HTML
 #	location ~* \.html$ {
 #		expires 0;

configs/nginx/nginx_no_https.example

@@ -9,7 +9,7 @@ server {
 	server_tokens off;
 
 	add_header Cache-Control "public";
-	add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' ws://domain.com/";
+	add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' ws://domain.com/" always;
 	add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 	add_header X-Frame-Options "sameorigin" always;
 	add_header X-Content-Type-Options "nosniff" always;
@@ -116,6 +116,12 @@ server {
 	}
 
 	location @backend-private {
+		#no cache control public
+		add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
+		add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
+		add_header X-Frame-Options "sameorigin" always;
+		add_header X-Content-Type-Options "nosniff" always;
+		add_header X-XSS-Protection "1; mode=block" always;
 		proxy_buffering off;
 		proxy_pass http://chan$request_uri;
 		proxy_http_version 1.1;
@@ -129,15 +135,8 @@ server {
 
 	# authed, no cache pages
 	location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
-		#no cache control public
-		add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
-		add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
-		add_header X-Frame-Options "sameorigin" always;
-		add_header X-Content-Type-Options "nosniff" always;
-		add_header X-XSS-Protection "1; mode=block" always;
 		expires 0;
-		root /path/to/jschan/static/html;
-		try_files $uri @backend-private;
+		try_files /dev/null @backend-private;
 	}
 
 	# public html
@@ -238,7 +237,7 @@ server {
 #	}
 #
 #	add_header Cache-Control "public";
-#	add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'";
+#	add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
 #	add_header Referrer-Policy "same-origin" always;
 #	add_header X-Frame-Options "sameorigin" always;
 #	add_header X-Content-Type-Options "nosniff" always;
@@ -318,6 +317,30 @@ server {
 #		proxy_set_header Host $host;
 #	}
 #
+#	location @backend-private {
+#		#no cache control public
+#		add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
+#		add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
+#		add_header X-Frame-Options "sameorigin" always;
+#		add_header X-Content-Type-Options "nosniff" always;
+#		add_header X-XSS-Protection "1; mode=block" always;
+#		proxy_buffering off;
+#		proxy_pass http://chan$request_uri;
+#		proxy_http_version 1.1;
+#		proxy_set_header X-Forwarded-Proto http;
+#		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#		proxy_set_header X-Real-IP $remote_addr;
+#		proxy_set_header X-Country-Code 'TOR';
+#		proxy_set_header Connection '';
+#		proxy_set_header Host $host;
+#	}
+#
+#	# authed, no cache pages
+#	location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
+#		expires 0;
+#		try_files /dev/null @backend-private;
+#	}
+#
 #	# HTML
 #	location ~* \.html$ {
 #		expires 0;

configs/nginx/snippets/jschan_clearnet_routes.conf

@@ -26,7 +26,7 @@ location @backend {
 	proxy_set_header Host $host;
 }
 
-location @backend {
+location @backend-private {
 	include /etc/nginx/snippets/security_headers_nocache.conf;
 	proxy_buffering off;
 	proxy_pass http://chan$request_uri;

configs/nginx/snippets/jschan_common_routes.conf

@@ -44,10 +44,8 @@ location /captcha {
 
 # authed, no cache pages
 location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
-        include /etc/nginx/snippets/security_headers_nocache.conf;
         expires 0;
-        root /path/to/jschan/static/html;
-        try_files $uri @backend-private;
+        try_files /dev/null @backend-private;
 }
 
 # public html

configs/nginx/snippets/security_headers.conf

@@ -1,5 +1,5 @@
 add_header Cache-Control "public";
-add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
+add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
 add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 add_header X-Frame-Options "sameorigin" always;
 add_header X-Content-Type-Options "nosniff" always;

configs/nginx/snippets/security_headers_nocache.conf

@@ -1,4 +1,4 @@
-add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
+add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
 add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 add_header X-Frame-Options "sameorigin" always;
 add_header X-Content-Type-Options "nosniff" always;