From d46ca5ade0b3ba1e916640db66ea823eb4b89e71 Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Tue, 23 Mar 2021 00:06:54 +0000
Subject: [PATCH] make csp always for private backend, set the headers in the named block remove the root and use /dev/null instead of $uri to call it
---
 configs/nginx/nginx.example | 39 ++++++++++++-----
 configs/nginx/nginx_no_https.example | 43 ++++++++++++++-----
 .../snippets/jschan_clearnet_routes.conf | 2 +-
 .../nginx/snippets/jschan_common_routes.conf | 4 +-
 configs/nginx/snippets/security_headers.conf | 2 +-
 .../snippets/security_headers_nocache.conf | 2 +-
 6 files changed, 65 insertions(+), 27 deletions(-)
diff --git a/configs/nginx/nginx.example b/configs/nginx/nginx.example
index 135a831d..524ff3f1 100644
--- a/configs/nginx/nginx.example
+++ b/configs/nginx/nginx.example
@@ -9,7 +9,7 @@ server {
 server_tokens off;
 add_header Cache-Control "public";
- add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
+ add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
 add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 add_header X-Frame-Options "sameorigin" always;
 add_header X-Content-Type-Options "nosniff" always;
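Review bot: The policy on the added line still has no `base-uri`, `form-action` or `frame-ancestors` directive, and none of those fall back to `default-src`, so an injected `<base>` element or a form posting to a foreign origin is not restricted by this CSP even though script injection is. Consider extending the quoted value with `; base-uri 'self'; form-action 'self'; frame-ancestors 'self'` (`frame-ancestors` is the CSP counterpart of the `X-Frame-Options` header two lines below). The same policy string is repeated in the `@backend-private` blocks of both example files, in the server block of nginx_no_https.example and in both snippets, so a change here has to be mirrored in each copy, which is itself an argument for keeping the value in one snippet. `Cache-Control "public"` just above is the only header in this group without `always`; if that is deliberate (not attaching it to error responses) a short comment saying so would prevent a later "fix".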
@@ -117,7 +117,7 @@ server {
 location @backend-private {
 #no cache control public
- add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
+ add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
 add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 add_header X-Frame-Options "sameorigin" always;
 add_header X-Content-Type-Options "nosniff" always;
@@ -135,15 +135,8 @@ server {
 # authed, no cache pages
 location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
- #no cache control public
- add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
- add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
- add_header X-Frame-Options "sameorigin" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
 expires 0;
- root /path/to/jschan/static/html;
- try_files $uri @backend-private;
+ try_files /dev/null @backend-private;
 }
 # public html
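Review bot: The `add_header` lines inside `location @backend-private` replace every server-level `add_header` for responses served through it, so any header set only at server level (the `Cache-Control "public"` shown in this file's first hunk, or anything added there later) is silently absent on private pages; that inheritance rule is why the list has to be repeated, but repeating it literally invites drift between the copies. A one-line comment on the block, `# add_header in a location discards all server-level add_header; the full set must be repeated here`, would tell the next maintainer why the duplication exists, and the snippet form used in jschan_clearnet_routes.conf (`include /etc/nginx/snippets/security_headers_nocache.conf;`) is the cleaner way to keep the copies identical. The `location @backend-private` block continues past the end of this hunk, and the identical block added to nginx_no_https.example has the same duplication.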
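Review bot: `try_files /dev/null @backend-private;` only works because `$document_root/dev/null` never exists, so every request falls through to the named location; a comment such as `# /dev/null never exists under the document root, so this always falls through to @backend-private` would stop someone "fixing" it back to `$uri`. Since nothing is served from this location any more, `expires 0;` here appears to have no effect: after the `try_files` fallback the response is built under `@backend-private`'s own configuration, which sets no Cache-Control (its comment says "no cache control public"), so whether these authenticated manage/account pages are cacheable now depends on what the upstream sends. Worth confirming against the backend's response headers; if it sends nothing, a `Cache-Control "no-store"` in the named block rather than an `expires` here is the enforceable form. The same pattern is in the nginx_no_https.example hunk at -129 and in jschan_common_routes.conf at -44, and in the commented Tor sections.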
@@ -241,7 +234,7 @@ server {
 # server_tokens off;
 #
 # add_header Cache-Control "public";
-# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'";
+# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
 # add_header Referrer-Policy "same-origin" always;
 # add_header X-Frame-Options "sameorigin" always;
 # add_header X-Content-Type-Options "nosniff" always;
@@ -347,6 +340,30 @@ server {
 # proxy_set_header Host $host;
 # }
 #
+# location @backend-private {
+# #no cache control public
+# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
+# add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
+# add_header X-Frame-Options "sameorigin" always;
+# add_header X-Content-Type-Options "nosniff" always;
+# add_header X-XSS-Protection "1; mode=block" always;
+# proxy_buffering off;
+# proxy_pass http://chan$request_uri;
+# proxy_http_version 1.1;
+# proxy_set_header X-Forwarded-Proto http;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Country-Code 'TOR';
+# proxy_set_header Connection '';
+# proxy_set_header Host $host;
+# }
+#
+# # authed, no cache pages
+# location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
+# expires 0;
+# try_files /dev/null @backend-private;
+# }
+#
 # # HTML
 # location ~* \.html$ {
 # expires 0;
diff --git a/configs/nginx/nginx_no_https.example b/configs/nginx/nginx_no_https.example
index b17365a1..ae31d137 100644
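Review bot: The commented `@backend-private` block added here looks pasted from the clearnet server rather than derived from this one: it allows `frame-src https://www.youtube.com/embed/ https://www.bitchute.com/embed/` and `connect-src 'self' wss://domain.com/`, while the server-level policy of this same commented block (hunk at -241) has neither directive, and the block proxies with `X-Forwarded-Proto http`, so a plain-HTTP/onion listener would presumably open its websocket over `ws://`, which `wss://domain.com/` does not cover. Either reuse the shorter server-level policy string in this block, or add the `frame-src`/`connect-src` additions to both with the scheme this listener actually serves. The copy added to nginx_no_https.example at -318 has the same mismatch. Because this is sample config meant to be uncommented as-is, a note like `# adjust connect-src scheme (ws/wss) to match this listener` on the CSP line would reduce the chance it is deployed unchanged.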
--- a/configs/nginx/nginx_no_https.example
+++ b/configs/nginx/nginx_no_https.example
@@ -9,7 +9,7 @@ server {
 server_tokens off;
 add_header Cache-Control "public";
- add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' ws://domain.com/";
+ add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' ws://domain.com/" always;
 add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 add_header X-Frame-Options "sameorigin" always;
 add_header X-Content-Type-Options "nosniff" always;
@@ -116,6 +116,12 @@ server {
 }
 location @backend-private {
+ #no cache control public
+ add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
+ add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
+ add_header X-Frame-Options "sameorigin" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
 proxy_buffering off;
 proxy_pass http://chan$request_uri;
 proxy_http_version 1.1;
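Review bot: The CSP added inside `location @backend-private` ends with `connect-src 'self' wss://domain.com/`, while the server-level policy of this same file (hunk at -9) uses `ws://domain.com/`; on a plain-HTTP listener the websocket is `ws://`, so private pages (manage/account) get a policy that differs from the public pages and can block the socket wherever `'self'` does not already cover it. Change the added line to end with `connect-src 'self' ws://domain.com/" always;` so the two policies agree. Separately, `add_header X-XSS-Protection "1; mode=block" always;` turns on a browser filter that current browsers have removed and that the remaining implementations were shown to leak cross-site information through; the usual recommendation today is `add_header X-XSS-Protection "0" always;` (or omitting the header) and relying on the CSP this block already sets, and the same line exists in the clearnet example's `@backend-private` block. The `location @backend-private` block continues past the end of this hunk.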
@@ -129,15 +135,8 @@ server {
 # authed, no cache pages
 location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
- #no cache control public
- add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
- add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
- add_header X-Frame-Options "sameorigin" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
 expires 0;
- root /path/to/jschan/static/html;
- try_files $uri @backend-private;
+ try_files /dev/null @backend-private;
 }
 # public html
@@ -238,7 +237,7 @@ server {
 # }
 #
 # add_header Cache-Control "public";
-# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'";
+# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
 # add_header Referrer-Policy "same-origin" always;
 # add_header X-Frame-Options "sameorigin" always;
 # add_header X-Content-Type-Options "nosniff" always;
@@ -318,6 +317,30 @@ server {
 # proxy_set_header Host $host;
 # }
 #
+# location @backend-private {
+# #no cache control public
+# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
+# add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
+# add_header X-Frame-Options "sameorigin" always;
+# add_header X-Content-Type-Options "nosniff" always;
+# add_header X-XSS-Protection "1; mode=block" always;
+# proxy_buffering off;
+# proxy_pass http://chan$request_uri;
+# proxy_http_version 1.1;
+# proxy_set_header X-Forwarded-Proto http;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Country-Code 'TOR';
+# proxy_set_header Connection '';
+# proxy_set_header Host $host;
+# }
+#
+# # authed, no cache pages
+# location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
+# expires 0;
+# try_files /dev/null @backend-private;
+# }
+#
 # # HTML
 # location ~* \.html$ {
 # expires 0;
diff --git a/configs/nginx/snippets/jschan_clearnet_routes.conf b/configs/nginx/snippets/jschan_clearnet_routes.conf
index 038c5f42..1568cd69 100644
--- a/configs/nginx/snippets/jschan_clearnet_routes.conf
+++ b/configs/nginx/snippets/jschan_clearnet_routes.conf
@@ -26,7 +26,7 @@ location @backend {
 proxy_set_header Host $host;
 }
-location @backend {
+location @backend-private {
 include /etc/nginx/snippets/security_headers_nocache.conf;
 proxy_buffering off;
 proxy_pass http://chan$request_uri;
diff --git a/configs/nginx/snippets/jschan_common_routes.conf b/configs/nginx/snippets/jschan_common_routes.conf
index bb7589be..5f5b7027 100644
--- a/configs/nginx/snippets/jschan_common_routes.conf
+++ b/configs/nginx/snippets/jschan_common_routes.conf
@@ -44,10 +44,8 @@ location /captcha {
 # authed, no cache pages
 location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
- include /etc/nginx/snippets/security_headers_nocache.conf;
 expires 0;
- root /path/to/jschan/static/html;
- try_files $uri @backend-private;
+ try_files /dev/null @backend-private;
 }
 # public html
diff --git a/configs/nginx/snippets/security_headers.conf b/configs/nginx/snippets/security_headers.conf
index 3e595610..bca0c26f 100644
--- a/configs/nginx/snippets/security_headers.conf
+++ b/configs/nginx/snippets/security_headers.conf
@@ -1,5 +1,5 @@
 add_header Cache-Control "public";
-add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
+add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
 add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 add_header X-Frame-Options "sameorigin" always;
 add_header X-Content-Type-Options "nosniff" always;
diff --git a/configs/nginx/snippets/security_headers_nocache.conf b/configs/nginx/snippets/security_headers_nocache.conf
index 249d5c89..9332c9d9 100644
--- a/configs/nginx/snippets/security_headers_nocache.conf
+++ b/configs/nginx/snippets/security_headers_nocache.conf
@@ -1,4 +1,4 @@
-add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/";
+add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
 add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 add_header X-Frame-Options "sameorigin" always;
 add_header X-Content-Type-Options "nosniff" always;
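Review bot: This snippet carries no Cache-Control directive at all, and after this commit it is included only from `@backend-private` (jschan_common_routes.conf no longer includes it from the authed-pages location), so the "nocache" in its name rests entirely on whatever the upstream sends for authenticated manage/account responses. If the backend does not set Cache-Control on those responses itself, adding `add_header Cache-Control "no-store" always;` as the first line of this file would make the intent enforceable at the proxy; confirm against the upstream's actual response headers before adding it, since nginx will send both if the upstream also sets one. The file also has no header comment explaining its contract; `# security headers for authenticated, uncacheable responses; 'always' keeps them on 4xx/5xx too` would document both the purpose and why `always` was added here.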