INSTALLATION.md improvement close #383

note about possible location where to clone repo and put it earlier
note about apex domain and www
clarify that nginx config replacement must also occur in snippets
add loki and onions to example CSP snippets
add www. subdomain to example CSP snippets
add way to remove onion or lokinet from the CSP if not used
jschan
Thomas Lynch 3 years ago
parent cddb16c837
commit ef35320e4f
  1. INSTALLATION.md (19 changed lines)
  2. configs/nginx/snippets/security_headers.conf (2 changed lines)
  3. configs/nginx/snippets/security_headers_nocache.conf (2 changed lines)

@ -20,6 +20,7 @@
- Separate, non-root user to run the application
- Basic security like ssh root login disabled, key login only, firewall (ufw works) deny all incoming on ports besides http/s and ssh.
- Set the timezone to UTC
- Clone the repo somewhere. The homedir for the user you setup or /var/www should work.
**2. Install dependencies.**
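Review bot: the new clone bullet says the home directory of the user "you setup" or /var/www "should work", but /var/www is normally root-owned, so a clone made there by the separate non-root user from the bullet above needs ownership or permissions adjusted first, and nginx must be able to traverse and read whichever path later replaces /path/to/jschan. Suggest one sentence stating the expected ownership of the clone directory, and "you setup" should read "you set up".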
@ -51,6 +52,8 @@ You may install Node.js yourself without nvm if you prefer.
**6. Configure nginx**
NOTE: The sample configs assume you use the apex domain and a www. subdomain.
- Copy the nginx example config and snippets, and create a symlink from sites-available -> sites-enabled
```bash
$ sudo cp configs/nginx/nginx.example /etc/nginx/sites-available/EXAMPLE.COM
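Review bot: the NOTE states the apex plus www. assumption but gives no instruction for a single-hostname deployment; suggest saying which lines to adapt (at minimum the www. entries added to connect-src in the copied snippets, and wherever else the site config names the www. host), otherwise readers without a www. subdomain end up with a CSP allowing a host that does not exist. Minor: written as a bullet like the surrounding items it would be harder to skip.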
@ -58,17 +61,27 @@ $ sudo ln -s /etc/nginx/sites-available/EXAMPLE.COM /etc/nginx/sites-enabled/EXA
$ sudo cp configs/nginx/snippets/* /etc/nginx/snippets
```
- If you have a .onion or .loki address, uncomment the block in /etc/nginx/sites-available/EXAMPLE.COM
If you have a .onion or .loki address:
- Uncomment the block in /etc/nginx/sites-available/EXAMPLE.COM
Edit/replace the following in your nginx config:
- "/path/to/jschan" with the path of your jschan root folder
- "example.com" with your domain name
- "example.onion" or "example.loki" with your tor or lokinet address
`sed` can be used to automate this process:
`sed` can be used to automate this process, for example:
```bash
$ sudo sed -i 's|/path/to/jschan|/path/to/your/install|g' /etc/nginx/sites-available/EXAMPLE.COM
$ sudo sed -i 's|/path/to/jschan|/path/to/your/install|g' /etc/nginx/snippets/*
$ sudo sed -i 's/example.com/your.example.com/g' /etc/nginx/sites-available/EXAMPLE.COM
$ sudo sed -i 's/example.com/your.example.com/g' /etc/nginx/snippets/*
# repeat the same for "example.onion" and "example.loki" with your addresses
```
If you don't use .onion or .loki address, remove the example domains from the content-security-policy snippet:
```bash
$ sudo sed -i 's/ wss:\/\/www.example.onion\/ wss:\/\/example.onion\///g' /etc/nginx/snippets/security_headers*
$ sudo sed -i 's/ wss:\/\/www.example.loki\/ wss:\/\/example.loki\///g' /etc/nginx/snippets/security_headers*
```
- Make sure the sites enabled folder is included by `/etc/nginx/nginx.conf` (in debian nginx package this is already done)
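Review bot: the two `sudo sed -i ... /etc/nginx/snippets/*` commands rewrite every file in the snippets directory, including unrelated snippets a distro package may already have placed there, while the removal commands further down use the narrower `security_headers*` glob; suggest the same narrow glob (or an explicit list of the copied jschan snippets) in all four commands. Two smaller points: the unescaped `.` in `s/example.com/your.example.com/g` matches any character, so `s/example\.com/...` is safer, and the onion/loki removal patterns only match the exact substring order ` wss://www.example.onion/ wss://example.onion/`, so they silently do nothing if the entries in the snippet line are ever reordered; telling readers to run `nginx -t` and inspect the resulting header would catch both cases.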
@ -83,7 +96,7 @@ If you plan on using hcaptcha or google recaptcha, you will need to modify the c
If you use cloudflare, please read [these](https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs-Logging-visitor-IP-addresses-with-mod-cloudflare-) [articles](https://support.cloudflare.com/hc/en-us/articles/200168236-Configuring-Cloudflare-IP-Geolocation) to setup proper IP forwarding and geolocation headers. Similar steps would apply to other CDNs/reverse proxies.
**7. Clone this repo, browse to the folder and set some things up**
**7. Get the backend setup & running**
```bash
# copy example secrets file and edit it to fill out the details
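Review bot: the reworded step 7 heading drops "browse to the folder", yet cloning now happens in step 1 at one of two possible locations, so the body of step 7 still needs an explicit `cd` into the clone directory before the `cp` of the secrets file; please confirm that line survives the rename. Also "backend setup & running" reads better as "backend set up and running".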

@ -1,5 +1,5 @@
add_header Cache-Control "public";
add_header Content-Security-Policy "default-src 'self'; media-src 'self' blob:; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://example.com/" always;
add_header Content-Security-Policy "default-src 'self'; media-src 'self' blob:; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://example.com/ wss://www.example.com/ wss://www.example.onion/ wss://example.onion/ wss://www.example.loki/ wss://example.loki/" always;
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Content-Type-Options "nosniff" always;
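Review bot: the added `wss://` entries for the .onion and .loki hosts only permit WebSocket over TLS; if the hidden-service block in the site config serves plain HTTP, the browser opens `ws://example.onion/` instead, which a `wss:` source does not match, and CSP blocks the socket. Suggest either documenting that the onion/lokinet block must also serve TLS or listing the `ws://` forms for those hosts. Since all entries sit on one line, the removal sed in INSTALLATION.md depends on the exact order ` wss://www.example.onion/ wss://example.onion/`, so keep the two in sync if this line is reordered.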

@ -1,4 +1,4 @@
add_header Content-Security-Policy "default-src 'self'; media-src 'self' blob:; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://example.com/" always;
add_header Content-Security-Policy "default-src 'self'; media-src 'self' blob:; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://example.com/ wss://www.example.com/ wss://www.example.onion/ wss://example.onion/ wss://www.example.loki/ wss://example.loki/" always;
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Content-Type-Options "nosniff" always;
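Review bot: this Content-Security-Policy line is now byte-identical to the one in security_headers.conf and the commit had to edit both; suggest moving the CSP `add_header` into one shared snippet that both files include, so future domain or onion changes happen once and the sed instructions in INSTALLATION.md touch a single file. Bear in mind that nginx `add_header` directives are not merged across levels (a location that adds its own header drops these), so the shared include must be placed wherever headers are ultimately emitted.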
