From 023b15fa76af2921e7a09ff0569bf52f6a74784b Mon Sep 17 00:00:00 2001 From: MichaIng Date: Fri, 26 Jan 2024 17:15:10 +0100 Subject: [PATCH] v9.1 - DietPi-Software | Nextcloud: Re-add Nginx security headers for assets - META | Satisfy shellcheck --- .build/images/dietpi-installer | 4 ++-- .conf/dps_114/nginx.nextcloud.conf | 9 +++++++++ .update/patches | 2 +- dietpi/dietpi-software | 2 +- 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/.build/images/dietpi-installer b/.build/images/dietpi-installer index 975a89c2b4..b2ae757292 100755 --- a/.build/images/dietpi-installer +++ b/.build/images/dietpi-installer @@ -908,7 +908,7 @@ _EOF_ ) # Install entropy daemon on SBCs with ancient kernel: NanoPi M2/T2/Fire2, NanoPi M3/T3/Fire3, Sparky SBC - if [[ ! $G_HW_MODEL =~ ^(61|62|70)$ ]] # + if [[ ! $G_HW_MODEL =~ ^(61|62|70)$ ]] then aPACKAGES_REQUIRED_INSTALL+=('haveged') # https://github.com/MichaIng/DietPi/issues/4710 @@ -1178,7 +1178,7 @@ _EOF_ # Orange Pi Zero 3: Apply device tree adjustment for Ethernet adapter elif (( $G_HW_MODEL == 83 )) - then + then # shellcheck disable=SC2016 sed --follow-symlinks -i -e '/^setenv bootargs /s/"$/ ethernet_phy=${ethernet_phy}"/' -e '/^# Boot/i\ if test "${ethernet_phy}" = "rtl8211f"; then\ diff --git a/.conf/dps_114/nginx.nextcloud.conf b/.conf/dps_114/nginx.nextcloud.conf index c49fe0cf3d..8e38802989 100644 --- a/.conf/dps_114/nginx.nextcloud.conf +++ b/.conf/dps_114/nginx.nextcloud.conf 
@@ -84,7 +84,16 @@ location ^~ /nextcloud { location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ { try_files $uri /nextcloud/index.php$request_uri; + # HTTP response headers borrowed from Nextcloud `.htaccess` add_header Cache-Control "public, max-age=15778463$asset_immutable"; + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; access_log off; # Optional: Don't log access to assets } diff --git a/.update/patches b/.update/patches index 39e3acb830..4bc0ea4b29 100755 --- a/.update/patches +++ b/.update/patches @@ -1577,7 +1577,7 @@ Patch_9_0() # - Nginx if [[ -f '/etc/nginx/sites-dietpi/dietpi-nextcloud.conf' ]] then - echo '# Set the `immutable` cache control option for assets with a cache busting `v` argument + echo '# Set the "immutable" cache control option for assets with a cache busting "v=" argument map $arg_v $asset_immutable { "" ""; default ", immutable"; diff --git a/dietpi/dietpi-software b/dietpi/dietpi-software index 6df9ca07c8..2a2b8a3a62 100755 --- a/dietpi/dietpi-software +++ b/dietpi/dietpi-software @@ -4644,7 +4644,7 @@ url.redirect += ( elif (( ${aSOFTWARE_INSTALL_STATE[85]} > 0 )) then G_DIETPI-NOTIFY 2 'Nginx webserver found, enabling Nextcloud specific configuration.' # https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html - echo '# Set the `immutable` cache control option for assets with a cache busting `v` argument + echo '# Set the "immutable" cache control option for assets with a cache busting "v=" argument map $arg_v $asset_immutable { "" ""; default ", immutable";
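Review bot: The comment added at the top of the asset `location` says where the headers come from but not why they have to be repeated there. nginx inherits `add_header` from the enclosing level only when the current level defines none, so the existing `Cache-Control` line in this block drops every header set further up. I would put that in the comment, e.g. `# add_header in this block disables inheritance from the enclosing level, keep this list in sync with it`. The commented-out `Strict-Transport-Security` line has the same coupling: an admin who enables HSTS in the enclosing configuration (not visible in this hunk) must also uncomment it here, or asset responses go out without it. The enclosing `location ^~ /nextcloud` block starts and ends outside the hunk.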
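Review bot: As far as this diff shows, installs that already have `/etc/nginx/sites-dietpi/dietpi-nextcloud.conf` do not receive the re-added asset headers. The only change to `.update/patches` is the reworded comment inside the `echo` of `Patch_9_0`, and the diffstat lists no other changed line in that file. If the config is not re-deployed somewhere outside this commit, a v9.1 patch step that refreshes that file would close the gap, or at least a marker such as `# TODO: carry the asset security headers from nginx.nextcloud.conf over to existing installs`. `Patch_9_0` starts and ends outside the hunk.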