Skip to content

Commit

Permalink
fix(nginx): add option to easy manage HEADERS (make it possible to se…
Browse files Browse the repository at this point in the history
…t HSTS)

Signed-off-by: WrenIX <[email protected]>
  • Loading branch information
wrenix committed Oct 22, 2024
1 parent 3226e00 commit 06726fe
Show file tree
Hide file tree
Showing 4 changed files with 53 additions and 11 deletions.
2 changes: 1 addition & 1 deletion charts/nextcloud/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
apiVersion: v2
name: nextcloud
version: 6.1.1
version: 6.2.0
appVersion: 30.0.1
description: A file sharing server that puts the control and security of your own data back into your hands.
keywords:
Expand Down
29 changes: 29 additions & 0 deletions charts/nextcloud/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ helm install my-release nextcloud/nextcloud
* [Object Storage as Primary Storage Configuration](#object-storage-as-primary-storage-configuration)
* [Persistence Configurations](#persistence-configurations)
* [Metrics Configurations](#metrics-configurations)
* [Headers set on nginx](#headers-set-on-nginx)
* [Probes Configurations](#probes-configurations)
* [Cron jobs](#cron-jobs)
* [Using the nextcloud docker image auto-configuration via env vars](#using-the-nextcloud-docker-image-auto-configuration-via-env-vars)
Expand Down Expand Up @@ -399,6 +400,34 @@ helm install --name my-release -f values.yaml nextcloud/nextcloud
> **Tip**: You can use the default [values.yaml](values.yaml)
### Headers set on NGINX
It is possible to set any additional header
| Parameter | Description | Default |
|------------------------------|-------------------------------------|-----------|
| `nginx.config.headers.<key>` | Headers which are added with nginx | |
Following keys are already set with this values:
- Referrer-Policy: `no-referrer`
- X-Content-Type-Options: `nosniff`
- X-Download-Options: `noopen`
- X-Frame-Options: `SAMEORIGIN`
- X-Permitted-Cross-Domain-Policies: `none`
- X-Robots-Tag: `noindex, nofollow`
- X-XSS-Protection: `1; mode=block`
Maybe you like to set:
- Strict-Transport-Security: `max-age=15768000; includeSubDomains; preload;`
> [!WARNING]
> Only add the preload option once you read about
> the consequences in https://hstspreload.org/. This option
> will add the domain to a hardcoded list that is shipped
> in all major browsers and getting removed from this list
> could take several months.
### Probes Configurations
The nextcloud deployment includes a series of different probes you can use to determine if a pod is ready or not. You can learn more in the [Configure Liveness, Readiness and Startup Probes Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/).
Expand Down
15 changes: 5 additions & 10 deletions charts/nextcloud/files/nginx.config.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,11 @@ server {
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
{{- range $name, $value := .Values.nginx.config.headers }}
{{- if $value }}
add_header {{ $name }} {{ $value | quote }} always;
{{- end }}
{{- end }}

# set max upload size
client_max_body_size 10G;
Expand All @@ -38,15 +42,6 @@ server {
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;

# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

Expand Down
18 changes: 18 additions & 0 deletions charts/nextcloud/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -331,6 +331,24 @@ nginx:
config:
# This generates the default nginx config as per the nextcloud documentation
default: true
headers:
# -- HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
# Example:
# "Strict-Transport-Security": "max-age=15768000; includeSubDomains; preload;"
"Strict-Transport-Security": ""
"Referrer-Policy": "no-referrer"
"X-Content-Type-Options": "nosniff"
"X-Download-Options": "noopen"
"X-Frame-Options": "SAMEORIGIN"
"X-Permitted-Cross-Domain-Policies": "none"
"X-Robots-Tag": "noindex, nofollow"
"X-XSS-Protection": "1; mode=block"

custom:
# custom: |-
# worker_processes 1;..
Expand Down

0 comments on commit 06726fe

Please sign in to comment.