nixos/nextcloud: Add option for max-age HSTS directive

* Add an option services.nextcloud.nginx.hstsMaxAge for setting the max-age
  directive of the Strict-Transport-Security HTTP header.

* Make the Strict-Transport-Security HTTP header in the Nginx virtualhost block
  dependent upon the option services.nextcloud.https instead of
  services.nextcloud.nginx.recommendedHttpHeaders, as this header makes no sense
  when not using HTTPS.  (Closes #169465)
Aidan Gauland 2022-05-14 08:12:36 +12:00
parent c0b9099f13
commit 59244e07f0
GPG key ID: 16E68DD2D0E77C91
3 changed files with 32 additions and 5 deletions


@ -2514,6 +2514,16 @@ cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb"
enabled. enabled.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The Nextcloud module now allows setting the value of the
<literal>max-age</literal> directive of the
<literal>Strict-Transport-Security</literal> HTTP header,
which is now controlled by the
<literal>services.nextcloud.https</literal> option, rather
than <literal>services.nginx.recommendedHttpHeaders</literal>.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The <literal>spark3</literal> package has been updated from The <literal>spark3</literal> package has been updated from
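Review bot: the last sentence of the new `<listitem>` names the wrong option: the header was previously gated by `services.nextcloud.nginx.recommendedHttpHeaders` (the `nginx.recommendedHttpHeaders` option visible in the nextcloud.nix hunk, and the option the commit message names), not `services.nginx.recommendedHttpHeaders`, which belongs to the nginx module and is unrelated. The entry also never tells the reader where the new setting lives; suggest "...via the new `services.nextcloud.nginx.hstsMaxAge` option..." so that the release note points at the option it announces.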


@ -892,6 +892,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The Nextcloud module now supports to create a Mysql database automatically - The Nextcloud module now supports to create a Mysql database automatically
with `services.nextcloud.database.createLocally` enabled. with `services.nextcloud.database.createLocally` enabled.
- The Nextcloud module now allows setting the value of the `max-age` directive of the `Strict-Transport-Security` HTTP header, which is now controlled by the `services.nextcloud.https` option, rather than `services.nginx.recommendedHttpHeaders`.
- The `spark3` package has been updated from 3.1.2 to 3.2.1 ([#160075](https://github.com/NixOS/nixpkgs/pull/160075)): - The `spark3` package has been updated from 3.1.2 to 3.2.1 ([#160075](https://github.com/NixOS/nixpkgs/pull/160075)):
- Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`. - Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`.
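Review bot: the markdown release note misnames the option that used to control this header: it should read `services.nextcloud.nginx.recommendedHttpHeaders` (the option defined in the nextcloud.nix hunk) rather than `services.nginx.recommendedHttpHeaders`, and it should name the new `services.nextcloud.nginx.hstsMaxAge` option so readers can find the setting being announced. Keeping this entry and the XML entry word for word in sync would avoid the two diverging later.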


@ -546,10 +546,23 @@ in {
''; '';
}; };
nginx.recommendedHttpHeaders = mkOption { nginx = {
type = types.bool; recommendedHttpHeaders = mkOption {
default = true; type = types.bool;
description = "Enable additional recommended HTTP response headers"; default = true;
description = "Enable additional recommended HTTP response headers";
};
hstsMaxAge = mkOption {
type = types.ints.positive;
default = 15552000;
description = ''
Value for the <code>max-age</code> directive of the HTTP
<code>Strict-Transport-Security</code> header.
See section 6.1.1 of IETF RFC 6797 for detailed information on this
directive and header.
'';
};
}; };
}; };
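Review bot: `type = types.ints.positive` on `hstsMaxAge` rules out `max-age=0`, which section 6.1.1 of RFC 6797 (the very section the description cites) defines as the way to tell a user agent to forget the host's HSTS policy; an operator who needs to back out an HSTS deployment therefore cannot do it through this option. Consider `types.ints.unsigned`, or say explicitly in the description that 0 is deliberately not accepted. The description would also be clearer if it spelled out that the default of 15552000 seconds is 180 days and that the header is only emitted when `services.nextcloud.https` is enabled, since that dependency is otherwise only discoverable by reading the nginx hunk.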
@ -983,7 +996,9 @@ in {
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options sameorigin; add_header X-Frame-Options sameorigin;
add_header Referrer-Policy no-referrer; add_header Referrer-Policy no-referrer;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; ''}
${optionalString (cfg.https) ''
add_header Strict-Transport-Security "max-age=${toString cfg.nginx.hstsMaxAge}; includeSubDomains" always;
''} ''}
client_max_body_size ${cfg.maxUploadSize}; client_max_body_size ${cfg.maxUploadSize};
fastcgi_buffers 64 4K; fastcgi_buffers 64 4K;
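Review bot: moving the `Strict-Transport-Security` line out of the `recommendedHttpHeaders` block and gating it on `cfg.https` alone is a behaviour change for existing deployments that neither release note mentions: a host with `nginx.recommendedHttpHeaders = false` and `https = true` previously sent no HSTS header and now sends one with `includeSubDomains` and a 180-day default, which browsers cache, so plain-HTTP access to every subdomain of the Nextcloud hostname stays blocked for those clients until the policy expires. That consequence deserves a sentence in the release notes and in the option description. Smaller points: `includeSubDomains` remains hard-coded now that `max-age` is configurable, which may be worth a follow-up option, and the parentheses in `${optionalString (cfg.https) ''` are redundant.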