teutat3s
02d578bfa9
Merge branch 'master' into pub.solar
2021-06-27 18:06:08 +02:00
sakkiii
0217644b48
Content-Security-Policy For Element Web
...
https://github.com/vector-im/element-web#configuration-best-practices
2021-06-18 23:27:23 +05:30
teutat3s
8d67ccfae0
Merge branch 'master' into pub.solar
2021-06-18 16:35:44 +02:00
Slavi Pantaleev
963f38ee7b
Upgrade certbot (v1.14.0 -> v1.16.0)
2021-06-10 12:18:42 +03:00
teutat3s
061cf83998
Merge branch 'master' into pub.solar
2021-06-06 15:33:23 +02:00
pushytoxin
bee14550ab
Fix local/bin scripts autocompletion by adding rx perms to everyone
...
It's mildly annoying when trying to execute these scripts while logged
in as a regular user, as the missing execute permissions will hinder
autocompletion even when trying to use with sudo.
These shell scripts don't contain secrets, but may fail when ran by a
regular user. The failure is due to the lack of access to the /matrix
directory, and does not result in any damage.
2021-05-28 10:39:27 +02:00
Slavi Pantaleev
4880dcceb0
Fix OCSP-stapling-related errors due to missing resolver
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
2021-05-28 11:14:33 +03:00
rakshazi
4ddd8bbb84
Updated nginx-proxy (1.20.0 -> 1.21.0)
2021-05-25 17:06:39 +00:00
Slavi Pantaleev
1ed0857019
Fix syntax error
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1024
2021-05-25 11:45:17 +03:00
sakkiii
4a4a7f136e
changes added to hydrogen client
2021-05-25 11:42:51 +05:30
sakkiii
25e67b51d1
Merge branch 'spantaleev:master' into master
2021-05-25 11:40:56 +05:30
sakkiii
3436f9c10a
rename to matrix_nginx_proxy_hsts_preload_enabled
2021-05-25 00:56:59 +05:30
sakkiii
7cc5328ede
Comments & Ref
2021-05-24 17:20:54 +05:30
sakkiii
df2d91970d
matrix_nginx_proxy_xss_protection
2021-05-24 17:02:47 +05:30
teutat3s
3da97e4750
Merge branch 'master' into pub.solar
2021-05-22 17:51:13 +02:00
Slavi Pantaleev
6f80292745
Add OCSP stapling support and other SSL optimizations to Hydrogen vhost
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1061
and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
2021-05-21 13:40:37 +03:00
Slavi Pantaleev
d0de21ab34
Delete Hydrogen nginx configuration file when disabled
2021-05-21 12:58:32 +03:00
Aaron Raimist
04548f8df2
Merge branch 'master' into hydrogen
2021-05-21 04:09:18 -05:00
Aaron Raimist
9437f78c9e
Build using custom config.json, add CSP, update to 0.1.53
2021-05-21 03:45:21 -05:00
teutat3s
431fcfd9d3
Merge branch 'master' into pub.solar
2021-05-19 02:40:02 +02:00
sakkiii
e9b878b9e9
Optimize SSL session
2021-05-18 19:39:43 +05:30
Slavi Pantaleev
e6afa05f7b
Enable OCSP stapling for the federation port
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
Not sure if this is beneficial though.
2021-05-18 08:15:42 +03:00
Slavi Pantaleev
57a6a98a50
Fix incorrect SSL certificate path
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
2021-05-18 07:58:47 +03:00
Slavi Pantaleev
b9c4e8ce16
Merge pull request #1057 from sakkiii/ssl_staple
...
Enable OCSP Stapling
2021-05-18 07:50:35 +03:00
sakkiii
d31b55b2a7
SSL-enabled block only
2021-05-18 03:24:06 +05:30
Slavi Pantaleev
e4dd933cf0
Make missing /_synapse/admin correctly return 404 responses
...
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058
We may try to capture such calls and return a friendlier response (HTML
or JSON) saying "The Synapse Admin API is not enabled", but that may not
be desirable.
For now, we stick to what "upstream" recommends: "simply
don't proxy these APIs", which should lead to the same kind of 404 that
we have now.
See here: 6660912226/docs/reverse_proxy.md (synapse-administration-endpoints)
2021-05-17 11:45:35 +03:00
sakkiii
2c3da6599b
Added warning
2021-05-15 16:07:52 +05:30
sakkiii
0dd4459799
matrix_nginx_proxy_ocsp_stapling_enabled variable added
2021-05-15 16:01:49 +05:30
sakkiii
c05021640d
Enable OCSP Stapling
2021-05-15 15:57:05 +05:30
Aaron Raimist
ca361af616
Add Hydrogen
2021-05-15 04:23:36 -05:00
Jhonas Wernery
f1d6fbce35
Merge branch 'master' into pub.solar
2021-05-11 01:40:47 +02:00
sakkiii
29cf6a0087
Merge branch 'spantaleev:master' into master
2021-05-10 15:10:18 +05:30
sakkiii
bb0810302d
Merge branch 'spantaleev:master' into master
2021-05-07 23:03:55 +05:30
Béla Becker
b10655ebb1
Jitsi XMPP Websocket support
...
Jitsi-meet enabled websockets by default, claiming better reliability.
Matrix-nginx-proxy configuration has been set up according to the
Prosody documentation: https://prosody.im/doc/websocket
2021-05-05 19:10:58 +02:00
Dan Arnfield
cfaa3e598a
Update nginx (1.19.10 -> 1.20.0)
2021-05-03 16:00:11 -05:00
Jhonas Wernery
be8e588001
Merge branch 'master' into pub.solar
2021-05-03 21:58:28 +02:00
sakkiii
40fe6bd5c1
variable matrix_nginx_proxy_hsts_preload_enable added
2021-04-24 20:04:20 +05:30
Slavi Pantaleev
389dc26615
Fix Synapse generic worker balancing
...
Potentially fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1022
2021-04-24 11:52:45 +03:00
sakkiii
5b4fdf9b87
Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy
2021-04-24 12:15:34 +05:30
sakkiii
0ccf0fbf1c
HSTS preload + X-XSS enables
...
**HSTS Preloading:**
In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts ) includes all subdomains, and indicates a willingness to be “preloaded” into browsers:
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
**X-Xss-Protection:**
`1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script.
2021-04-24 12:12:34 +05:30
sakkiii
3564635f0f
Merge branch 'master' into master
2021-04-24 11:46:52 +05:30
sakkiii
29bba5161b
Element More security headers
...
More Production ready nginx headers for Matrix client element.
2021-04-24 11:10:40 +05:30
Slavi Pantaleev
d691cc0920
Move variable definition a bit
2021-04-21 13:59:20 +03:00
Slavi Pantaleev
e00ef04b57
Add opt-out-of-FLoC headers by default
2021-04-21 13:58:24 +03:00
Slavi Pantaleev
4a1739f604
Merge pull request #1007 from teutat3s/fix/nginx-dont-send-version
...
Don't expose nginx version with each response
2021-04-18 21:33:11 +03:00
teutat3s
2bf7c26cfa
Don't expose nginx version with each response
2021-04-18 16:24:13 +02:00
sakkiii
1958d0792d
Update matrix-client-element.conf.j2
2021-04-17 21:33:07 +05:30
sakkiii
b6d45c5fd8
Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy
2021-04-17 21:03:26 +05:30
sakkiii
05042f5ff1
Improve security grafana
...
- duplicate X-Content-Type-Options
- X-Frame-Options header
- Referrer-Policy [Might consider adding variable]
- Secure flag with cookies
- matrix_grafana_content_security_policy variable for [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy )
2021-04-17 21:03:05 +05:30
sakkiii
5dc642ace1
Nginx element web: XSS protection & nosniff header
...
X-XSS-Protection: 1; mode=block; header, for basic XSS protection in legacy browsers.
X-Content-Type-Options: nosniff header, to disable MIME sniffing
2021-04-16 14:45:04 +05:30