From 9c0398a3c1e774e03d39f57e804183ebb06b2434 Mon Sep 17 00:00:00 2001
From: yuri
Date: Tue, 10 Oct 2023 14:19:35 +0200
Subject: [PATCH] Update element-web and clean up configuration

---
 .../virtualHosts/element.nekover.se.nix | 65 +++++++------------
 1 file changed, 23 insertions(+), 42 deletions(-)

diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index 47c2735..f9b78d1 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@@ -1,9 +1,20 @@
 { pkgs, ... }:
 let
+  elementWebVersion = "1.11.46";
   element-web = pkgs.fetchzip {
-    url = "https://github.com/vector-im/element-web/releases/download/v1.11.43/element-v1.11.43.tar.gz";
-    sha256 = "sha256-MxUu5dFf4RL0crQol4hG6gNE+9Qu5/vBWdpf0ENaFV0=";
+    url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
+    sha256 = "sha256-EQ6a8WK8ILYidbS+0FGzI4XQbZFh+M6Y7eZ28YcsIrg=";
   };
+  elementWebSecurityHeaders = ''
+    # Configuration best practices
+    # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Content-Security-Policy "frame-ancestors 'self'";
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+  '';
 in {
   services.nginx.virtualHosts."element.nekover.se" = {
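Review bot: The four new `add_header` lines in `elementWebSecurityHeaders` lack `always`, so nginx emits them only on 2xx/3xx responses and the 50x error page referenced further down in the file goes out without X-Frame-Options, nosniff or the frame-ancestors CSP, while the HSTS line right below already carries it; append it to each of them, e.g. `add_header X-Frame-Options SAMEORIGIN always;`. The string also deserves a comment on why it is spliced into every location's `extraConfig` rather than set once at server level, since nginx drops inherited `add_header` directives as soon as a block declares its own: `# Prepend to every location that defines its own add_header; nginx does not inherit add_header into such blocks.` Note that the shared `frame-ancestors 'self'` replaces the `'none'` that the index.html, /version and /config locations carried before (removed in the following hunk); it agrees with `X-Frame-Options SAMEORIGIN` and the linked upstream guidance, but it is a relaxation the commit message does not mention, so confirm it is intended.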
@@ -16,66 +27,36 @@ in
         ./element-web-config
       ];
     };
-    listen = [
-      {
-        addr = "localhost";
-        port = 1234;
-      } # workaround for enableACME check
-      {
-        addr = "localhost";
-        port = 8443;
-        ssl = true;
-        proxyProtocol = true;
-      }
-    ];
+    listen = [{
+      addr = "localhost";
+      port = 8443;
+      ssl = true;
+      extraParameters = ["proxy_protocol"];
+    }];
     # Set no-cache for the version, config and index.html
     # so that browsers always check for a new copy of Element Web.
     # NB http://your-domain/ and http://your-domain/? are also covered by this
     locations."= /index.html" = {
-      extraConfig = ''
+      extraConfig = elementWebSecurityHeaders + ''
         add_header Cache-Control "no-cache";
-        add_header X-Frame-Options SAMEORIGIN;
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header Content-Security-Policy "frame-ancestors 'none'";
-        add_header Strict-Transport-Security "max-age=63072000" always;
       '';
     };
     locations."= /version" = {
-      extraConfig = ''
+      extraConfig = elementWebSecurityHeaders + ''
         add_header Cache-Control "no-cache";
-        add_header X-Frame-Options SAMEORIGIN;
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header Content-Security-Policy "frame-ancestors 'none'";
-        add_header Strict-Transport-Security "max-age=63072000" always;
       '';
     };
     # covers config.json and config.hostname.json requests as it is prefix.
     locations."/config" = {
-      extraConfig = ''
+      extraConfig = elementWebSecurityHeaders + ''
         add_header Cache-Control "no-cache";
-        add_header X-Frame-Options SAMEORIGIN;
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header Content-Security-Policy "frame-ancestors 'none'";
-        add_header Strict-Transport-Security "max-age=63072000" always;
       '';
     };
-    extraConfig = ''
+    extraConfig = elementWebSecurityHeaders + ''
       index index.html;
-      # Configuration best practices
-      # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
-      add_header X-Frame-Options SAMEORIGIN;
-      add_header X-Content-Type-Options nosniff;
-      add_header X-XSS-Protection "1; mode=block";
-      add_header Content-Security-Policy "frame-ancestors 'self'";
-
-      add_header Strict-Transport-Security "max-age=63072000" always;
-
       # redirect server error pages to the static page /50x.html
       error_page 500 502 503 504 /50x.html;