diff --git a/files/nginx/odk.conf.dev.template b/files/nginx/odk.conf.dev.template
new file mode 100644
index 00000000..c693bf9f
--- /dev/null
+++ b/files/nginx/odk.conf.dev.template
@@ -0,0 +1,64 @@
+server {
+ listen 8989;
+ server_name localhost;
+
+ server_tokens off;
+
+ include /usr/share/odk/nginx/common-headers.conf;
+
+ client_max_body_size 100m;
+
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 1280;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml text/csv;
+
+ location /- {
+ proxy_pass http://localhost:8005;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+
+ # More lax CSP for enketo-express:
+ # Google Maps API: https://developers.google.com/maps/documentation/javascript/content-security-policy
+ add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' blob: https://maps.googleapis.com/maps/ https://maps.google.com/ https://maps.gstatic.com/mapfiles/ https://fonts.gstatic.com/ https://fonts.googleapis.com/; font-src 'self' https://fonts.gstatic.com/; frame-src 'none'; img-src data: blob: jr: 'self' https://maps.google.com/maps/ https://maps.gstatic.com/mapfiles/ https://maps.googleapis.com/maps/; manifest-src 'none'; media-src blob: jr: 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' https://maps.googleapis.com/maps/api/js/ https://maps.google.com/maps/ https://maps.google.com/maps-api-v3/api/js/; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css; style-src-attr 'none'; report-uri /csp-report";
+ #
+ # Rules set to 'none' here would fallback to default-src if excluded.
+ # They are included here to ease interpretation of violation reports.
+ #
+ # Other security headers are identical to those in common-headers.conf;
+ # We can't just include that file here though, as it will set two Content-Security-Policy* headers
+ add_header Referrer-Policy same-origin;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options nosniff;
+ }
+
+ location ~ ^/v\d {
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_pass http://localhost:8383;
+ proxy_redirect off;
+
+ # buffer requests, but not responses, so streaming out works.
+ proxy_request_buffering on;
+ proxy_buffering off;
+ proxy_read_timeout 2m;
+ }
+
+ location / {
+ root /usr/share/nginx/html;
+
+ location /version.txt {
+ include /usr/share/odk/nginx/common-headers.conf;
+ add_header Cache-Control no-cache;
+ }
+ location /index.html {
+ include /usr/share/odk/nginx/common-headers.conf;
+ add_header Cache-Control no-cache;
+ }
+ }
+
+ location /csp-report {
+ proxy_pass https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/api/${SENTRY_PROJECT}/security/?sentry_key=${SENTRY_KEY};
+ }
+}
diff --git a/files/nginx/setup-odk.sh b/files/nginx/setup-odk.sh
index 8e813a1d..856e3044 100644
--- a/files/nginx/setup-odk.sh
+++ b/files/nginx/setup-odk.sh
@@ -15,12 +15,17 @@ if [ "$SSL_TYPE" = "selfsign" ] && [ ! -s "$SELFSIGN_PATH/privkey.pem" ]; then
 -days 3650 -nodes -sha256
 fi
 
+TEMPLATE_PATH=/usr/share/odk/nginx/odk.conf.template
+if [ "$ENV" = "DEV" ]; then
+ TEMPLATE_PATH=/usr/share/odk/nginx/odk.conf.dev.template
+fi
+
 # start from fresh templates in case ssl type has changed
 echo "writing fresh nginx templates..."
 cp /usr/share/odk/nginx/redirector.conf /etc/nginx/conf.d/redirector.conf
 CNAME=$( [ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
 envsubst '$SSL_TYPE $CNAME $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
- < /usr/share/odk/nginx/odk.conf.template \
+ < $TEMPLATE_PATH \
 > /etc/nginx/conf.d/odk.conf
 
 if [ "$SSL_TYPE" = "letsencrypt" ]; then
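Review bot: `proxy_set_header X-Forwarded-Proto https;` in the `location ~ ^/v\d` block is hard-coded while this server only has `listen 8989;` with no TLS, so the backend on 8383 is told that every request arrived over HTTPS. If the backend uses that header to build absolute URLs or to mark session cookies Secure, a browser on plain http://localhost:8989 would follow https links and silently drop those cookies; `proxy_set_header X-Forwarded-Proto $scheme;` reports the real scheme instead. If the backend insists on https and the mismatch is deliberate for dev, a one-line comment saying so would spare the next reader the same question. The same consideration applies to `add_header Strict-Transport-Security "max-age=63072000" always;` in `location /-`, which browsers only honour over TLS and which would pin localhost for two years if this block were ever served over it.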
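Review bot: `< $TEMPLATE_PATH \` is an unquoted redirection; both possible values are fixed paths without whitespace so it works, but `< "$TEMPLATE_PATH" \` is the conventional form and matches how `$SSL_TYPE` and `$DOMAIN` are quoted in the surrounding lines. The `[ "$ENV" = "DEV" ]` test is repeated in the later hunk of this file, so computing it once at the top (a single variable or `case`) would keep the two in step. Note also that `ENV` is the variable POSIX sh consults for its interactive start-up file, so if it is exported into the container with the value `DEV`, an interactive shell started there will try to source a file of that name — harmless here, but a more specific name would avoid it (the variable is set outside this hunk).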
@@ -38,6 +43,11 @@ else
 else
 # remove letsencrypt challenge reply, but keep 80 to 443 redirection
 perl -i -ne 'print if $. < 7 || $. > 14' /etc/nginx/conf.d/redirector.conf
+
+ if [ "$ENV" = "DEV" ]; then
+ rm -f /etc/nginx/conf.d/redirector.conf
+ fi
+
 echo "starting nginx for custom ssl and self-signed certs..."
 fi
 exec nginx -g "daemon off;"
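Review bot: The new `rm -f /etc/nginx/conf.d/redirector.conf` runs right after the `perl -i` edit of the same file, so in DEV the file is trimmed and then deleted; putting the DEV test first, with the perl line in its `else`, avoids the wasted edit. The check also lives only in this non-letsencrypt branch, so an `ENV=DEV` run with `SSL_TYPE=letsencrypt` presumably keeps the redirector (that branch is outside the hunk). Guarding the unconditional `cp ... redirector.conf` earlier in the script with the same test would cover both branches and make the DEV behaviour visible in one place.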