apache: Also configure to serve on /freedombox

This is useful mostly for future when we may switch from /plinth to /freedombox.

Tests:

- Accessing /freedombox/app/transmission works, although redirects generated by
the FreedomBox web service still redirect to /plinth, for example the redirection
after logout and the auto-redirection to the login page.

- Accessing pages of FreedomBox works as usual on /plinth and /freedombox.
Content-Security-Policy is set.

- Accessing /foo/plinth/app/transmission throws 404.

- Accessing http:// redirects to https:// for /plinth and /freedombox.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Sunil Mohan Adapa 2022-07-10 07:54:38 -07:00 committed by James Valleroy
parent f8f7dd22b5
commit d6131df6a8
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808
2 changed files with 10 additions and 6 deletions


@ -7,11 +7,11 @@
## mod_rewrite
## mod_ssl
##
<Location /plinth>
<LocationMatch "^/(plinth|freedombox)">
RewriteEngine on
# Don't redirect for onion sites as it is not needed and leads to
# unnecessary warning.
RewriteCond %{HTTP_HOST} !^.*\.onion$ [NC]
ReWriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Location>
</LocationMatch>
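Review bot: The new pattern `^/(plinth|freedombox)` has no boundary after the prefix, so unlike the `<Location /plinth>` it replaces, it also matches sibling paths such as `/plinthfoo` or `/freedombox-old`. For the HTTPS redirect in this section that is harmless. The same pattern also wraps the Content-Security-Policy, Referrer-Policy and nosniff headers in the second file, where the strict CSP and `sandbox` directive would then apply to any other path that merely starts with one of these words. I would write `<LocationMatch "^/(plinth|freedombox)(/|$)">` in both places to keep the path-segment semantics of `<Location>`, and add a comment such as `# Match /plinth and /freedombox on a path-segment boundary, like <Location>`.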


@ -44,7 +44,6 @@
## other services.
##
RedirectMatch "^/$" "/plinth"
RedirectMatch "^/freedombox" "/plinth"
##
## Disable sending Referer (sic) header from FreedomBox web interface to
@ -79,11 +78,11 @@ RedirectMatch "^/freedombox" "/plinth"
## Disable browser guessing of MIME types. FreedoBox already sets good content
## types for all the common file types.
##
<Location /plinth>
<LocationMatch "^/(plinth|freedombox)">
Header set Referrer-Policy 'same-origin'
Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
Header set X-Content-Type-Options 'nosniff'
</Location>
</LocationMatch>
##
## On all sites, provide FreedomBox on a default path: /plinth
@ -93,7 +92,7 @@ RedirectMatch "^/freedombox" "/plinth"
## mod_proxy
## mod_proxy_http
##
<Location /plinth>
<Location /freedombox>
ProxyPass http://127.0.0.1:8000/plinth
## Send the scheme from user's request to enable Plinth to redirect
## URLs, set cookies, set absolute URLs (if any) properly.
@ -107,6 +106,11 @@ RedirectMatch "^/freedombox" "/plinth"
## https://github.com/jazzband/django-axes/issues/286
RequestHeader unset X-Forwarded-For
</Location>
<Location /plinth>
ProxyPass http://127.0.0.1:8000/plinth
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
RequestHeader unset X-Forwarded-For
</Location>
##
## Serve FreedomBox icon as /favicon.ico for apps that don't present their own