nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-04-15 09:51:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
FreedomBox/data/etc/apache2/conf-available/freedombox.conf
Sunil Mohan Adapa 4fc1844d89
apache: Don't set HSTS for .onion domain 
Fixes: #2174.

When HSTS is set, there is no way to override the certificate warnings. LE does
not yet issue certificates for .onion domains. Certificate warnings are
certainly show there. Although browsers don't accept HSTS headers when the
certificate is invalid, it is best be safe and not set them for .onion domains.

Tests:

- Without the patch, on normal and .onion domains, HSTS is set only when using
HTTPS.

- With the patch, HSTS is set only when using HTTPS but only for normal domains
but not .onion domains.

- The patch works when tested with .onion and .ONION hosts.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-01-30 17:00:54 -05:00

105 lines
4.2 KiB
Plaintext
Raw Blame History

## SPDX-License-Identifier: AGPL-3.0-or-later
##
## DO NOT EDIT. If you do, FreedomBox will not automatically upgrade.
##
## Apache configuration managed by FreedomBox. If customization is needed,
## create a new configuration file with higher priority and override directives.
##
##
## TLS configuration as recommended by Mozilla's SSL Configuration Generator
## with 'Intermediate' configuration. See:
## https://wiki.mozilla.org/Security/Server_Side_TLS
##
<IfModule mod_ssl.c>
# Disable ciphers that are weak or without forward secrecy.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Allow client to choose ciphers as they will know best if they have support
# for hardware-accelerated AES.
SSLHonorCipherOrder off
# TLS session tickets (RFC 5077) require restarting web server with an
# appropriate frequency. See:
# https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets
SSLSessionTickets off
# Send OCSP responses to the client and reduce their round trips.
<IfModule mod_socache_shmcb.c>
SSLUseStapling On
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"
</IfModule>
</IfModule>
##
## Enable HSTS, even for subdomains.
##
<If "%{HTTP_HOST} !~ /^.*\.onion$/i">
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</If>
##
## Redirect traffic on home to /plinth as part of turning the machine
## into FreedomBox server. Plinth then acts as a portal to reach all
## other services.
##
RedirectMatch "^/$" "/plinth"
RedirectMatch "^/freedombox" "/plinth"
##
## Disable sending Referer (sic) header from FreedomBox web interface to
## external websites. This improves privacy by not disclosing FreedomBox
## domains/URLs to external domains. Apps such as blogs which want to popularize
## themselves with referrer header may still do so.
##
## A strict Content Security Policy.
## - @fonts are allowed only from FreedomBox itself.
## - <frame>/<iframe> sources are disabled.
## - <img> sources are allowed only from FreedomBox itself.
## - Manifest file is not allowed as there is none yet.
## - <audio>, <video>, <track> tags are not allowed yet.
## - <object>, <embed>, <applet> tags are not allowed yet.
## - Allow JS from FreedomBox itself (no inline and attribute scripts).
## - Allow inline CSS and CSS files from Freedombox itself.
## - Web worker sources are allowed only from FreedomBox itself (for JSXC).
## - All other fetch sources including Ajax are not allowed from FreedomBox
## itself.
## - <base> tag is not allowed.
## - No plugins types are alllowed since object-src is 'none'.
## - Form action should be to FreedomBox itself.
## - This interface may be not embedded in <frame>, <iframe>, etc. tags.
## - When serving HTTPS, don't allow HTTP assets.
##
## Enable strict sandboxing enabled with some exceptions:
## - Allow running Javascript.
## - Allow popups as sometimes we use <a target=_blank>
## - Allow forms to support configuration forms.
## -
##
## Disable browser guessing of MIME types. FreedoBox already sets good content
## types for all the common file types.
##
<Location /plinth>
Header set Referrer-Policy 'same-origin'
Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
Header set X-Content-Type-Options 'nosniff'
</Location>
##
## Serve FreedomBox icon as /favicon.ico for apps that don't present their own
## icon using <link rel=''>.
##
<Location ~ ^/favicon\.ico$>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule /favicon\.ico$ "/plinth/static/theme/img/favicon.ico" [PT]
</IfModule>
</Location>
##
## Serve SVG files compressed using gzip.
##
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>
Reference in New Issue View Git Blame Copy Permalink