Add support for Content-Security-Policy in images

This commit adds support for the "Content-Security-Policy" header in the
barrel images.
This commit is contained in:
Tom 2023-07-13 23:26:37 +02:00
parent 17d64826df
commit 760aae0dc1
32 changed files with 162 additions and 48 deletions


@ -2,7 +2,7 @@
*
# allow the following files:
!conf/*
!apache.d/*
!scripts/*
!ssh/*
!php.ini.d/*


@ -76,7 +76,7 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
docker-php-source delete
# enable the apache rewrite mod
RUN a2enmod rewrite
RUN a2enmod rewrite headers
# Install composer.
@ -94,6 +94,8 @@ ADD php.ini.d/wisski.ini /usr/local/etc/php/conf.d/wisski.ini
ARG OPCACHE_MODE=prod
ADD php.ini.d/opcache-$OPCACHE_MODE.ini /usr/local/etc/php/conf.d/opcache.ini
ARG CONTENT_SECURITY_POLICY=
ENV CONTENT_SECURITY_POLICY=${CONTENT_SECURITY_POLICY}
# Configure Apache.
@ -102,8 +104,8 @@ RUN rm /etc/apache2/sites-available/*.conf && \
rm /etc/apache2/sites-enabled/*.conf
# Then add the WissKI site
ADD conf/ports.conf /etc/apache2/ports.conf
ADD conf/wisski.conf /etc/apache2/sites-available/wisski.conf
ADD apache.d/conf/ports.conf /etc/apache2/ports.conf
ADD apache.d/sites-available/wisski.conf /etc/apache2/sites-available/wisski.conf
# And enable it
RUN a2ensite wisski
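Review bot: `ENV CONTENT_SECURITY_POLICY=${CONTENT_SECURITY_POLICY}` freezes the policy into the image configuration, so every policy change costs an image rebuild and the value is readable from the image metadata, while the header itself is only produced at request time via PassEnv in wisski.conf, where a container-level environment variable would serve equally well. If the build-time default is deliberate, a comment above `ARG CONTENT_SECURITY_POLICY=` such as `# Baked into the image as a default; an empty value disables the header (see wisski.conf)` would save the next reader from asking. It is also worth confirming that a policy containing spaces and semicolons survives the ARG-to-ENV expansion without quoting, since `ENV key=value` is parsed before substitution and the expanded value is not quoted here.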


@ -19,6 +19,11 @@
Require all granted
</Directory>
# Read the CONTENT_SECURITY_POLICY from the environment!
PassEnv CONTENT_SECURITY_POLICY
Header set Content-Security-Policy %{CONTENT_SECURITY_POLICY}e "expr=-n osenv('CONTENT_SECURITY_POLICY')"
# Don't low to allow ignoring everything
ErrorLog /dev/stderr
CustomLog /dev/stdout combined
</VirtualHost>
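Review bot: `Header set Content-Security-Policy …` runs in the default onsuccess table, so the header is attached only to 2xx/3xx responses; error pages and any application response with a 4xx/5xx status go out without a policy. The mod_headers documentation recommends adding the directive a second time with `always` to cover the other table, i.e. `Header always set Content-Security-Policy %{CONTENT_SECURITY_POLICY}e "expr=-n osenv('CONTENT_SECURITY_POLICY')"` alongside the existing line. Note also that `set` replaces any Content-Security-Policy the PHP application emits for successful responses, which may be intended but deserves a comment such as `# Overrides any CSP header set by the application; leave the variable empty to let the app decide`. The enclosing VirtualHost block starts outside the hunk.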


@ -7,6 +7,8 @@ services:
args:
BARREL_BASE_IMAGE: ${BARREL_BASE_IMAGE}
OPCACHE_MODE: ${OPCACHE_MODE}
CONTENT_SECURITY_POLICY: ${CONTENT_SECURITY_POLICY}
logging:
driver: none


@ -31,8 +31,9 @@ func (barrel *Barrel) Stack() component.StackWithResources {
"DATA_PATH": filepath.Join(barrel.FilesystemBase, "data"),
"RUNTIME_DIR": barrel.Malt.Config.Paths.RuntimeDir(),
"BARREL_BASE_IMAGE": barrel.GetDockerBaseImage(),
"OPCACHE_MODE": barrel.OpCacheMode(),
"BARREL_BASE_IMAGE": barrel.GetDockerBaseImage(),
"OPCACHE_MODE": barrel.OpCacheMode(),
"CONTENT_SECURITY_POLICY": barrel.ContentSecurityPolicy,
},
MakeDirs: []string{"data", ".composer"},
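Review bot: `"CONTENT_SECURITY_POLICY": barrel.ContentSecurityPolicy` hands the field straight through as a build argument that later becomes a raw response header value in wisski.conf, and nothing on the Go side rejects CR/LF or other control characters; I would not rely on the later layers to strip them. Since Stack() returns no error, the check belongs where the field is assigned (not in this hunk), e.g. `if strings.ContainsAny(policy, "\r\n") { return errors.New("content security policy must be a single line") }`. A short comment on the map entry, `// passed to the Dockerfile ARG and emitted verbatim as the CSP header`, would make the trust boundary visible. Barrel.Stack() begins and ends outside the hunk.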


@ -32,6 +32,8 @@ func (smanager *SystemManager) Apply(ctx context.Context, progress io.Writer, sy
return err
}
// TODO: Apply Content-Security-Policy!
// and rebuild
return smanager.Dependencies.Barrel.Build(ctx, progress, start)
}
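Review bot: `// TODO: Apply Content-Security-Policy!` states no concrete gap, while the line directly after it rebuilds the barrel, and the new CONTENT_SECURITY_POLICY build argument wired through Barrel.Stack() in this same commit is what carries the policy into the image, so a rebuild appears to apply it already. If the open point is something else (for example that the running container is not restarted with the new value, or that the change should not require a full image rebuild), the comment should say so, e.g. `// TODO: ContentSecurityPolicy is only applied on the next full barrel rebuild; consider passing it at runtime instead`. SystemManager.Apply() starts outside the hunk.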