From 8ecfabd13690a4216f29f97b8ae0d80edabf83db Mon Sep 17 00:00:00 2001
From: Alexander Olofsson
Date: Tue, 18 Jan 2022 13:03:26 +0100
Subject: [PATCH] element-web: Add security headers to nginx config
Replaces !26
---
 charts/element-web/Chart.yaml | 2 +-
 .../templates/configuration-nginx.yaml | 28 +++++++++++++++++++
 charts/element-web/templates/deployment.yaml | 6 ++++
 charts/element-web/values.yaml | 8 ++++++
 4 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 charts/element-web/templates/configuration-nginx.yaml
diff --git a/charts/element-web/Chart.yaml b/charts/element-web/Chart.yaml
index 421cd19..687d74a 100644
--- a/charts/element-web/Chart.yaml
+++ b/charts/element-web/Chart.yaml
@@ -10,7 +10,7 @@ icon: https://element.io/images/element-logo.svg
 appVersion: 1.9.9
 type: application
-version: 1.0.44
+version: 1.1.0
 maintainers:
 - name: Alexander Olofsson
diff --git a/charts/element-web/templates/configuration-nginx.yaml b/charts/element-web/templates/configuration-nginx.yaml
new file mode 100644
index 0000000..098277b
--- /dev/null
+++ b/charts/element-web/templates/configuration-nginx.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-nginx" (include "element-web.fullname" .) | trunc 63 | trimSuffix "-" }}
+ labels:
+ {{- include "element-web.labels" . | nindent 4 }}
+data:
+ default.conf: |
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name localhost;
+
+ root /usr/share/nginx/html;
+ index index.html;
+
+{{ .Values.nginxConfig | indent 8 }}
+
+ # Set no-cache for the index.html only so that browsers always check for a new copy of Element Web.
+ location = /index.html {
+ add_header Cache-Control "no-cache";
+ }
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ }
diff --git a/charts/element-web/templates/deployment.yaml b/charts/element-web/templates/deployment.yaml
index 82e9750..f13ea2b 100644
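Review bot: The headers injected at server level through `{{ .Values.nginxConfig | indent 8 }}` are not applied to `/index.html`, because the `location = /index.html` block declares its own `add_header Cache-Control "no-cache";` and nginx inherits `add_header` directives from the enclosing level only when the current level declares none. Since `index index.html` internally redirects `/` to that location, the application's main document — the one the framing and content-type headers are meant to protect — would be served without them. Repeating the value inside the location block, e.g. `{{ .Values.nginxConfig | indent 10 }}` after the Cache-Control line, or moving the Cache-Control directive into `nginxConfig` so there is a single set, keeps both. A comment above the location block naming the inheritance rule, e.g. `# add_header is not inherited once a location defines its own; keep the security headers here too`, would stop a later edit from reopening the gap.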
--- a/charts/element-web/templates/deployment.yaml
+++ b/charts/element-web/templates/deployment.yaml
@@ -16,6 +16,7 @@ spec:
 metadata:
 annotations:
 checksum/config: {{ include (print .Template.BasePath "/configuration.yaml") . | sha256sum }}
+ checksum/config-nginx: {{ include (print .Template.BasePath "/configuration-nginx.yaml") . | sha256sum }}
 {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -53,6 +54,8 @@ spec:
 - mountPath: /app/config.json
 name: config
 subPath: config.json
+ - mountPath: /etc/nginx/conf.d
+ name: config-nginx
 {{- with .Values.extraVolumeMounts }}
 {{- . | toYaml | nindent 12 }}
 {{- end }}
@@ -60,6 +63,9 @@ spec:
 - name: config
 configMap:
 name: {{ include "element-web.fullname" . }}
+ - name: config-nginx
+ configMap:
+ name: {{ printf "%s-nginx" (include "element-web.fullname" .) | trunc 63 | trimSuffix "-" }}
 {{- with .Values.extraVolumes }}
 {{- . | toYaml | nindent 8 }}
 {{- end }}
diff --git a/charts/element-web/values.yaml b/charts/element-web/values.yaml
index 0d778ed..15f834a 100644
--- a/charts/element-web/values.yaml
+++ b/charts/element-web/values.yaml
@@ -28,6 +28,14 @@ defaultServer:
 ##
 config: {}
+## Configuration to add into the nginx server object
+##
+nginxConfig: |-
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Content-Security-Policy "frame-ancestors 'none'";
+
 ## Configuration for mounting additional volumes into the application container.
 ##
 extraVolumes: {}
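Review bot: The default `add_header` directives in `nginxConfig` omit the `always` parameter, so nginx attaches them only to successful and redirect responses; the `/50x.html` error page and any 404 would go out without X-Frame-Options or the Content-Security-Policy. Appending `always` to each line, e.g. `add_header X-Frame-Options SAMEORIGIN always;`, makes them unconditional. Separately, `X-XSS-Protection "1; mode=block"` drives a legacy browser XSS auditor that current engines have removed, and current guidance (e.g. OWASP's header recommendations) is to set it to `0` or drop it rather than enable it. Also note that `X-Frame-Options SAMEORIGIN` and `frame-ancestors 'none'` disagree — a browser honouring CSP will refuse even same-origin framing while a legacy one allows it — so if that split is deliberate it is worth spelling out in the `##` comment above `nginxConfig`.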