Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
0b669eaa02
PromucFlow_constructor/deploy/docker/templates/nginx/nginx-app-http.conf.template.sh
Shrikant Sharat Kandula 49a973381e
chore: Add X-Content-Type-Options to all downstream responses (#26128) 
So far, only calls that go to the Java backend, had the
`X-Content-Type-Options` header in the responses. This PR adds them to
all responses by

1. adding it to NGINX configuration.
2. removing it from Spring security's configuration, so we don't end up
with _two_ `X-Content-Type-Options` headers in the response.

---------

Co-authored-by: Nidhi <nidhi@appsmith.com>
2023-08-08 20:26:00 +05:30

124 lines
2.9 KiB
Bash
Raw Blame History

#!/bin/bash
set -o nounset
CUSTOM_DOMAIN="$1"
if [[ -z $CUSTOM_DOMAIN ]]; then
CUSTOM_DOMAIN=_
fi
additional_downstream_headers='
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options "nosniff";
'
cat <<EOF
map \$http_x_forwarded_proto \$origin_scheme {
default \$http_x_forwarded_proto;
'' \$scheme;
}
map \$http_x_forwarded_host \$origin_host {
default \$http_x_forwarded_host;
'' \$host;
}
map \$http_forwarded \$final_forwarded {
default '\$http_forwarded, host=\$host;proto=\$scheme';
'' '';
}
# redirect log to stdout for supervisor to capture
access_log /dev/stdout;
server_tokens off;
server {
listen ${PORT:-80} default_server;
server_name $CUSTOM_DOMAIN;
client_max_body_size 150m;
gzip on;
gzip_types *;
root /opt/appsmith/editor;
index index.html;
error_page 404 /;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
add_header Content-Security-Policy "frame-ancestors ${APPSMITH_ALLOWED_FRAME_ANCESTORS-'self' *}";
$additional_downstream_headers
location /.well-known/acme-challenge/ {
root /appsmith-stacks/data/certificate/certbot;
}
location = /supervisor {
return 301 /supervisor/;
}
location /supervisor/ {
proxy_http_version 1.1;
proxy_buffering off;
proxy_max_temp_file_size 0;
proxy_redirect off;
proxy_set_header Host \$http_host/supervisor/;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$origin_scheme;
proxy_set_header X-Forwarded-Host \$origin_host;
proxy_set_header Connection "";
proxy_pass http://localhost:9001/;
auth_basic "Protected";
auth_basic_user_file /etc/nginx/passwords;
}
proxy_set_header X-Forwarded-Proto \$origin_scheme;
proxy_set_header X-Forwarded-Host \$origin_host;
proxy_set_header Forwarded \$final_forwarded;
location / {
try_files /loading.html \$uri /index.html =404;
}
location ~ ^/static/(js|css|media)\b {
# Files in these folders are hashed, so we can set a long cache time.
add_header Cache-Control "max-age=31104000, immutable"; # 360 days
$additional_downstream_headers
access_log off;
}
# If the path has an extension at the end, then respond with 404 status if the file not found.
location ~ ^/(?!supervisor/).*\.[a-z]+$ {
try_files \$uri =404;
}
location /api {
proxy_read_timeout ${APPSMITH_SERVER_TIMEOUT:-60};
proxy_send_timeout ${APPSMITH_SERVER_TIMEOUT:-60};
proxy_pass http://localhost:8080;
}
location /oauth2 {
proxy_pass http://localhost:8080;
}
location /login {
proxy_pass http://localhost:8080;
}
location /rts {
proxy_pass http://localhost:${APPSMITH_RTS_PORT:-8091};
proxy_http_version 1.1;
proxy_set_header Host \$host;
proxy_set_header Connection 'upgrade';
proxy_set_header Upgrade \$http_upgrade;
}
}
EOF
Reference in New Issue View Git Blame Copy Permalink