updated docs for nginx config with working values

2022-03-18 20:57:05 +00:00
parent 198a65fe67
commit 29e0ee962f
2 changed files with 23 additions and 2 deletions
--- a/devdocs/todo.txt
+++ b/devdocs/todo.txt
@@ -1,8 +1,10 @@
 # now

+proper most secure nginx settings for all ayanova installs?
+keepass proper way to use and how to split for security etc?
 trialing plan for setting up server, do we charge?  how much, what questions do we need answered to set up droplet
 can a site be in a sufolder so I don't need a domain name or key, just hang them all off helloayanova.com/s/siteb?
-	proxy if path?
+	proxy if path? https://stackoverflow.com/questions/26449466/nginx-proxy-pass-to-a-directory


 Key name and passphrase to unlock it
@@ -196,7 +198,9 @@ todo: 2 or 3 category team view color based on user color?
 todo: 2 create workorder, quote, pm from customer record??
 	was that a v7 feature? make it so? v.next?

-
+todo: 2/3 cant' use CSP with ayanova without opening it up considerably and allowing unsafe-inline
+	sounds like it's theoretically possible to work but the fontawesome fonts would need to be static or something and styles would need a nonce and etc
+	
 todo:3 profiler page has columns: Request Start 	Response Start 	Dom Complete which are all empty, somethjing new added that needs to be disabled maybe??


--- a/docs/8.0/ayanova/docs/ops-install-linux-server.md
+++ b/docs/8.0/ayanova/docs/ops-install-linux-server.md
@@ -379,6 +379,12 @@ If you are already using NGINX for other services then a site configuration file
 server {
        server_name   ayanova.example.com www.ayanova.example.com;
    location / {
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header Referrer-Policy "strict-origin" always;
+
        proxy_pass         http://127.0.0.1:7575;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
@@ -434,6 +440,12 @@ server {
    listen        80;
    #server_name   ayanova.example.com;
    location / {
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header Referrer-Policy "strict-origin" always;
+
        proxy_pass         http://127.0.0.1:7575;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
@@ -519,6 +531,11 @@ The NGINX default config file will now have new entries looking something like t
 server {
        server_name   ayanova.example.com;
    location / {
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header Referrer-Policy "strict-origin" always;
        proxy_pass         http://127.0.0.1:7575;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;