PHRAS-3892 set content security policies (csp) as env vars

.env

@@ -71,7 +71,7 @@
 # - "pullAssets"
 # - "recordsActions"
 # - "subdefCreation"
-# - "subtitle" Not working (fixed in a future version)
+# - "subtitle"
 # - "validationReminder"
 # - "webhook"
 # - "writeMetadatas"
@@ -90,7 +90,7 @@
 # - COMPOSE_FILE=docker-compose.yml:docker-compose.datastores.yml:docker-compose.tools.yml:docker-compose.override.yml
 # - COMPOSE_PROFILES=app,setup,db,pma,elasticsearch,redis,redis-session,rabbitmq,workers,mailhog,builder,gateway-classic
 #
-# For testing with tools:
+# For testing with debug:
 # - COMPOSE_FILE=docker-compose.yml:docker-compose.datastores.yml:docker-compose.tools.yml
 # - COMPOSE_PROFILES=app,setup,db,pma,elasticsearch,rabbitmq,redis,redis-session,worker,workers,mailhog,gateway-classic
 #
@@ -106,7 +106,7 @@
 # - COMPOSE_FILE=docker-compose.yml:docker-compose.datastores.yml:docker-compose.tools.yml
 # - COMPOSE_PROFILES=app,setup,gateway-classic,db,elasticsearch,redis,redis-session,rabbitmq,pma,mailhog,assetsInjest,createRecord,deleteRecord,editRecord,
 #                    exportMail,exposeUpload,exportFtp,mainQueue,populateIndex,pullAssets,recordsActions,subdefCreation,
-#                    validationReminder,webhook,writeMetadatas,shareBasket,scheduler,elk,db-backup,phraseanet-saml-sp
+#                    subtitle,validationReminder,webhook,writeMetadatas,shareBasket,scheduler,elk,db-backup,phraseanet-saml-sp
 #
 
 
@@ -194,6 +194,11 @@ GATEWAY_USERS=
 # @run
 GATEWAY_FASTCGI_HTTPS=off
 
+# Content Security Policy (CSP)
+# security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting
+## @run 
+GATEWAY_CSP="default-src 'self' 127.0.0.1 https://apiws.carrick-skills.com:8443 https://apiws.carrick-flow.com:8443 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 data: ;script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 ;style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443;img-src 'self' data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 ; object-src 'self';frame-ancestors 'self'"
+
 # --- RabbitMQ settings ------------------------------------------------------------------------------------------------
 
 # RabbitMQ user account : create an account in RabbitMQ container and use it

docker-compose.yml

@@ -35,6 +35,7 @@ services:
     - GATEWAY_ALLOWED_IPS                      
     - GATEWAY_DENIED_IPS 
     - GATEWAY_USERS
+    - GATEWAY_CSP
     ports:
       - ${PHRASEANET_APP_PORT}:80
     networks:
@@ -68,6 +69,7 @@ services:
     - GATEWAY_DENIED_IPS
     - GATEWAY_USERS
     - GATEWAY_FASTCGI_HTTPS
+    - GATEWAY_CSP
     networks:
       - internal
     labels:
@@ -470,7 +472,6 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
-    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -525,7 +526,6 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
-    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -687,7 +687,6 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
-    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -795,7 +794,6 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
-    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -849,7 +847,6 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
-    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -1014,7 +1011,6 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
-    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -1059,7 +1055,7 @@ services:
         - SSH_PRIVATE_KEY=${PHRASEANET_SSH_PRIVATE_KEY}
         - PHRASEANET_PLUGINS=${PHRASEANET_PLUGINS}
     image: $PHRASEANET_DOCKER_REGISTRY/phraseanet-worker:$PHRASEANET_DOCKER_TAG
-    profiles: ["subtitle"]
+    profiles: ["workers", "subtitle"]
     restart: on-failure
     depends_on:
     - phraseanet

docker/nginx/root/entrypoint.sh

@@ -25,6 +25,16 @@ else
   GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS on;fastcgi_param SERVER_PORT 443;"
 fi
 
+if [ ! -z "$GATEWAY_CSP" ]; then
+  echo "Content Security policies is defined to : $GATEWAY_CSP"
+  envsubst < "/securitycontentpolicies.sample.conf" > /etc/nginx/conf.d/securitycontentpolicies.conf
+else
+  echo "Content Security policies is defined"
+  export GATEWAY_CSP="default-src 'self' 127.0.0.1 https://apiws.carrick-skills.com:8443 https://apiws.carrick-flow.com:8443 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 data: ;script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 ;style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443;img-src 'self' data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 ; object-src 'self';frame-ancestors 'self'"
+  echo "setting Security policies to : " $GATEWAY_CSP
+  envsubst < "/securitycontentpolicies.sample.conf" > /etc/nginx/conf.d/securitycontentpolicies.conf
+fi
+
 cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g"  | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g"  | sed "s/\$NEW_TARGET/$NEW_TARGET/g"  | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" > /etc/nginx/conf.d/default.conf
 cat /fastcgi_timeout.conf  | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" > /etc/nginx/fastcgi_extended_params
 

docker/nginx/root/etc/nginx/nginx.conf

@@ -11,6 +11,7 @@ events {
 
 http {
     include       /etc/nginx/mime.types;
+
     default_type  application/octet-stream;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@@ -23,13 +24,6 @@ http {
     #tcp_nopush     on;
     server_tokens off;
     #gzip  on;
-    ## Security headers for Nginx ##
-    add_header Strict-Transport-Security "max-age=15768000" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Xss-Protection "1; mode=block" always;
-    add_header Referrer-Policy  strict-origin-when-cross-origin;
-    add_header Content-Security-Policy  "default-src 'self' 127.0.0.1 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io data: ;script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com ;style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com ;img-src 'self' data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com ; object-src 'self';frame-ancestors 'self' ";
     include /etc/nginx/conf.d/*.conf;
 
 }

docker/nginx/root/securitycontentpolicies.sample.conf

@@ -0,0 +1,7 @@
+    ## Security headers for Nginx ##
+    add_header Strict-Transport-Security "max-age=15768000" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Xss-Protection "1; mode=block" always;
+    add_header Referrer-Policy  strict-origin-when-cross-origin;
+    add_header Content-Security-Policy  "$GATEWAY_CSP";