From f6a8725e01fa69952331ac307e8d9ce2c204772c Mon Sep 17 00:00:00 2001
From: Klaus Lungwitz
Date: Thu, 5 Dec 2024 12:17:24 -0300
Subject: [PATCH 1/4] Add SSL termination to the explorer
---
 explorer/config/runtime.exs | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/explorer/config/runtime.exs b/explorer/config/runtime.exs
index 2f21e4460..38e4a4a0d 100644
--- a/explorer/config/runtime.exs
+++ b/explorer/config/runtime.exs
@@ -35,11 +35,22 @@ if config_env() == :prod do
   host = System.get_env("PHX_HOST") || "http://localhost:4000"
   port = String.to_integer(System.get_env("PORT") || "4000")
+  port_ssl = String.to_integer(System.get_env("PORT_SSL") || "443")
   config :explorer, :dns_cluster_query, System.get_env("DNS_CLUSTER_QUERY")
   config :explorer, ExplorerWeb.Endpoint,
-    url: [host: host, port: 443, scheme: "https"],
+    url: [
+      scheme: "https",
+      port: port_ssl,
+      host: host
+    ],
+    https: [
+      port: port_ssl,
+      cipher_suite: :strong,
+      keyfile: System.get_env("KEYFILE_PATH"),
+      certfile: System.get_env("CERTFILE_PATH"),
+    ],
     http: [
       # Enable IPv6 and bind on all interfaces.
       # Set it to {0, 0, 0, 0, 0, 0, 0, 1} for local network only access.
From 569b4bad405682b44436f3415d8b585e84ea1373 Mon Sep 17 00:00:00 2001
From: Klaus Lungwitz
Date: Thu, 5 Dec 2024 12:17:36 -0300
Subject: [PATCH 2/4] Make CSP less strict
---
 explorer/lib/explorer_web/router.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/explorer/lib/explorer_web/router.ex b/explorer/lib/explorer_web/router.ex
index db5fcd1b4..e2931b83c 100644
--- a/explorer/lib/explorer_web/router.ex
+++ b/explorer/lib/explorer_web/router.ex
@@ -7,7 +7,7 @@ defmodule ExplorerWeb.Router do
   @content_security_policy (case Mix.env() do
     :prod ->
-      "default-src 'self';connect-src wss://#{@host};img-src 'self' blob:;"
+      "default-src 'self' 'unsafe-inline';connect-src wss://#{@host};img-src https://w3.org blob: data:;"
     _ ->
       "default-src 'self' 'unsafe-eval' 'unsafe-inline';" <>
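Review bot: `keyfile: System.get_env("KEYFILE_PATH")` and `certfile: System.get_env("CERTFILE_PATH")` in the new `https:` block evaluate to `nil` when either variable is unset, so a misconfigured deployment only fails later, when the TLS listener starts, with an error that does not name the missing setting. This is the `:prod` branch of runtime.exs, so fail fast at boot instead: `keyfile: System.fetch_env!("KEYFILE_PATH")` and `certfile: System.fetch_env!("CERTFILE_PATH")`. The existing `http:` listener stays enabled alongside the new `https:` one, so plain-HTTP requests are still served rather than redirected; if TLS-only access is the intent, add `force_ssl: [hsts: true]` to the endpoint config. The `if config_env() == :prod do` block continues outside the hunk.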
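Review bot: Adding `'unsafe-inline'` to `default-src` on the `:prod` branch also relaxes scripts, because no separate `script-src` directive is set and it therefore inherits from `default-src`; inline script blocks and inline event handlers become executable in production, which removes the main XSS mitigation the policy provided. If inline styles are what LiveView needs, scope the relaxation to them: `default-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';connect-src wss://#{@host};...`. The same line drops `'self'` from `img-src`; since `img-src` is listed explicitly it does not fall back to `default-src`, so the explorer's own images will be blocked — keep `img-src 'self' https://w3.org blob: data:`. Patches 3/4 and 4/4 carry this string forward with both issues intact. The `case Mix.env()` expression continues outside the hunk.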
From edf3d26f2c9a14cc1209d71d5ec70ee7d7217045 Mon Sep 17 00:00:00 2001
From: Klaus Lungwitz
Date: Mon, 9 Dec 2024 16:42:07 -0300
Subject: [PATCH 3/4] Add http://raw.githubusercontent.com/ to allowed content in CSP
---
 explorer/lib/explorer_web/router.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/explorer/lib/explorer_web/router.ex b/explorer/lib/explorer_web/router.ex
index e2931b83c..744ef15ef 100644
--- a/explorer/lib/explorer_web/router.ex
+++ b/explorer/lib/explorer_web/router.ex
@@ -7,7 +7,7 @@ defmodule ExplorerWeb.Router do
   @content_security_policy (case Mix.env() do
     :prod ->
-      "default-src 'self' 'unsafe-inline';connect-src wss://#{@host};img-src https://w3.org blob: data:;"
+      "default-src 'self' 'unsafe-inline';connect-src wss://#{@host};img-src https://w3.org http://raw.githubusercontent.com blob: data:;"
     _ ->
       "default-src 'self' 'unsafe-eval' 'unsafe-inline';" <>
From 0b4547ca43c868e55b6291db00f6105dedb0530a Mon Sep 17 00:00:00 2001
From: Klaus Lungwitz
Date: Mon, 9 Dec 2024 17:33:54 -0300
Subject: [PATCH 4/4] Allow images from https://*.github.io
---
 explorer/lib/explorer_web/router.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/explorer/lib/explorer_web/router.ex b/explorer/lib/explorer_web/router.ex
index 744ef15ef..1f8abef23 100644
--- a/explorer/lib/explorer_web/router.ex
+++ b/explorer/lib/explorer_web/router.ex
@@ -7,7 +7,7 @@ defmodule ExplorerWeb.Router do
   @content_security_policy (case Mix.env() do
     :prod ->
-      "default-src 'self' 'unsafe-inline';connect-src wss://#{@host};img-src https://w3.org http://raw.githubusercontent.com blob: data:;"
+      "default-src 'self' 'unsafe-inline';connect-src wss://#{@host};img-src https://w3.org http://raw.githubusercontent.com https://*.github.io blob: data:;"
     _ ->
       "default-src 'self' 'unsafe-eval' 'unsafe-inline';" <>
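Review bot: `http://raw.githubusercontent.com` in `img-src` names a plain-HTTP origin for a page that the production config serves over HTTPS; browsers following CSP3 treat an `http:` source expression as also matching the `https:` origin, so this works only incidentally and reads as if mixed content were intended — write `https://raw.githubusercontent.com`. Both this origin and the `https://*.github.io` wildcard added in patch 4/4 are shared public hosting, so any repository or Pages site can supply images to the explorer; if the assets live under one organisation, narrow the source to a path prefix such as `https://raw.githubusercontent.com/<ORG>/` (placeholder for the owning organisation). The `case Mix.env()` expression continues outside the hunk.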