From 9e13f12a1d747776506fcd36c844c3cc63c342bd Mon Sep 17 00:00:00 2001
From: Stuart MacKay
Date: Sun, 5 Aug 2018 08:19:25 +0100
Subject: [PATCH 1/2] Renamed template for nginx config.
Renamed the file used as a template for the nginx configuration for the site from youtubedl.j2 to nginx_config.js. Why? 1. The name follows the convention for other config related templates, e.g. supervisor_config.j2 2. It is one less thing to change when adapting the playbook to run with another project.
---
roles/nginx/tasks/main.yml | 2 +-
roles/nginx/templates/{youtubeadl.j2 => nginx_config.j2} | 0
2 files changed, 1 insertion(+), 1 deletion(-)
rename roles/nginx/templates/{youtubeadl.j2 => nginx_config.j2} (100%)
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 91b67b5e..e61e59a2 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -19,7 +19,7 @@
when: nginx_strong_dh_group is defined and nginx_strong_dh_group
- name: Create the Nginx configuration file
- template: src={{ application_name }}.j2
+ template: src=nginx_config.j2
dest=/etc/nginx/sites-available/{{ application_name }}
backup=yes
notify: reload nginx
diff --git a/roles/nginx/templates/youtubeadl.j2 b/roles/nginx/templates/nginx_config.j2
similarity index 100%
rename from roles/nginx/templates/youtubeadl.j2
rename to roles/nginx/templates/nginx_config.j2
From d6a9726e7e77f241fd6ba523430097129d5f48cf Mon Sep 17 00:00:00 2001
From: Stuart MacKay
Date: Wed, 24 Jun 2020 13:15:11 +0100
Subject: [PATCH 2/2] Updated nginx config template to match version on master.
When the name of the template was changed to make it application agnostic the contents remained untouched. This commit simply updates the content to match the version from master and so remove the conflicts that are blocking the PR from being merged.
---
roles/nginx/templates/nginx_config.j2 | 59 +++++++++++++++++++++++----
1 file changed, 52 insertions(+), 7 deletions(-)
diff --git a/roles/nginx/templates/nginx_config.j2 b/roles/nginx/templates/nginx_config.j2
index 1f8decae..9d270338 100644
--- a/roles/nginx/templates/nginx_config.j2
+++ b/roles/nginx/templates/nginx_config.j2
@@ -9,13 +9,14 @@ upstream {{ application_name }}_wsgi_server {
server {
listen 80;
server_name {{ nginx_server_name }};
- rewrite ^ https://$server_name$request_uri? permanent;
+ server_tokens off;
+ return 301 https://$server_name$request_uri;
}
server {
- listen 443;
+ listen 443 ssl;
server_name {{ nginx_server_name }};
- ssl on;
+ server_tokens off;
{% if nginx_use_letsencrypt %}
ssl_certificate {{ letsencrypt_dir }}/{{ letsencrypt_cert_filename }};
ssl_certificate_key {{ letsencrypt_dir }}/{{ letsencrypt_privkey_filename }};
@@ -23,17 +24,61 @@ server {
ssl_certificate {{ nginx_ssl_dest_dir }}/{{ application_name }}.crt;
ssl_certificate_key {{ nginx_ssl_dest_dir }}/{{ application_name }}.key;
{% endif %}
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
{% if nginx_strong_dh_group %}
ssl_dhparam /etc/ssl/certs/dhparams.pem;
{% endif %}
- client_max_body_size 4G;
+ # Prevent MIME type sniffing for security
+ add_header X-Content-Type-Options "nosniff";
+
+ # Enable XSS Protection in case user's browser has disabled it
+ add_header X-XSS-Protection "1; mode=block";
+
+
+ # ----------- Recommended headers (without default settings) ----------- #
+ # It is recommended that all web applications set these headers. #
+ # However, this template does not prescribe any defaults. #
+
+ #### Content-Security-Policy ####
+ # Recommended security-conscious defaults:
+ # --------------------- --------------------------------------------------
+ # default-src https: By default, all content must be loaded over HTTPS
+ # form-action 'self' Disallow form submission to external URLs
+ # frame-ancestors 'none' Disable loading the site in a frame (similar to `X-Frame-Options: DENY)
+ #
+ # If all content is self-hosted (no JavaScript, CSS, fonts, etc. loaded from CDNs),
+ # it's wise to use your CSP to prevent content loading from other sources:
+ # script-src: 'self'; style-src: 'self'; font-src: 'self'; media-src: 'self'; object-src: 'self'
+ #
+ # For more information (including additional directives not defined here), see:
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+ #
+ # Alternatively, set Content-Security-Policy-Report-Only to report violations, but not block content loading
+ # add_header Content-Security-Policy "default-src https:; form-action 'self'; frame-ancestors 'none'";
- access_log {{ nginx_access_log_file }};
- error_log {{ nginx_error_log_file }};
+ #### Referrer-Policy ####
+ # Recommended reading on the security concerns behind a default referrer policy:
+ # https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns
+ # Don't leak referring URL when following external links (protects user privacy by reducing tracking opportunities)
+ # Setting "no-referrer" is the most privacy-conscious choice.
+ # However, some frameworks (e.g. Django) rely on same-origin referrer information for CSRF protection
+ #add_header Referrer-Policy "same-origin";
+
+ #### Feature-Policy ####
+ # This experimental header enumerates exactly which browser features your application will and will not use.
+ # Feature policies apply to embedded content and can thus help protect your users from malicious third parties.
+ # Note that there is currently no way to deny all features by default.
+ # The below policy disables all known features at time of writing. Consult MDN for an up-to-date feature list:
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
+ #add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'; vr 'none';";
+
+ # ---------------------- End recommended headers ---------------------- #
+
+
+ client_max_body_size 4G;
location /static/ {
alias {{ nginx_static_dir }};
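Review bot: The `- access_log {{ nginx_access_log_file }};` and `- error_log {{ nginx_error_log_file }};` lines are deleted from the server block and nothing in this hunk re-adds them, so unless master moved them to a part of the template outside this hunk, the per-site access and error logs silently fall back to whatever the http-level nginx.conf sets and the two role variables become dead; that is worth confirming before merge, because the commit message only says the content now mirrors master. The new header block also leaves the 443 server with neither Strict-Transport-Security nor any framing protection (the only frame-ancestors guidance is inside the commented-out Content-Security-Policy), so the new 301 redirect from port 80 is not reinforced by HSTS on later visits and pages remain frameable by default; consider `add_header Strict-Transport-Security "max-age=31536000" always;` and `add_header X-Frame-Options "DENY" always;` alongside the nosniff header. nginx does not merge add_header across levels, so if the `location /static/ {` block below, or any other location outside this hunk, declares its own add_header, these server-level headers are dropped for that location, which deserves a one-line comment at the top of the header block. The enclosing server block begins before this hunk and ends after it.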