diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 87191c8e4..1263c9d33 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME= nginx
-PLUGIN_VERSION= 0.4
+PLUGIN_VERSION= 1.1
 PLUGIN_COMMENT= Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS= nginx
 PLUGIN_MAINTAINER= franz.fabian.94@gmail.com
-PLUGIN_DEVEL= yes
 
 .include "../../Mk/plugins.mk"
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index 28f5eb716..bc9045993 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -278,4 +278,31 @@ class SettingsController extends ApiMutableModelControllerBase
 {
 return $this->setBase('httprewrite', 'http_rewrite', $uuid);
 }
+
+ // http security headers
+ public function searchsecurity_headerAction()
+ {
+ return $this->searchBase('security_header', array('description'));
+ }
+
+ public function getsecurity_headerAction($uuid = null)
+ {
+ $this->sessionClose();
+ return $this->getBase('security_header', 'security_header', $uuid);
+ }
+
+ public function addsecurity_headerAction()
+ {
+ return $this->addBase('security_header', 'security_header');
+ }
+
+ public function delsecurity_headerAction($uuid)
+ {
+ return $this->delBase('security_header', $uuid);
+ }
+
+ public function setsecurity_headerAction($uuid)
+ {
+ return $this->setBase('security_header', 'security_header', $uuid);
+ }
 }
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
index d6a445284..027d7c216 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
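Review bot: `delsecurity_headerAction` removes a profile with a bare `delBase('security_header', $uuid)` and nothing in the hunk checks whether an httpserver entry still references that uuid, so unless `delBase` enforces the relation itself the server would presumably keep a dangling reference and silently stop emitting its security headers until the next validation run; a pre-check that refuses the delete while a server points at the profile, or at least a docblock saying the caller must unlink it first, is worth adding. None of the five new methods carry a docblock; a one-liner each, e.g. `/** search security header profiles, filterable on description */` above `searchsecurity_headerAction`, would make the API surface self-describing. `array('description')` can be written `['description']`. The class body continues above the hunk.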
@@ -49,6 +49,7 @@ class IndexController extends \OPNsense\Base\IndexController
 $this->view->httprewrite = $this->getForm("httprewrite");
 $this->view->naxsi_rule = $this->getForm("naxsi_rule");
 $this->view->naxsi_custom_policy = $this->getForm("naxsi_custom_policy");
+ $this->view->security_headers = $this->getForm("security_headers");
 $this->view->pick('OPNsense/Nginx/index');
 }
 }
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index 1a455d735..67e2eb3c4 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -89,4 +89,9 @@ checkbox Allow the daemon to use the sendfile function. + + httpserver.security_header + + dropdown +
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml
new file mode 100644
index 000000000..78e7c40dd
--- /dev/null
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml
@@ -0,0 +1,547 @@
+
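Review bot: The form is registered under the plural name `security_headers` while the model node, the five API actions in SettingsController and the grid in index.volt all use the singular `security_header`; this is harmless at runtime but every future search for the feature has to know both spellings. Renaming the form file and the dialog id to the singular and writing `$this->view->security_header = $this->getForm("security_header");` keeps one name for one object. The enclosing indexAction starts above the hunk.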
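Review bot: The new `httpserver.security_header` dropdown is the only field in this hunk without help text (the sendfile checkbox right above it has one), so the administrator is not told what choosing a profile does or what leaving it empty means; the XML tags were lost in this rendering, so if a help element exists but was stripped this can be ignored. Suggested help: `Security header profile (Referrer-Policy, HSTS, CSP, ...) whose headers are added to every response of this server; leave empty to send none.` The enclosing form element starts above the hunk.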
+ + security_header.description + + text + This is only for your reference. + + + security_header.referrer + + + dropdown + +
  • Same Origin: The header will be sent if you stay on the same server using the same protocol (no data leak)
  • +
  • No Referrer When Downgrade: Prevents sending a referrer when switching from HTTPS to HTTP
  • +
  • Origin, Strict-Origin: Always send the header but no path or query information. Strict Origin additionally suppressed the header on downgrades.
  • +
  • (Strict) Origin When Cross Origin: Full Referrer on the same origin, and like (Strict) Origin when cross domain.
  • +
  • Unsafe URL: Sends the full URL to all pages
  • + ]]>
    +
    + + security_header.xssprotection + + + dropdown + +
  • Block: The browser should block the response
  • +
  • Off: Allow Anything
  • +
  • On: The Browser decides how to handle it.
  • + ]]>
    +
    + + security_header.content_type_options + + checkbox + + + security_header.strict_transport_security_time + + text + A time in seconds in which the transport security (TLS) should be enforced. + + + security_header.strict_transport_security_include_subdomains + + checkbox + If checked, also subdomains are affected. + + + security_header.hpkp_keys + + select_multiple + + true + Mozilla Wiki. + It is not recommended to use this feature with short lived certificates.]]> + + + security_header.hpkp_report_only + + checkbox + If you only want to test it, you can check this box (policy will be deployed but not enforced). + + + security_header.hpkp_time + + text + + + security_header.hpkp_include_subdomains + + checkbox + If checked, also subdomains are affected. + + + security_header.enable_csp + + checkbox + If checked, the CSP is enabled. + + + header + + + + security_header.csp_default_src_enabled + + checkbox + If checked, this part of the CSP is enabled. + + + security_header.csp_default_src_data_urls + + Data URLs are used to embed files into HTML (for example images written directly into the src attribute). + checkbox + + + security_header.csp_default_src_http_urls + + select_multiple + true + + Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs. + You can use wildcards here like https://*.exmaple.com. + + + security_header.csp_default_src_inline + + checkbox + Checking this directive allows to use scripts or styles directly embedded in in the HTML content. + Examples are the script and the style tags. + + + security_header.csp_default_src_eval + + checkbox + Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS. + + + security_header.csp_default_src_self + + checkbox + Allows everything from the same site (path can differ, but host, protocol and port need to be the same). + + + security_header.csp_default_src_blob + + checkbox + Allows to use blobs as a data source. 
This usually is content, which is somehow generated in JavaScript. + + + security_header.csp_default_src_mediastream + + checkbox + + + security_header.csp_default_src_filesystem + + checkbox + + + security_header.csp_default_src_none + + checkbox + If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden. + + + header + + + + security_header.csp_script_src_enabled + + checkbox + If checked, this part of the CSP is enabled. + + + security_header.csp_script_src_data_urls + + Data URLs are used to embed files into HTML (for example images written directly into the src attribute). + checkbox + + + security_header.csp_script_src_http_urls + + select_multiple + true + + Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs. + You can use wildcards here like https://*.exmaple.com. + + + security_header.csp_script_src_inline + + checkbox + Checking this directive allows to use scripts or styles directly embedded in in the HTML content. + Examples are the script and the style tags. + + + security_header.csp_script_src_eval + + checkbox + Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS. + + + security_header.csp_script_src_self + + checkbox + Allows everything from the same site (path can differ, but host, protocol and port need to be the same). + + + security_header.csp_script_src_blob + + checkbox + Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript. + + + security_header.csp_script_src_mediastream + + checkbox + + + security_header.csp_script_src_filesystem + + checkbox + + + security_header.csp_script_src_none + + checkbox + If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden. + + + header + + + + security_header.csp_img_src_enabled + + checkbox + If checked, this part of the CSP is enabled. 
+ + + security_header.csp_img_src_data_urls + + Data URLs are used to embed files into HTML (for example images written directly into the src attribute). + checkbox + + + security_header.csp_img_src_http_urls + + select_multiple + true + + Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs. + You can use wildcards here like https://*.exmaple.com. + + + security_header.csp_img_src_inline + + checkbox + Checking this directive allows to use scripts or styles directly embedded in in the HTML content. + Examples are the script and the style tags. + + + security_header.csp_img_src_eval + + checkbox + Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS. + + + security_header.csp_img_src_self + + checkbox + Allows everything from the same site (path can differ, but host, protocol and port need to be the same). + + + security_header.csp_img_src_blob + + checkbox + Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript. + + + security_header.csp_img_src_mediastream + + checkbox + + + security_header.csp_img_src_filesystem + + checkbox + + + security_header.csp_img_src_none + + checkbox + If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden. + + + header + + + + security_header.csp_style_src_enabled + + checkbox + If checked, this part of the CSP is enabled. + + + security_header.csp_style_src_data_urls + + Data URLs are used to embed files into HTML (for example images written directly into the src attribute). + checkbox + + + security_header.csp_style_src_http_urls + + select_multiple + true + + Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs. + You can use wildcards here like https://*.exmaple.com. 
+ + + security_header.csp_style_src_inline + + checkbox + Checking this directive allows to use scripts or styles directly embedded in in the HTML content. + Examples are the script and the style tags. + + + security_header.csp_style_src_eval + + checkbox + Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS. + + + security_header.csp_style_src_self + + checkbox + Allows everything from the same site (path can differ, but host, protocol and port need to be the same). + + + security_header.csp_style_src_blob + + checkbox + Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript. + + + security_header.csp_style_src_mediastream + + checkbox + + + security_header.csp_style_src_filesystem + + checkbox + + + security_header.csp_style_src_none + + checkbox + If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden. + + + header + + + + security_header.csp_media_src_enabled + + checkbox + If checked, this part of the CSP is enabled. + + + security_header.csp_media_src_data_urls + + Data URLs are used to embed files into HTML (for example images written directly into the src attribute). + checkbox + + + security_header.csp_media_src_http_urls + + select_multiple + true + + Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs. + You can use wildcards here like https://*.exmaple.com. + + + security_header.csp_media_src_inline + + checkbox + Checking this directive allows to use scripts or styles directly embedded in in the HTML content. + Examples are the script and the style tags. + + + security_header.csp_media_src_eval + + checkbox + Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS. + + + security_header.csp_media_src_self + + checkbox + Allows everything from the same site (path can differ, but host, protocol and port need to be the same). 
+ + + security_header.csp_media_src_blob + + checkbox + Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript. + + + security_header.csp_media_src_mediastream + + checkbox + + + security_header.csp_media_src_filesystem + + checkbox + + + security_header.csp_media_src_none + + checkbox + If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden. + + + header + + + + security_header.csp_font_src_enabled + + checkbox + If checked, this part of the CSP is enabled. + + + security_header.csp_font_src_data_urls + + Data URLs are used to embed files into HTML (for example images written directly into the src attribute). + checkbox + + + security_header.csp_font_src_http_urls + + select_multiple + true + + Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs. + You can use wildcards here like https://*.exmaple.com. + + + security_header.csp_font_src_inline + + checkbox + Checking this directive allows to use scripts or styles directly embedded in in the HTML content. + Examples are the script and the style tags. + + + security_header.csp_font_src_eval + + checkbox + Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS. + + + security_header.csp_font_src_self + + checkbox + Allows everything from the same site (path can differ, but host, protocol and port need to be the same). + + + security_header.csp_font_src_blob + + checkbox + Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript. + + + security_header.csp_font_src_mediastream + + checkbox + + + security_header.csp_font_src_filesystem + + checkbox + + + security_header.csp_font_src_none + + checkbox + If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden. 
+ + + header + + + + security_header.csp_form_action_enabled + + checkbox + If checked, this part of the CSP is enabled. + + + security_header.csp_form_action_data_urls + + Data URLs are used to embed files into HTML (for example images written directly into the src attribute). + checkbox + + + security_header.csp_form_action_http_urls + + select_multiple + true + + Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs. + You can use wildcards here like https://*.exmaple.com. + + + security_header.csp_form_action_inline + + checkbox + Checking this directive allows to use scripts or styles directly embedded in in the HTML content. + Examples are the script and the style tags. + + + security_header.csp_form_action_eval + + checkbox + Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS. + + + security_header.csp_form_action_self + + checkbox + Allows everything from the same site (path can differ, but host, protocol and port need to be the same). + + + security_header.csp_form_action_blob + + checkbox + Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript. + + + security_header.csp_form_action_mediastream + + checkbox + + + security_header.csp_form_action_filesystem + + checkbox + + + security_header.csp_form_action_none + + checkbox + If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden. + +
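Review bot: The help texts in this form carry several copy errors that ship straight to the administrator: `https://*.exmaple.com` (should be `example.com`) in every `*_http_urls` field, `Strict Origin additionally suppressed the header` (should be `suppresses`) in the referrer help, and `embedded in in the HTML content` in every `*_inline` field. The `csp_form_action_*` fields reuse the help written for the source directives, but form-action restricts where forms may be submitted, so `Allow loading files over HTTP(S)` and `allows to use scripts or styles directly embedded` describe something that directive does not do; a form-action-specific wording such as `Allow forms on this site to be submitted to these origins` is needed there. The HPKP help should also state that a wrong or stale pin locks returning visitors out for the full `hpkp_time`, which is the practical reason behind the existing short-lived-certificate warning. The form offers `hpkp_report_only` but no report-only switch for the CSP, although the template at the end of the change tests `security_rule.csp_report_only`; if that option exists in the model it cannot be reached from this form, and a `csp_report_only` checkbox next to `enable_csp` would close the gap.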
    diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml index 8ef5a9098..fe06656c1 100644 --- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml +++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml @@ -1,5 +1,6 @@ //OPNsense/Nginx + 1.1.0 nginx web server, reverse proxy and waf @@ -459,6 +460,18 @@ 1 Y + + + + + Selected security rule not found + N + N + @@ -484,5 +497,336 @@ + + + Y + + + N + + No Referrer + No Referrer When Downgrading + Same Origin (recommended) + Origin + Strict Origin + Strict Origin When Cross Origin + Origin When Cross Origin + Unsafe URL + + N + + + N + + Block + Off + On + + N + + + Y + + + N + + + Y + 1 + + + N + /[a-z0-9\+\/=]+(,[a-z0-9\+\/=]+)*/i + + + Y + + + N + + + Y + + + Y + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + N + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + N + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + N + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + N + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + N + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + N + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + N + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + + Y + 0 + + diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt index b1d8109f9..877e9cf33 100644 --- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt +++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt 
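Review bot: The relation validation message `Selected security rule not found` calls the object a "security rule" while the model node, the form and the menu entry (`Security Headers`) call it a security header profile, so when the message surfaces in the httpserver dialog there is nothing named "rule" to look for. `Selected security header profile not found` keeps the terms aligned. The httpserver node this hunk extends starts and ends outside the hunk.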
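Review bot: The only mask in the security_header model hunk, `/[a-z0-9\+\/=]+(,[a-z0-9\+\/=]+)*/i`, which from the field order appears to belong to `hpkp_keys`, accepts any base64-looking string of any length, so a truncated or mistyped pin passes validation and, once HPKP is deployed, locks browsers out of the site for the configured `hpkp_time`. A SHA-256 pin is a fixed-length base64 value, so a per-item pattern along the lines of `[A-Za-z0-9+\/]{43}=` (constructed, verify against the pins you actually generate) would catch the common mistakes before they reach the nginx config. Field types are not visible in this rendering, so whether `strict_transport_security_time` and `hpkp_time` are integer fields cannot be checked here; if they are plain text fields, non-numeric input would end up in the generated config and should be constrained in the model rather than in the template.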
@@ -96,6 +96,7 @@ $( document ).ready(function() { 'httpserver', 'httprewrite', 'custompolicy', + 'security_header', 'naxsirule'].forEach(function(element) { $("#grid-" + element).UIBootgrid( { 'search':'/api/nginx/settings/search' + element, @@ -149,6 +150,9 @@ $( document ).ready(function() {
  • {{ lang._('Naxsi WAF Rule')}}
  • +
  • + {{ lang._('Security Headers')}} +
  • @@ -367,6 +371,27 @@ $( document ).ready(function() { +
    + + + + + + + + + + + + + + + +
    {{ lang._('Description') }}{{ lang._('Commands') }}
    + + +
    +
    @@ -380,3 +405,4 @@ $( document ).ready(function() { {{ partial("layout_partials/base_dialog",['fields': httprewrite,'id':'httprewritedlg', 'label':lang._('Edit URL Rewrite')]) }} {{ partial("layout_partials/base_dialog",['fields': naxsi_custom_policy,'id':'custompolicydlg', 'label':lang._('Edit WAF Policy')]) }} {{ partial("layout_partials/base_dialog",['fields': naxsi_rule,'id':'naxsiruledlg', 'label':lang._('Edit Naxsi Rule')]) }} +{{ partial("layout_partials/base_dialog",['fields': security_headers,'id':'security_headersdlg', 'label':lang._('Edit Security Headers')]) }} diff --git a/www/nginx/src/opnsense/scripts/nginx/csp_report.php b/www/nginx/src/opnsense/scripts/nginx/csp_report.php new file mode 100644 index 000000000..45770492f --- /dev/null +++ b/www/nginx/src/opnsense/scripts/nginx/csp_report.php @@ -0,0 +1,23 @@ + 0 %} +{# only append non-empty #} +{% do hash_csp.update({csp_category: current_list}) %} +{% endif %} +{% endif %} +{% endfor %} + add_header Content-Security-Policy{% if security_rule.csp_report_only %}-Report-Only{% endif %} "{% + for key, value in hash_csp.items() %}{{ key }} {{ value|join(' ') }}; {% endfor %}{# + #} report-uri /opnsense-report-csp-violation" always; +{% endif %} \ No newline at end of file