This is an automated email from the ASF dual-hosted git repository. sebb pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/attic-docker.git
The following commit(s) were added to refs/heads/main by this push:
new 140fc3a Always apply CSP
140fc3a is described below
commit 140fc3a0f05cbc40526d92a0cfa57fba41073351
Author: Sebb <s...@apache.org>
AuthorDate: Mon Apr 14 17:32:03 2025 +0100
Always apply CSP
---
README.md | 3 ---
compose.yaml | 3 ++-
config/000-default.conf | 13 ++++++++-----
3 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index d0f5c2a..bc22cb2 100644
--- a/README.md
+++ b/README.md
@@ -15,9 +15,6 @@ This is shown as /path/to/website in the following descriptions
To enable/disable the Attic banner, create/delete the directory: /path/to/website/_ATTIC
-To enable/disable Content-Security-Policy, create/delete the directory:
-/path/to/website/_CSP
-
To process download cgi pages, you will need access to the closer_cgi/files directory in the private infrastructure-p6 repository. If not available, such pages will fail to load, but the site should otherwise work OK.
diff --git a/compose.yaml b/compose.yaml
index 12a6902..86539e1 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -5,7 +5,8 @@ services:
ports:
- "8000:80"
volumes:
- # Pick up the Lua scripts etc
+ # Pick up the closer.lua script etc.
+ # (e.g. set this to a checkout of infrastructure-p6/modules/closer_cgi/files)
- ${VAR_DYN:-.}:/var/www/dyn
# Needs to match xxx.apache.org or closer.lua reverts to default template
- ${VAR_HTML:-./www}:/var/www/site.apache.org
diff --git a/config/000-default.conf b/config/000-default.conf
index b7d9d68..91ff9d3 100644
--- a/config/000-default.conf
+++ b/config/000-default.conf
@@ -4,6 +4,14 @@ # This is mapped at run-time
DocumentRoot /var/www/site.apache.org
+ # Always set CSP; ensure this agrees with TLP version
+ Header set Content-Security-Policy "default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ https://www.communityovercode.org/ https://*.apache.org/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://*.apache.org/ https://apache.org/; style-src 'self' 'unsafe-inline' data: https://*.apache.org/ https://apache.org/; frame-ancestors 'self'; frame-src 'self' data: blob:; img-src 'self' data: https://*.apache.org/ https://apache.org/ https: [...]
+
+ # Allow .htaccess Header set CSP
+ <Directory /var/www/site.apache.org/>
+ AllowOverride FileInfo
+ </Directory>
+
LuaScope thread
LuaCodeCache stat
@@ -25,11 +33,6 @@ </FilesMatch>
</Directory>
-
- <If "-d '/var/www/site.apache.org/_CSP'">
- Header set Content-Security-Policy "default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ https://www.communityovercode.org/ https://analytics.apache.org/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://*.apache.org/ https://apache.org/; style-src 'self' 'unsafe-inline' data: https://*.apache.org/ https://apache.org/; frame-ancestors 'self'; frame-src 'self' data: blob:; img-src 'self' data: https://*.apache.org/ https://apa [...]
- </If>
-
# Filter website to add Attic header if marker directory is present
LuaOutputFilter attic "/etc/apache2/conf-enabled/attic_filter.lua" output_filter
<If "-d '/var/www/site.apache.org/_ATTIC'">
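Review bot: `AllowOverride FileInfo` in the added `<Directory /var/www/site.apache.org/>` block grants `.htaccess` files in the checked-out site tree much more than the `Header` directive the comment says it is for — FileInfo also enables `RewriteRule`, `Redirect`, `SetHandler`/`AddHandler`, `Action` and `ErrorDocument` from content — so the least-privilege form is `AllowOverride None` followed by `AllowOverrideList Header`, which permits exactly that one directive. Separately, the new `Header set Content-Security-Policy ...` line applies only to successful responses, so error pages (404/403/5xx) are served without the policy; `Header always set Content-Security-Policy ...` covers both response tables, assuming the TLP configuration this is meant to agree with does the same, which is worth confirming. The policy keeps `'unsafe-inline'` and `'unsafe-eval'` in script-src, which largely neutralises CSP's script protection; that is carried over from the removed `<If "-d .../_CSP">` block in the second hunk rather than introduced here, but a one-line comment saying which site content requires them would help the next maintainer tighten it. The policy value is truncated (`[...]`) in the email, so its tail could not be reviewed.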