      Improve security by restricting the usage of the response. · d9356ab8
      nimrod authored
      The service echoes the message from the request back in its reply. This
      is a potential attack vector: the reply body is attacker-controlled yet
      is served from a shore.co.il origin, so the following precautions are
      taken:
      
      - Limit the request length to limit the usefulness of the response.
      - Set the response MIME type to plain text and set the
        `X-Content-Type-Options` header to `nosniff` so the browser won't
        guess the content type.
      - Set CORS headers.
    docker-compose.yml 1.86 KiB
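    ---
    # Reverse proxy plus vouch-proxy (OAuth2 auth gateway) for the *.shore.co.il
    # hosts. Only `proxy` publishes ports; `vouch` has no `ports:` entry and is
    # reachable solely over the `shore` network, so every external request is
    # terminated by the proxy first.
    version: '3.5'
    services:
      proxy:
        # Image is built locally from ./ (Dockerfile not shown on this page).
        build:
          context: ./
        # command: ["nginx", "-g", "daemon off;"]
        # NOTE(review): the `&hostname` anchor that used to sit on this value was
        # never referenced (`*hostname` appears nowhere in the file), so it has
        # been dropped; the parsed value is unchanged.
        hostname: nextcloud.shore.co.il
        networks:
          default:
            aliases:
              - nextcloud.shore.co.il
              - git.shore.co.il
              - lam.shore.co.il
              - mta-sts.shore.co.il
        # The only published ports in this stack. Kept quoted: an unquoted
        # `a:b` pair is parsed as a base-60 integer by YAML 1.1 loaders.
        ports:
          - '80:80'
          - '443:443'
        restart: always
        # Every bind mount is read-only (`:ro`): ACME challenge directories and
        # static content are only served, and a compromised proxy process cannot
        # rewrite them or the TLS material. The `site` and `mail` private keys
        # are still readable inside this container, so host permissions on
        # /var/ssl must stay tight and this container should be treated as
        # holding those secrets.
        volumes:
          - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
          - '/var/www/mail.shore.co.il/.well-known/acme-challenge:/var/www/mail.shore.co.il/.well-known/acme-challenge:ro'
          - '/var/www/www.shore.co.il/blog:/var/www/www.shore.co.il/blog:ro'
          - '/var/www/www.shore.co.il/resume:/var/www/www.shore.co.il/resume:ro'
          - '/var/ssl/site.key:/var/ssl/site.key:ro'
          - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
          - '/var/ssl/mail.key:/var/ssl/mail.key:ro'
          - '/var/ssl/mail.crt:/var/ssl/mail.crt:ro'
          - '/var/ssl/dhparams:/var/ssl/dhparams:ro'

      vouch:
        # Secrets are substituted from the environment (`.env` or the shell) when
        # the stack is brought up, so nothing secret is committed here; keep the
        # `.env` file out of version control. The `pragma: allowlist secret`
        # markers tell a detect-secrets style scanner these lines are
        # placeholders, not literal credentials.
        environment:
          OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize
          OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth
          OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}"
          # yamllint disable-line rule:line-length
          OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}"  # pragma: allowlist secret
          OAUTH_PROVIDER: nextcloud
          # NOTE(review): `email.profile` looks like a typo for `email,profile`
          # (vouch reads this as a comma-separated list). Left untouched because
          # this page does not show which scopes the Nextcloud OAuth2 app
          # honours — verify before changing.
          OAUTH_SCOPES: 'openid,email.profile'
          OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token
          # yamllint disable-line rule:line-length
          OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json
          # NOTE(review): per the vouch docs `domains` both scopes the auth
          # cookie and, absent a whitelist, acts as the e-mail-domain allow-list,
          # i.e. any Nextcloud account with a @shore.co.il address is accepted —
          # confirm that is the intended audience.
          VOUCH_DOMAINS: shore.co.il
          VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}"  # pragma: allowlist secret
        # Pinned to an explicit version tag rather than `latest` so upgrades are
        # deliberate; pinning by digest would additionally guard against the tag
        # being re-pushed. No `ports:` on purpose — only the proxy may reach it.
        image: registry.hub.docker.com/voucher/vouch-proxy:alpine-0.23.1
        restart: always

    networks:
      default:
        name: shore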