diff options
-rw-r--r-- | config/default.yaml | 7 | ||||
-rw-r--r-- | config/production.yaml.example | 6 | ||||
-rw-r--r-- | server.ts | 16 | ||||
-rw-r--r-- | server/initializers/checker-after-init.ts | 6 | ||||
-rw-r--r-- | server/initializers/checker-before-init.ts | 1 | ||||
-rw-r--r-- | server/initializers/constants.ts | 6 | ||||
-rw-r--r-- | server/middlewares/csp.ts | 10 | ||||
-rw-r--r-- | support/docker/production/config/custom-environment-variables.yaml | 3 |
8 files changed, 36 insertions, 19 deletions
diff --git a/config/default.yaml b/config/default.yaml index 1f6046a1b..6c339e66d 100644 --- a/config/default.yaml +++ b/config/default.yaml | |||
@@ -96,6 +96,11 @@ redundancy: | |||
96 | # strategy: 'recently-added' # Cache recently added videos | 96 | # strategy: 'recently-added' # Cache recently added videos |
97 | # min_views: 10 # Having at least x views | 97 | # min_views: 10 # Having at least x views |
98 | 98 | ||
99 | csp: | ||
100 | enabled: false | ||
101 | report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk! | ||
102 | report_uri: | ||
103 | |||
99 | cache: | 104 | cache: |
100 | previews: | 105 | previews: |
101 | size: 500 # Max number of previews you want to cache | 106 | size: 500 # Max number of previews you want to cache |
@@ -182,8 +187,6 @@ instance: | |||
182 | "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:" | 187 | "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:" |
183 | 188 | ||
184 | services: | 189 | services: |
185 | # You can provide a reporting endpoint for Content Security Policy violations | ||
186 | csp-logger: | ||
187 | # Cards configuration to format video in Twitter | 190 | # Cards configuration to format video in Twitter |
188 | twitter: | 191 | twitter: |
189 | username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published | 192 | username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published |
diff --git a/config/production.yaml.example b/config/production.yaml.example index ae8fb2d51..c227d5fcc 100644 --- a/config/production.yaml.example +++ b/config/production.yaml.example | |||
@@ -97,6 +97,12 @@ redundancy: | |||
97 | # strategy: 'recently-added' # Cache recently added videos | 97 | # strategy: 'recently-added' # Cache recently added videos |
98 | # min_views: 10 # Having at least x views | 98 | # min_views: 10 # Having at least x views |
99 | 99 | ||
100 | csp: | ||
101 | enabled: false | ||
102 | report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk! | ||
103 | report_uri: | ||
104 | |||
105 | |||
100 | ############################################################################### | 106 | ############################################################################### |
101 | # | 107 | # |
102 | # From this point, all the following keys can be overridden by the web interface | 108 | # From this point, all the following keys can be overridden by the web interface |
@@ -55,13 +55,15 @@ app.set('trust proxy', CONFIG.TRUST_PROXY) | |||
55 | // Security middleware | 55 | // Security middleware |
56 | import { baseCSP } from './server/middlewares' | 56 | import { baseCSP } from './server/middlewares' |
57 | 57 | ||
58 | app.use(baseCSP) | 58 | if (CONFIG.CSP.ENABLED) { |
59 | app.use(helmet({ | 59 | app.use(baseCSP) |
60 | frameguard: { | 60 | app.use(helmet({ |
61 | action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts | 61 | frameguard: { |
62 | }, | 62 | action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts |
63 | hsts: false | 63 | }, |
64 | })) | 64 | hsts: false |
65 | })) | ||
66 | } | ||
65 | 67 | ||
66 | // ----------- Database ----------- | 68 | // ----------- Database ----------- |
67 | 69 | ||
diff --git a/server/initializers/checker-after-init.ts b/server/initializers/checker-after-init.ts index 955d55206..53124f9ec 100644 --- a/server/initializers/checker-after-init.ts +++ b/server/initializers/checker-after-init.ts | |||
@@ -34,6 +34,12 @@ async function checkActivityPubUrls () { | |||
34 | // Return an error message, or null if everything is okay | 34 | // Return an error message, or null if everything is okay |
35 | function checkConfig () { | 35 | function checkConfig () { |
36 | 36 | ||
37 | // Moved configuration keys | ||
38 | if (config.has('services.csp-logger')) { | ||
39 | logger.warn('services.csp-logger configuration has been renamed to csp.report_uri. Please update your configuration file.') | ||
40 | } | ||
41 | |||
42 | // Email verification | ||
37 | if (!Emailer.isEnabled()) { | 43 | if (!Emailer.isEnabled()) { |
38 | if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) { | 44 | if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) { |
39 | return 'Emailer is disabled but you require signup email verification.' | 45 | return 'Emailer is disabled but you require signup email verification.' |
diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts index 230fdd356..2567d957b 100644 --- a/server/initializers/checker-before-init.ts +++ b/server/initializers/checker-before-init.ts | |||
@@ -15,6 +15,7 @@ function checkMissedConfig () { | |||
15 | 'storage.redundancy', 'storage.tmp', 'storage.playlists', | 15 | 'storage.redundancy', 'storage.tmp', 'storage.playlists', |
16 | 'log.level', | 16 | 'log.level', |
17 | 'user.video_quota', 'user.video_quota_daily', | 17 | 'user.video_quota', 'user.video_quota_daily', |
18 | 'csp.enabled', 'csp.report_only', 'csp.report_uri', | ||
18 | 'cache.previews.size', 'admin.email', 'contact_form.enabled', | 19 | 'cache.previews.size', 'admin.email', 'contact_form.enabled', |
19 | 'signup.enabled', 'signup.limit', 'signup.requires_email_verification', | 20 | 'signup.enabled', 'signup.limit', 'signup.requires_email_verification', |
20 | 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist', | 21 | 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist', |
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts index 0ede45620..0d9a6a512 100644 --- a/server/initializers/constants.ts +++ b/server/initializers/constants.ts | |||
@@ -229,6 +229,11 @@ const CONFIG = { | |||
229 | STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies')) | 229 | STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies')) |
230 | } | 230 | } |
231 | }, | 231 | }, |
232 | CSP: { | ||
233 | ENABLED: config.get<boolean>('csp.enabled'), | ||
234 | REPORT_ONLY: config.get<boolean>('csp.report_only'), | ||
235 | REPORT_URI: config.get<boolean>('csp.report_uri') | ||
236 | }, | ||
232 | ADMIN: { | 237 | ADMIN: { |
233 | get EMAIL () { return config.get<string>('admin.email') } | 238 | get EMAIL () { return config.get<string>('admin.email') } |
234 | }, | 239 | }, |
@@ -300,7 +305,6 @@ const CONFIG = { | |||
300 | get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') } | 305 | get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') } |
301 | }, | 306 | }, |
302 | SERVICES: { | 307 | SERVICES: { |
303 | get 'CSP-LOGGER' () { return config.get<string>('services.csp-logger') }, | ||
304 | TWITTER: { | 308 | TWITTER: { |
305 | get USERNAME () { return config.get<string>('services.twitter.username') }, | 309 | get USERNAME () { return config.get<string>('services.twitter.username') }, |
306 | get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') } | 310 | get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') } |
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts index 5fa9d1ab5..404e33b43 100644 --- a/server/middlewares/csp.ts +++ b/server/middlewares/csp.ts | |||
@@ -18,22 +18,20 @@ const baseDirectives = Object.assign({}, | |||
18 | frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed | 18 | frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed |
19 | workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src | 19 | workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src |
20 | }, | 20 | }, |
21 | CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}, | 21 | CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, |
22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} | 22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} |
23 | ) | 23 | ) |
24 | 24 | ||
25 | const baseCSP = helmet.contentSecurityPolicy({ | 25 | const baseCSP = helmet.contentSecurityPolicy({ |
26 | directives: baseDirectives, | 26 | directives: baseDirectives, |
27 | browserSniff: false, | 27 | browserSniff: false, |
28 | reportOnly: true | 28 | reportOnly: CONFIG.CSP.REPORT_ONLY |
29 | }) | 29 | }) |
30 | 30 | ||
31 | const embedCSP = helmet.contentSecurityPolicy({ | 31 | const embedCSP = helmet.contentSecurityPolicy({ |
32 | directives: Object.assign(baseDirectives, { | 32 | directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }), |
33 | frameAncestors: ['*'] | ||
34 | }), | ||
35 | browserSniff: false, // assumes a modern browser, but allows CDN in front | 33 | browserSniff: false, // assumes a modern browser, but allows CDN in front |
36 | reportOnly: true | 34 | reportOnly: CONFIG.CSP.REPORT_ONLY |
37 | }) | 35 | }) |
38 | 36 | ||
39 | // --------------------------------------------------------------------------- | 37 | // --------------------------------------------------------------------------- |
diff --git a/support/docker/production/config/custom-environment-variables.yaml b/support/docker/production/config/custom-environment-variables.yaml index 8604939aa..bd4ac1215 100644 --- a/support/docker/production/config/custom-environment-variables.yaml +++ b/support/docker/production/config/custom-environment-variables.yaml | |||
@@ -111,6 +111,3 @@ instance: | |||
111 | name: "PEERTUBE_INSTANCE_NAME" | 111 | name: "PEERTUBE_INSTANCE_NAME" |
112 | description: "PEERTUBE_INSTANCE_DESCRIPTION" | 112 | description: "PEERTUBE_INSTANCE_DESCRIPTION" |
113 | terms: "PEERTUBE_INSTANCE_TERMS" | 113 | terms: "PEERTUBE_INSTANCE_TERMS" |
114 | |||
115 | services: | ||
116 | csp-logger: "PEERTUBE_SERVICES_CSPLOGGER" | ||