From b22190416684e8ed57aa380c89083985eb0d9a4b Mon Sep 17 00:00:00 2001
From: Patrick Spek <p.spek@tyil.nl>
Date: Sat, 22 May 2021 10:06:01 +0200
Subject: Move some hidden stuff to the src dir

---
 src/.docker/envvars.sh    | 14 ++++++++++++++
 src/.docker/lighttpd.conf | 29 +++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 src/.docker/envvars.sh
 create mode 100644 src/.docker/lighttpd.conf

(limited to 'src/.docker')

diff --git a/src/.docker/envvars.sh b/src/.docker/envvars.sh
new file mode 100644
index 0000000..71f47e1
--- /dev/null
+++ b/src/.docker/envvars.sh
@@ -0,0 +1,14 @@
+#! /usr/bin/env sh
+
+main()
+{
+	mkvar intendedHost "${INTENDED_HOST:-localhost}"
+	mkvar intendedHostProto "${INTENDED_HOST_PROTO:-http}"
+}
+
+mkvar()
+{
+	printf 'var.%s="%s"\n' "$1" "$2"
+}
+
+main "$@"
diff --git a/src/.docker/lighttpd.conf b/src/.docker/lighttpd.conf
new file mode 100644
index 0000000..1b480ca
--- /dev/null
+++ b/src/.docker/lighttpd.conf
@@ -0,0 +1,29 @@
+server.modules += (
+	"mod_setenv",
+	"mod_redirect",
+)
+
+setenv.add-response-header = (
+	"Content-Security-Policy" => "default-src 'self'; img-src https:; object-src 'self'; script-src 'self'; style-src 'self'",
+	"Referrer-Policy" => "no-referrer",
+	"X-Content-Type-Options" => "nosniff",
+	"X-Frame-Options" => "SAMEORIGIN",
+	"X-Permitted-Cross-Domain-Policies" => "none",
+	"X-XSS-Protection" => "1; mode=block",
+)
+
+include_shell "/usr/local/bin/lighttpd-env.sh"
+
+# Redirect to the "official" domain
+$HTTP["host"] != var.intendedHost {
+	$HTTP["url"] !~ "^/.well-known" {
+		url.redirect = ( "^/(.*)" => var.intendedHostProto + "://" + var.intendedHost + "/$1" )
+	}
+}
+
+# Add CORS header for WKP
+$HTTP["url"] =~ "^/.well-known/openpgpkey" {
+	setenv.add-response-header = (
+		"Access-Control-Allow-Origin" => "*",
+	)
+}
-- 
cgit v1.1