- duplicate X-Content-Type-Options - X-Frame-Options header - Referrer-Policy [Might consider adding variable] - Secure flag with cookies - matrix_grafana_content_security_policy variable for [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)pull/1005/head
| @@ -31,6 +31,12 @@ matrix_grafana_anonymous_access_org_name: 'Main Org.' | |||||
| matrix_grafana_default_admin_user: admin | matrix_grafana_default_admin_user: admin | ||||
| matrix_grafana_default_admin_password: admin | matrix_grafana_default_admin_password: admin | ||||
| # Set to true to add the Content-Security-Policy header to your requests. | |||||
| # CSP allows to control resources that the user agent can load and helps | |||||
| # prevent XSS attacks. | |||||
| # [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) | |||||
| matrix_grafana_content_security_policy: true | |||||
| # A list of extra arguments to pass to the container | # A list of extra arguments to pass to the container | ||||
| matrix_grafana_container_extra_arguments: [] | matrix_grafana_container_extra_arguments: [] | ||||
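Review bot: The new comment block above `matrix_grafana_content_security_policy: true` documents the toggle but not what policy it turns on; as far as the hunk shows, the role exposes only the on/off switch, and the actual directives come from Grafana's own default `content_security_policy_template` (the same settings section the link points at), which a reader of this defaults file cannot tell. A short note would save operators a surprise when a plugin or custom datasource is blocked by the default policy, e.g. `# The policy itself is Grafana's default content_security_policy_template; this role does not expose it.` The rest of the defaults file is outside the hunk, so I cannot confirm no such variable exists elsewhere.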
| @@ -5,6 +5,9 @@ admin_user = "{{ matrix_grafana_default_admin_user }}" | |||||
| # default admin password, can be changed before first start of grafana, or in profile settings | # default admin password, can be changed before first start of grafana, or in profile settings | ||||
| admin_password = """{{ matrix_grafana_default_admin_password }}""" | admin_password = """{{ matrix_grafana_default_admin_password }}""" | ||||
| # specify content_security_policy to add the Content-Security-Policy header to your requests | |||||
| content_security_policy = "{{ matrix_grafana_content_security_policy }}" | |||||
| [auth.anonymous] | [auth.anonymous] | ||||
| # enable anonymous access | # enable anonymous access | ||||
| enabled = {{ matrix_grafana_anonymous_access }} | enabled = {{ matrix_grafana_anonymous_access }} | ||||
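Review bot: The added `content_security_policy = "{{ matrix_grafana_content_security_policy }}"` wraps an Ansible boolean in quotes, while the existing `enabled = {{ matrix_grafana_anonymous_access }}` line in the same hunk renders its boolean bare. Jinja renders a Python boolean as `True`/`False`, so the quoted form yields the string `"True"`; Grafana's ini parser most likely accepts that spelling, but the inconsistency makes it look like a deliberate string setting, and a quoted value is where a future copy-paste of a non-boolean would silently go wrong. For consistency with the `enabled` line, which is already known to work here, I would write `content_security_policy = {{ matrix_grafana_content_security_policy }}`.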
| @@ -3,9 +3,13 @@ | |||||
| {% macro render_vhost_directives() %} | {% macro render_vhost_directives() %} | ||||
| gzip on; | gzip on; | ||||
| gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; | gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; | ||||
| add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | |||||
| add_header X-Content-Type-Options nosniff; | |||||
| add_header X-Frame-Options SAMEORIGIN; | |||||
| add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | |||||
| # duplicate X-Content-Type-Options & X-Frame-Options header | |||||
| # Enabled by grafana by default | |||||
| # add_header X-Content-Type-Options nosniff; | |||||
| # add_header X-Frame-Options SAMEORIGIN; | |||||
| add_header Referrer-Policy "strict-origin-when-cross-origin"; | |||||
| proxy_cookie_path / "/; HTTPOnly; Secure"; | |||||
| {% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} | {% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} | ||||
| {{- configuration_block }} | {{- configuration_block }} | ||||
| {% endfor %} | {% endfor %} | ||||
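Review bot: The added `proxy_cookie_path / "/; HTTPOnly; Secure";` bolts cookie attributes on at the proxy, which duplicates what Grafana already emits for its session cookie (the hunk's own comment notes Grafana sets its security headers itself) and can produce a cookie with the attribute repeated; the canonical spelling is also `HttpOnly`, even though browsers match attribute names case-insensitively. The same outcome is more robust if set at the source, via Grafana's `[security]` `cookie_secure` option in the grafana.ini template touched by this commit, leaving nginx to proxy the cookie unchanged. Separately, the HSTS line now carries `preload`, which differs from the removed line only in that flag: `preload` is a commitment that this host's `includeSubDomains` policy may be baked into browser preload lists and cannot be cleanly withdrawn, so for a per-service vhost I would drop it unless the operator explicitly intends to submit the domain, i.e. `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. Note also that `add_header Referrer-Policy` lacks `always`, so it is omitted on error responses, and whether any of these `add_header` lines survive depends on the `location` blocks rendered later in this macro, which ends outside the hunk.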