
Support for custom feature policy HTTP header in Nginx

Open jessuppi opened this issue 2 years ago • 4 comments

This is an issue we knew would eventually need to be discussed, and here it is being requested:

https://slickstack.io/forum/topic/feature-policy-header-blocking-camera-request

It gets to a bigger issue which is better support for "sub-config" files added under e.g. /etc/nginx/conf.d/ however, the official Nginx.com docs suggest feature-specific files which doesn't really apply to SlickStack since it's mostly just http... their docs suggest child config files for e.g. http, events, stream, etc.

Ref: https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/

I think we need to be even narrower than that for SlickStack. For example maybe featurepolicy.conf to focus specifically on that HTTP header, since other HTTP headers will likely remain hardcoded in SlickStack...

jessuppi avatar Apr 26 '23 09:04 jessuppi

Since we are using a unique Nginx server blocks directory /var/www/sites/ we probably should ensure that any custom child config files are in a subdirectory there to avoid confusion.

For example like:

/var/www/sites/custom/

jessuppi avatar Apr 26 '23 09:04 jessuppi

I was going back and forth on this but I don't think custom is a good subdirectory name. It sounds like maybe users could replace default server blocks with their own but that's not true, it's just for Nginx includes only.

So I'm proceeding with calling this /var/www/sites/includes/

https://github.com/littlebizzy/slickstack/commit/91ac5a6470d2ae9a8dd1af28b24c1c46dc08601f

After a few Google searches it looks like Roots Trellis uses a similar folder name nginx-includes so that's good, at least some similar naming helps the community.

Ref: https://roots.io/trellis/docs/nginx-includes/

Still pending integration with SlickStack installer scripts and the main Nginx config file...

jessuppi avatar Apr 26 '23 09:04 jessuppi

See here:

## pending testing ##
# include /var/www/sites/includes/featurepolicy.conf;

For better security/control perhaps we can include specific child includes only as they become approved by the community instead of just a wildcard include...

https://github.com/littlebizzy/slickstack/blob/master/modules/nginx/nginx-conf.txt

jessuppi avatar Apr 26 '23 09:04 jessuppi

https://forum.nginx.org/read.php?11,256135

Hi, you may use the include directive with some glob() pattern tricks

For instance, replace this

include /path/to/something/nonexisting.conf

with

include /path/to/something/nonexisting[.]conf

the config parser won't complain if such file does not exist.

Not sure if still relevant.

jessuppi avatar Apr 26 '23 09:04 jessuppi

Related: https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/

jessuppi avatar Apr 10 '24 09:04 jessuppi

New default Permissions Policy submodule called perms-policy.conf

https://github.com/littlebizzy/slickstack/blob/master/modules/nginx/includes/perms-policy-conf.txt

You can now customize this in SlickStack. Simply edit your own file under /var/www/sites-includes/perms-policy.conf and SlickStack will validate that file during installation... if it's missing the string add_header Permissions-Policy then our default submodule will be installed in that file location instead.

Ref: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-install-nginx-config.txt

jessuppi avatar Apr 10 '24 10:04 jessuppi
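As an added example that is not part of this issue thread and not SlickStack's own ss-install-nginx-config script, the validation rule described in the last comment (keep a custom include only if it contains the string `add_header Permissions-Policy`, otherwise install a default in that location) written as a small POSIX shell function. The default header value, the function names and the temp-directory paths are constructed for the demo; the real default submodule lives in perms-policy-conf.txt and is not reproduced here.

```shell
#!/bin/sh
# Added example (not SlickStack's own installer code): validate a user-supplied
# Permissions-Policy include file and fall back to a default when it is missing
# or does not carry the required directive. Paths are parameters so nothing
# here touches /var/www; the demo at the bottom runs in a temp directory.

# Constructed sample default (assumption: the real submodule differs).
DEFAULT_PERMS_POLICY='add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;'

# Returns 0 when the include file exists and contains the required directive.
# Single quotes keep the space in the pattern from splitting the grep argument.
perms_policy_is_valid() {
    f="$1"
    [ -f "$f" ] && grep -q 'add_header Permissions-Policy' "$f"
}

# Ensures a usable include file at $1: a valid custom file is left untouched,
# anything else is overwritten with the default. Prints which action was taken.
ensure_perms_policy() {
    f="$1"
    if perms_policy_is_valid "$f"; then
        echo "custom"
        return 0
    fi
    mkdir -p "$(dirname "$f")"
    printf '%s\n' "$DEFAULT_PERMS_POLICY" > "$f"
    echo "default"
}

# Stand-alone demo with constructed inputs.
demo_dir="$(mktemp -d)"
custom="$demo_dir/sites-includes/perms-policy.conf"
mkdir -p "$(dirname "$custom")"
# A custom file that carries the header: kept as-is.
printf '%s\n' 'add_header Permissions-Policy "camera=(self)" always;' > "$custom"
ensure_perms_policy "$custom"
# A file without the header: replaced by the default.
printf '%s\n' '# nothing useful here' > "$demo_dir/sites-includes/broken.conf"
ensure_perms_policy "$demo_dir/sites-includes/broken.conf"
rm -rf "$demo_dir"
```

The check is deliberately a plain substring match, as the comment describes; it confirms the directive is present, not that the header value is well-formed, so `nginx -t` still has to run after the include is written.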