Merge branch 'trunk' into sysdig_pipeline_scanning

ideacrew · Sep 27, 2024 · 86f2832 · 86f2832
2 parents 0e6571a + cda5cf8
commit 86f2832
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 12 deletions.
diff --git a/.docker/config/nginx.conf b/.docker/config/nginx.conf
@@ -1,24 +1,43 @@
 server {
     listen 80;
     server_name API_URL;
+
+    more_clear_headers Server;
+
     location / {
         return 301 https://$host$request_uri;
     }
 }
 server {
-    listen 443 ssl;
-    server_name API_URL;
-    client_max_body_size 2G;
-    keepalive_timeout 300s;
+   listen 443 ssl;
+   server_name API_URL;
+   client_max_body_size 2G;
+   keepalive_timeout 300s;
+
+   ssl_certificate /etc/ssl/ssl_cert.pem;
+   ssl_certificate_key /etc/ssl/ssl_key.pem;
+
+   ssl_session_cache    shared:SSL:1m;
+   ssl_session_timeout  5m;
+
+   ssl_ciphers  HIGH:!aNULL:!MD5;
+   ssl_prefer_server_ciphers  on;
 
-    ssl_certificate /etc/ssl/ssl_cert.pem;
-    ssl_certificate_key /etc/ssl/ssl_key.pem;
+   more_clear_headers Server;
 
-    ssl_session_cache    shared:SSL:1m;
-    ssl_session_timeout  5m;
+   set $csp "default-src 'self' https;";
+   set $csp "${csp} script-src 'self' 'unsafe-inline' https https://tagmanager.google.com https://www.googletagmanager.com https://apps.usw2.pure.cloud *.fontawesome.com *.google-analytics.com;";
+   set $csp "${csp} style-src 'self' 'unsafe-inline' https https://tagmanager.google.com https://www.googletagmanager.com https://fonts.googleapis.com *.fontawesome.com;";
+   set $csp "${csp} style-src-elem 'self' 'unsafe-inline' https https://fonts.googleapis.com;";
+   set $csp "${csp} font-src 'self' *.gstatic.com  *.fontawesome.com;";
+   set $csp "${csp} connect-src 'self' https://*.cme.openhbx.org https://*.coverme.gov";
 
-    ssl_ciphers  HIGH:!aNULL:!MD5;
-    ssl_prefer_server_ciphers  on;
+   more_set_headers "Content-Security-Policy: ${csp}";
+   more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains";
+   more_set_headers "X-Frame-Options: SAMEORIGIN";
+   more_set_headers "X-Content-Type-Options: nosniff";
+   more_set_headers "X-XSS-Protection: 1; mode=block";
+   more_set_headers "Referrer-Policy: strict-origin";
 
    location ^~ /admin/ {
         proxy_set_header  Host $http_host;

diff --git a/.docker/production/Dockerfile.gha b/.docker/production/Dockerfile.gha
@@ -62,6 +62,8 @@ RUN mkdir $HOME \
 # Configure app home directory
 WORKDIR $HOME
 
+RUN mkdir /etc/infra
+
 ENV RAILS_ENV=production
 ENV NODE_ENV=production
 
@@ -109,4 +111,6 @@ COPY --chown=$USERNAME:$USERNAME . $HOME
 COPY --chown=$USERNAME:$USERNAME ./.docker/config/credentials.yml.enc $HOME/config
 COPY --chown=$USERNAME:$USERNAME ./.docker/config/master.key $HOME/config
 
-USER $USERNAME
+RUN echo '[ ! -z "$TERM" -a -r /etc/infra/motd ] && cat /etc/infra/motd' >> /etc/bash.bashrc
+
+USER $USERNAME
diff --git a/.docker/production/Dockerfile.web b/.docker/production/Dockerfile.web
@@ -5,6 +5,9 @@
 # base image
 FROM node:12.10.0 as build
 
+RUN echo "deb http://archive.debian.org/debian stretch main" > /etc/apt/sources.list
+RUN echo "deb http://archive.debian.org/debian-security stretch/updates main" >> /etc/apt/sources.list
+
 # install chrome for protractor tests
 RUN apt-get update && apt-get install
 
@@ -39,13 +42,16 @@ RUN npm run "build:prod:$CLIENT"
 ############
 
 # base image
-FROM nginx:1.16.0-alpine
+FROM nginx:1.22
+
+RUN apt-get update && apt-get install nginx-extras -y
 
 # copy artifact build from the 'build environment'
 COPY --from=build /app/dist /usr/share/nginx/html
 
 # copy nginx configuration
 ARG API_URL
+
 COPY ./.docker/config/nginx.conf /etc/nginx/conf.d/$API_URL.conf
 RUN sed -i -r "s/API_URL/$API_URL/g" /etc/nginx/conf.d/$API_URL.conf