http_sec_fetch with http_referrer fallback

2026-03-30 23:03:03 -07:00 · 2026-01-28 02:13:04 +00:00
parent fed621f690
commit 2bd80d19db
7 changed files with 69 additions and 9 deletions
--- a/install/production-filesystem/services/config/nginx/netalertx.conf.template
+++ b/install/production-filesystem/services/config/nginx/netalertx.conf.template
@@ -94,6 +94,19 @@ http {
 	access_log /tmp/log/nginx-access.log main;


+    # Map 1: The Legacy Logic (Referer Match)
+    map "$http_referer|$http_host" $sec_legacy {
+        "~^https?://(?<ref_host>[^/:]+)(?::\d+)?/.*\|\k<ref_host>(?::\d+)?$" "TRUSTED";
+        default "UNTRUSTED";
+    }
+
+    # Map 2: Strict Same-Origin Enforcement
+    map $http_sec_fetch_site $is_trusted {
+        "same-origin" "TRUSTED";
+        ""            $sec_legacy; # Fallback only if header is missing
+        default       "UNTRUSTED"; # Blocks 'same-site' and 'cross-site'
+    }
+
 	# Virtual host config
    server {
        listen ${LISTEN_ADDR}:${PORT} default_server;
@@ -102,6 +115,30 @@ http {
        index index.php;
        add_header X-Forwarded-Prefix "/app" always;

+        location /server/ {
+            # 1. Enforcement
+            if ($is_trusted != "TRUSTED") {
+                return 403;
+            }
+
+            # 2. Path Rewriting & Proxy
+            rewrite ^/server/(.*)$ /$1 break;
+            proxy_pass http://127.0.0.1:${BACKEND_PORT};
+
+            # 3. Performance & SSE (Per #1440)
+            proxy_buffering off;
+            proxy_cache off;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            client_max_body_size 50m;
+			proxy_read_timeout 3600s;
+
+            # 4. Standard Proxy Headers
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }

        location ~* \.php$ {
            # Set Cache-Control header to prevent caching on the first load
--- a/install/production-filesystem/services/start-nginx.sh
+++ b/install/production-filesystem/services/start-nginx.sh
@@ -42,9 +42,32 @@ if [ "$(id -u)" -eq 0 ]; then
    NGINX_USER_DIRECTIVE="user root;"
 fi

+# ------------------------------------------------------------------
+# BACKEND_PORT RESOLUTION
+# ------------------------------------------------------------------
+# Priority 1: APP_CONF_OVERRIDE (parsed via jq)
+# Priority 2: GRAPHQL_PORT env var
+# Priority 3: Default 20212
+
+# Default
+export BACKEND_PORT=20212
+
+# Check env var
+if [ -n "${GRAPHQL_PORT:-}" ]; then
+    export BACKEND_PORT="${GRAPHQL_PORT}"
+fi
+
+# Check override (highest priority)
+if [ -n "${APP_CONF_OVERRIDE:-}" ]; then
+    override_port=$(echo "${APP_CONF_OVERRIDE}" | jq -r '.GRAPHQL_PORT // empty')
+    if [ -n "${override_port}" ]; then
+        export BACKEND_PORT="${override_port}"
+    fi
+fi
+
 # Shell check doesn't recognize envsubst variables
 # shellcheck disable=SC2016
-if envsubst '${LISTEN_ADDR} ${PORT} ${NGINX_USER_DIRECTIVE}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${TEMP_CONFIG_FILE}" 2>/dev/null; then
+if envsubst '${LISTEN_ADDR} ${PORT} ${NGINX_USER_DIRECTIVE} ${BACKEND_PORT}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${TEMP_CONFIG_FILE}" 2>/dev/null; then
 	mv "${TEMP_CONFIG_FILE}" "${SYSTEM_SERVICES_ACTIVE_CONFIG_FILE}"
 else
 	echo "Note: Unable to write to ${SYSTEM_SERVICES_ACTIVE_CONFIG_FILE}. Using default configuration."