diff --git a/docker/nginx/root/entrypoint.sh b/docker/nginx/root/entrypoint.sh
index 4e34a96573..cfb87b5f6a 100755
--- a/docker/nginx/root/entrypoint.sh
+++ b/docker/nginx/root/entrypoint.sh
@@ -18,7 +18,8 @@ if [ ! -z "$GATEWAY_FASTCGI_HTTPS" ]; then
 GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS $GATEWAY_FASTCGI_HTTPS;"
 else
 echo "NO GATEWAY_FASTCGI_HTTPS is defined"
- GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS on;"
+ GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS on;fastcgi_param SERVER_PORT 443;"
+
 fi
 cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g" | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g" | sed "s/\$NEW_TARGET/$NEW_TARGET/g" | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" > /etc/nginx/conf.d/default.conf
diff --git a/docker/nginx/root/etc/nginx/nginx.conf b/docker/nginx/root/etc/nginx/nginx.conf
index 3f63ac6da6..7b0147edbf 100755
--- a/docker/nginx/root/etc/nginx/nginx.conf
+++ b/docker/nginx/root/etc/nginx/nginx.conf
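Review bot: The added `fastcgi_param SERVER_PORT 443;` lives only in the fallback branch, so an operator who sets GATEWAY_FASTCGI_HTTPS explicitly gets the HTTPS flag forwarded but not the port override, and PHP will observe a different SERVER_PORT depending on whether the variable happened to be set. If the gateway always terminates TLS on 443, emit the port in both branches or give it its own variable, e.g. `GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS $GATEWAY_FASTCGI_HTTPS;fastcgi_param SERVER_PORT 443;"` in the first branch. The message `echo "NO GATEWAY_FASTCGI_HTTPS is defined"` no longer says what the default now does; `echo "GATEWAY_FASTCGI_HTTPS not set, defaulting to HTTPS on and SERVER_PORT 443"` would. The value is then spliced unescaped into the `sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g"` replacement on the following line; the hard-coded default is safe, but a user-supplied value containing `/` or `&` would break or alter the generated default.conf, so that branch deserves a comment or a check.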
@@ -23,13 +23,13 @@ http {
 #tcp_nopush on;
 server_tokens off;
 #gzip on;
- ## Security headers for Nginx ##
+ ## Security headers for Nginx ##
 add_header Strict-Transport-Security "max-age=15768000" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Xss-Protection "1; mode=block" always;
 add_header Referrer-Policy strict-origin-when-cross-origin;
- add_header Content-Security-Policy "default-src 'self' * 127.0.0.1 data: ;script-src 'unsafe-inline' 'unsafe-eval' 'self' data: https://www.google.com http://www.google-analytics.com/gtm/js https://*.gstatic.com https://ajax.googleapis.com;style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.google.com https://www.gstatic.com;img-src 'self' data:";
+ add_header Content-Security-Policy "default-src 'self' 127.0.0.1 https://fonts.gstatic.com data: ;script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com ;style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com;img-src 'self' data:; object-src 'self';frame-ancestors 'self' ";
 include /etc/nginx/conf.d/*.conf;
 }
diff --git a/docker/phraseanet/php.ini.sample b/docker/phraseanet/php.ini.sample
index 13d59d1872..838de12fe6 100644
--- a/docker/phraseanet/php.ini.sample
+++ b/docker/phraseanet/php.ini.sample
@@ -1330,6 +1330,9 @@ session.save_handler = $SESSION_SAVE_HANDLER
 ; http://php.net/session.save-path
 session.save_path = $SESSION_SAVE_PATH
+session.hash_bits_per_character = 6
+session.hash_function = 1
+
 ; Whether to use strict session mode.
 ; Strict session mode does not accept uninitialized session ID and regenerate
 ; session ID if browser sends uninitialized session ID. Strict mode protects
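Review bot: The rewritten Content-Security-Policy still carries 'unsafe-inline' and 'unsafe-eval' in script-src, so removing the `*` from default-src narrows where scripts may be fetched from but does not stop an injected inline script from executing; if the application cannot yet run without them, a comment saying so and naming the plan to move to nonces or hashes would help the next reader. The directive is also, apart from Referrer-Policy, the only header in this block without `always`, so nginx will omit it on error responses; suggested: `add_header Content-Security-Policy "..." always;` with the same value. `127.0.0.1` in default-src is a scheme-less host source and therefore also matches plain-http loopback; if it exists only for local development it is worth a comment, as are the trailing spaces before `;script-src` and the closing quote, which suggest the value was hand-edited.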
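Review bot: `session.hash_function` and `session.hash_bits_per_character` were removed in PHP 7.1 (superseded by `session.sid_length` and `session.sid_bits_per_character`), so on a 7.1 or later runtime the two new lines are ignored and the image keeps the default session-ID generation; the PHP version is not visible in this diff, so please confirm it against the base image. If the target is 7.1+, the equivalent is `session.sid_bits_per_character = 6` together with a `session.sid_length` value. In either case the lines lack the `;` comment block every other setting in this file carries; a one-line comment such as `; Session ID generation: 6 bits per character, SHA-1 (hash_function = 1)` above them would match the file's style. The surrounding session block continues outside the hunk.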
@@ -1374,7 +1377,7 @@ session.cookie_domain =
 ; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
 ; http://php.net/session.cookie-httponly
-session.cookie_httponly =
+session.cookie_httponly = 1
 ; Handler used to serialize data. php is the standard serializer of PHP.
 ; http://php.net/session.serialize-handler
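Review bot: `session.cookie_httponly = 1` is the right default, but its companions are not touched: `session.cookie_secure` is not set in this hunk, and `session.use_strict_mode`, whose comment block appears in the hunk at line 1330, is left unchanged there. Since the entrypoint.sh change in this same commit forces `fastcgi_param HTTPS on;`, `session.cookie_secure = 1` would keep the session cookie off plain HTTP, and `session.use_strict_mode = 1` makes PHP reject uninitialized session IDs. If these are meant to be supplied by the templating that fills `$SESSION_SAVE_HANDLER`, a comment naming the variable would save the next reader from re-raising this.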