ssl.conf missing trailing always #391

Closed
1 task done
sadkisson opened this issue Jun 28, 2023 · 6 comments · Fixed by linuxserver/docker-baseimage-alpine-nginx#146
Labels
awaiting-approval Stale exempt

Comments

@sadkisson

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Optional additional ssl headers are missing the always tag on a couple of the lines, causing the headers to not be applied.

#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
#add_header Permissions-Policy "interest-cohort=()";

Expected Behavior

After adding "always" before ";", the headers are applied.

#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
#add_header Permissions-Policy "interest-cohort=()" always;

Steps To Reproduce

/swag/nginx/ssl.conf

lines 33, 34

Environment

- OS: Unraid
- How docker service was installed: apps

CPU architecture

x86-64

Docker creation

docker run \
  -d \
  --name='swag' \
  --net='bridge' \
  --ip='x.x.x.x' \
  -e TZ="America/Somewhere" \
  -e HOST_OS="Unraid" \
  -e HOST_HOSTNAME="hostname" \
  -e HOST_CONTAINERNAME="swag" \
  -e 'TCP_PORT_443'='443' \
  -e 'TCP_PORT_80'='80' \
  -e 'URL'='domain.tld' \
  -e 'VALIDATION'='dns' \
  -e 'SUBDOMAINS'='wildcard' \
  -e 'CERTPROVIDER'='zerossl' \
  -e 'DNSPLUGIN'='cloudflare' \
  -e 'PROPAGATION'='120' \
  -e 'EMAIL'='[email protected]' \
  -e 'ONLY_SUBDOMAINS'='false' \
  -e 'EXTRA_DOMAINS'='' \
  -e 'STAGING'='false' \
  -e 'PUID'='99' \
  -e 'PGID'='100' \
  -e 'UMASK'='022' \
  -l net.unraid.docker.managed=dockerman \
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver-ls-logo.png' \
  -v '/mnt/cache/appdata/swag':'/config':'rw' \
  --cap-add=NET_ADMIN 'lscr.io/linuxserver/swag'

Container logs

na
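An added check, not part of this issue or of the SWAG project, that lints an ssl.conf-style file for add_header directives lacking the trailing always, including ones that are commented out in the "#add_header ..." style quoted above. The sample config is constructed from the lines in the report; nginx applies add_header only to a fixed set of 2xx/3xx status codes unless always is given, so a directive without it silently drops the header from error responses.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the lines quoted in the issue; it is not the
# real ssl.conf shipped in the SWAG image.
SAMPLE_SSL_CONF = """\
# optional extra security headers
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
#add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "same-origin"
    always;
"""

# Quoted strings are single tokens, so the ';' inside the CSP value above does
# not end the directive (a plain split(';') would misreport that line).
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|;|[^\s;]+')

def directives(conf: str) -> List[Tuple[bool, List[str]]]:
    """Return (commented_out, tokens) for each directive in the config.

    Whole-line comments are dropped unless they are a commented-out add_header,
    which is kept and flagged so the lint also covers disabled lines."""
    kept = []
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("#"):
            body = s.lstrip("#").strip()
            if not body.startswith("add_header"):
                continue
            line = "\x00" + body  # marker: this directive is commented out
        kept.append(line)
    result, tokens, commented = [], [], False
    for tok in TOKEN.findall("\n".join(kept)):
        if tok.startswith("\x00"):
            commented, tok = True, tok[1:]
        if tok == ";":
            result.append((commented, tokens))
            tokens, commented = [], False
        else:
            tokens.append(tok)
    return result

def headers_missing_always(conf: str) -> List[str]:
    """Header names of add_header directives whose last argument is not 'always'."""
    return [toks[1] for _, toks in directives(conf)
            if len(toks) > 1 and toks[0] == "add_header" and toks[-1] != "always"]

if __name__ == "__main__":
    for name in headers_missing_always(SAMPLE_SSL_CONF):
        print(f"add_header {name}: missing 'always'")
```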
@github-actions

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@nemchik
Member

nemchik commented Jun 28, 2023

I'll look more into these headers again, but when they were introduced they were explicitly made the bare minimum to pass most security scanners, because most other settings would be more restrictive and less universal.

If there's any updated settings we could ship that are still fairly universal I'll definitely consider it.

P.S. I tend to use the recommendations from observatory.mozilla.com as a reference for how to set these out of the box, but I'm open to reading other sources.

@sadkisson
Author

No issues. I had no idea what I was doing. I just used one of those security checking sites that pointed out some of the headers were not being applied. I did not change any of the settings, nor do I understand what they do. I just noticed all the other lines included always at the end and tried adding it to the 2 missing lines. Headers were then reporting as working after re-scanning.

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@nemchik
Member

nemchik commented Jul 29, 2023

I need to look at this. Sorry I've been busy.

@Shalar

Shalar commented Aug 12, 2023

Applying this finally allowed Firefox to load my subdomains inside frames.
