
Resolved How do I parameterize domain.tld in the nginx additional directives?

Walter

Basic Pleskian
What is the proper way to parameterize the domain name in nginx additional directives?

Code:
add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://www.google-analytics.com/; style-src 'self' https://fonts.googleapis.com; img-src 'self' https://www.google-analytics.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; frame-src 'self'; frame-ancestors 'none'; form-action 'none'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; base-uri domain.tld www.domain.tld; referrer no-referrer-when-downgrade";

I'd like to apply the CSP to multiple domains without having to customize each domain. I'd like to parameterize the domain.tld value in the code above, i.e. something like $domain. Additionally, how would I append www. to it, such as "www.$domain"?

Thank you so much for your time...
 
You can try to extract necessary lines with something like:

# for i in `mysql -uadmin -p\`cat /etc/psa/.psa.shadow\` psa -Ns -e "select name from domains"`; do echo "add_header Content-Security-Policy \"default-src 'none'; script-src 'self' https://www.google-analytics.com/; style-src 'self' https://fonts.googleapis.com; img-src 'self' https://www.google-analytics.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; frame-src 'self'; frame-ancestors 'none'; form-action 'none'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; base-uri $i www.$i; referrer no-referrer-when-downgrade\";"; done

then use this output for some kind of script for updating corresponding vhost's nginx configs.
 
Thank you IgorG, I think that could work. Just concerned about the overhead that would place having to evaluate? I think I found the formal nginx parameter to use.

In short, rather than using domain.tld and www.domain.tld I used...
Code:
base-uri $host www.$host;

Here is a list of variables that nginx will recognize:
Alphabetical index of variables

Here is the code I chose to use for my generic CSP. Of course certain sites may need to have this altered...
Code:
add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://www.google-analytics.com/; style-src 'self' https://fonts.googleapis.com; img-src 'self' https://www.google-analytics.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; frame-src 'self'; frame-ancestors 'none'; form-action 'none'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; base-uri $host www.$host; referrer no-referrer-when-downgrade";

I validated this by running my URL through Analyse your HTTP response headers which validates my headers and returns the values. It properly converts $host to my domain.tld.
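
Added example, not part of the thread: a Python check of what `base-uri $host www.$host` renders to for different Host values, including a request made to the www name. `nginx_host` is a simplified model of nginx's `$host` (lowercased Host header without the port, falling back to the server name); the function names and sample hosts are constructed for illustration.

```python
# Constructed sample: the thread's template, reduced to the directives that matter here.
CSP_TEMPLATE = "default-src 'none'; frame-ancestors 'none'; base-uri $host www.$host"


def nginx_host(host_header, server_name):
    """Simplified model of nginx's $host (an assumption of this example):
    the Host header lowercased with any port removed, or the matched
    server name when the request carries no Host header."""
    if not host_header:
        return server_name
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:  # IPv6 literal such as [::1]:8080
        return host[: host.index("]") + 1]
    return host.rsplit(":", 1)[0] if ":" in host else host


def render(template, host):
    """Substitute $host the way nginx interpolates a variable in a string."""
    return template.replace("$host", host)


def directive_sources(csp, name):
    """Return the source list of one directive from a CSP header value."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return []


def base_uri_for(host_header, server_name="domain.tld"):
    """Sources that end up in base-uri for a request with this Host header."""
    host = nginx_host(host_header, server_name)
    return directive_sources(render(CSP_TEMPLATE, host), "base-uri")


def check(host_header, expected=("domain.tld", "www.domain.tld")):
    """Compare the rendered base-uri sources with the intended pair."""
    got = set(base_uri_for(host_header))
    return {"missing": sorted(set(expected) - got),
            "unexpected": sorted(got - set(expected))}


if __name__ == "__main__":
    # Constructed Host values: apex, www with port and mixed case, no header, other name.
    for h in ("domain.tld", "WWW.Domain.tld:443", "", "other.example"):
        print(repr(h), base_uri_for(h), check(h))
```

With `$host`, the header value follows whatever name the request used, so the www name and the apex name receive different `base-uri` lists; checking both names against a header analyzer covers that case.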
 