system-configuration

system-configuration/modules/config/web.scm

web.scm

;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.

(define-module (config web)
  #:export (web-base-policy
            web-html-policy
	    default-web-policy
        accept-languages))

(define (accept-languages language-lists)
  "Returns nginx configuration code to set up the $lang variable
according to the Accept-Language header in the HTTP request.  The
requesting user agent will be served the files at /$lang/some/url.
Each list in LANGUAGE-LISTS starts with the $lang and is followed by
synonymous IETF language tags that should be mapped to the same $lang."
  (define (language-mappings language-list)
    (define (language-mapping language)
      (string-join (list "    "  language (car language-list) ";")))
    (string-join (map language-mapping language-list) "\n"))

  (let ((directives
         `(,(string-join
             `("set_from_accept_language $lang_unmapped"
               ,@(map string-join language-lists)
               ";"))
           "map $lang_unmapped $lang {"
           ,@(map language-mappings language-lists)
           "}")))
    directives))

(define web-base-policy
  '("add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;"
    "add_header X-Frame-Options DENY;"
    "add_header X-Content-Type-Options nosniff;"
    "add_header Content-Security-Policy 'default-src \\'none\\'; img-src \\'self\\'; style-src \\'self\\' \\'unsafe-inline\\'; frame-ancestors \\'none\\'';"
    "add_header Referrer-Policy no-referrer;"))

(define (web-html-policy additional-data)
  (append
    '("location ~ \\.html$ {"
      "    add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';"
      "    add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;"
      "    add_header X-Frame-Options DENY;"
      "    add_header X-Content-Type-Options nosniff;"
      "    add_header Content-Security-Policy 'default-src \\'none\\'; img-src \\'self\\'; style-src \\'self\\' \\'unsafe-inline\\'; frame-ancestors \\'none\\'';"
      "    add_header Referrer-Policy no-referrer;")
    additional-data
    '("    expires off;"
      "}")))

(define default-web-policy
  (append
    web-base-policy
    (web-html-policy '())))


1	;;; Tyreunom's system administration and configuration tools.
2	;;;
3	;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
4	;;;
5	;;; This program is free software: you can redistribute it and/or modify
6	;;; it under the terms of the GNU General Public License as published by
7	;;; the Free Software Foundation, either version 3 of the License, or
8	;;; (at your option) any later version.
9	;;;
10	;;; This program is distributed in the hope that it will be useful,
11	;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
12	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13	;;; GNU General Public License for more details.
14	;;;
15	;;; You should have received a copy of the GNU General Public License
16	;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18	(define-module (config web)
19	#:export (web-base-policy
20	web-html-policy
21	default-web-policy
22	accept-languages))
23
24	(define (accept-languages language-lists)
25	"Returns nginx configuration code to set up the $lang variable
26	according to the Accept-Language header in the HTTP request. The
27	requesting user agent will be served the files at /$lang/some/url.
28	Each list in LANGUAGE-LISTS starts with the $lang and is followed by
29	synonymous IETF language tags that should be mapped to the same $lang."
30	(define (language-mappings language-list)
31	(define (language-mapping language)
32	(string-join (list " " language (car language-list) ";")))
33	(string-join (map language-mapping language-list) "\n"))
34
35	(let ((directives
36	`(,(string-join
37	`("set_from_accept_language $lang_unmapped"
38	,@(map string-join language-lists)
39	";"))
40	"map $lang_unmapped $lang {"
41	,@(map language-mappings language-lists)
42	"}")))
43	directives))
44
45	(define web-base-policy
46	'("add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;"
47	"add_header X-Frame-Options DENY;"
48	"add_header X-Content-Type-Options nosniff;"
49	"add_header Content-Security-Policy 'default-src \\'none\\'; img-src \\'self\\'; style-src \\'self\\' \\'unsafe-inline\\'; frame-ancestors \\'none\\'';"
50	"add_header Referrer-Policy no-referrer;"))
51
52	(define (web-html-policy additional-data)
53	(append
54	'("location ~ \\.html$ {"
55	" add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';"
56	" add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;"
57	" add_header X-Frame-Options DENY;"
58	" add_header X-Content-Type-Options nosniff;"
59	" add_header Content-Security-Policy 'default-src \\'none\\'; img-src \\'self\\'; style-src \\'self\\' \\'unsafe-inline\\'; frame-ancestors \\'none\\'';"
60	" add_header Referrer-Policy no-referrer;")
61	additional-data
62	'(" expires off;"
63	"}")))
64
65	(define default-web-policy
66	(append
67	web-base-policy
68	(web-html-policy '())))
69