Yet another server test to defeat.... :-)

57 replies to this topic

#1 pir8radio (NGINX, Members, 3519 posts, Chicago)

Posted 06 August 2018 - 11:53 PM

I know these things are overkill....  But it's fun to try to get your server to hit a good "grade" if the grade even really means anything..

I know some of you tinkerers are like me...  so here is another one to eat up hours of your day:  https://observatory.mozilla.org

This is more for webservers and reverse proxies, not necessarily Emby specifically. Took me a bit of googling but got mine to an A+ lol.

 



Edited by pir8radio, 06 August 2018 - 11:55 PM.

  • darkassassin07 likes this

#2 mastrmind11 (Advanced Member, Members, 3134 posts, Long Island, NY)

Posted 07 August 2018 - 10:37 AM

lol well done.



#3 Swynol (Advanced Member, Members, 1077 posts, Wales, UK)

Posted 07 August 2018 - 01:10 PM

bloody hell, here we go again. time to push it from a B to an A :)



#4 Swynol (Advanced Member, Members, 1077 posts, Wales, UK)

Posted 07 August 2018 - 01:42 PM

Think you're going to have to share your CSP. If I lock mine down to get an A+ my sites don't load as they get blocked ha



#5 Abobader (Super-Tester, Administrators, 9492 posts)

Posted 07 August 2018 - 09:17 PM

Nice indeed :)



#6 makarai (Advanced Member, Members, 549 posts)

Posted 16 August 2018 - 10:31 AM

Hi hi,

 

This is my report with haproxy instead of nginx, I guess I have to fix some stuff. However @pir8radio, would you mind doing this again so I can check if I set all the correct headers? Also, can you let me know what you set for the CSP?

 

For other HAproxy users:

.. outdated

What I noticed is CORS differs as well:

Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains



Edited by makarai, 18 September 2018 - 01:33 AM.


#7 makarai (Advanced Member, Members, 549 posts)

Posted 17 August 2018 - 02:02 AM

In the meantime I also achieved A+ and a working Emby with the following front end settings:

 

I moved all headers to the SSL frontend

#...outdated

Edited by makarai, 18 September 2018 - 01:33 AM.

  • pir8radio likes this

#8 pir8radio (NGINX, Members, 3519 posts, Chicago)

Posted 17 August 2018 - 09:08 PM

Hi hi,

 

This is my report with haproxy instead of nginx, I guess I have to fix some stuff. However @pir8radio, would you mind doing this again so I can check if I set all the correct headers? Also, can you let me know what you set for the CSP?

 

For other HAproxy users:

# response headers added on the HAProxy SSL frontend; values containing ';' or spaces are quoted
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-XSS-Protection "1; mode=block"
http-response set-header Referrer-Policy "no-referrer,same-origin,strict-origin,strict-origin-when-cross-origin"
http-response set-header X-Content-Type-Options nosniff
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

What I noticed is CORS differs as well:

Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains

 

 

Yours looks good, I actually stole some of your settings and combined them with mine.. I now have this:

same score as my initial test but hey...

add_header Content-Security-Policy "default-src 'self' https://*.mydomain.net wss://*.mydomain.net https://www.gstatic.com https://www.github.com; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'sha256-bdnU7HNzra4Qmlo30dpjygO1RLIIqRVu1wcOsl0OWqU=' https://*.mydomain.net https://www.gstatic.com; img-src data: https:; style-src 'unsafe-inline' https://*.mydomain.net" always;



Edited by pir8radio, 17 August 2018 - 09:13 PM.

  • makarai likes this

#9 makarai (Advanced Member, Members, 549 posts)

Posted 18 August 2018 - 03:08 AM

Thank you m8!



#10 pir8radio (NGINX, Members, 3519 posts, Chicago)

Posted 18 August 2018 - 10:29 AM

I did just notice iOS browsers not working.. apps work though.. you see the same issue?



#11 Swynol (Advanced Member, Members, 1077 posts, Wales, UK)

Posted 18 August 2018 - 10:39 AM

I did just notice iOS browsers not working.. apps work though.. you see the same issue?

 

I see the same. iOS app works fine.

 

Using Chrome or Safari on iOS the page fails to load.



#12 pir8radio (NGINX, Members, 3519 posts, Chicago)

Posted 18 August 2018 - 10:40 AM

And this is with the security policy on this page enabled, correct? Just want to make sure I'm not chasing an Emby issue. :-)



#13 Swynol (Advanced Member, Members, 1077 posts, Wales, UK)

Posted 18 August 2018 - 11:03 AM

Ye, with the CSP you mentioned above. If I comment it out and use my old CSP it works fine.

 

I also had to add a few other URLs to the CSP to drop the number of errors in the Chrome console, mainly google-analytics and googletagmanager.com.


Edited by Swynol, 18 August 2018 - 11:04 AM.
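Sorting out which third-party URLs a policy blocks (post #13) and whether the nginx CSP from post #8 has the points graders penalise was done above by trial and error in a browser. The Python checker below is an example added here, not code from any poster or from Emby: it parses a CSP header value, answers whether a resource URL would be allowed under a directive (with default-src fallback, 'self', scheme sources and *.wildcard hosts), and flags the common weak spots. The policy string is adapted from post #8 with its placeholder hostnames, and the page origin passed as 'self' is an assumption.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent (frame-ancestors, base-uri do not).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "font-src", "media-src",
                    "frame-src", "object-src"}
# Policy adapted from the nginx add_header line in post #8 (its placeholder hostnames kept).
PIR8RADIO_CSP = ("default-src 'self' https://*.mydomain.net wss://*.mydomain.net https://www.gstatic.com "
                 "https://www.github.com; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; "
                 "object-src 'none'; script-src 'sha256-bdnU7HNzra4Qmlo30dpjygO1RLIIqRVu1wcOsl0OWqU=' "
                 "https://*.mydomain.net https://www.gstatic.com; img-src data: https:; "
                 "style-src 'unsafe-inline' https://*.mydomain.net")
def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def source_matches(source, url, self_origin):
    """Simplified matching of one source expression (keyword, scheme-source or scheme://host)."""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == self_origin
    if source.startswith("'"):        # 'none', 'unsafe-inline', hashes, nonces: never match a URL
        return False
    if source.endswith(":"):          # scheme-source such as https: or data:
        return u.scheme == source[:-1]
    scheme, _, host = source.partition("://")
    host = host.split("/")[0].split(":")[0]   # ignore path and port in this check
    if scheme != u.scheme:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def allows(policy, directive, url, self_origin):
    """Would a fetch governed by `directive` for `url` pass? Applies the default-src fallback."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    return True if sources is None else any(source_matches(s, url, self_origin) for s in sources)

def weaknesses(policy):
    """Flag the CSP points that grade-oriented scanners commonly penalise."""
    findings = ["default-src missing"] if "default-src" not in policy else []
    script = policy.get("script-src", policy.get("default-src", []))
    findings += [f"script-src allows {kw}" for kw in ("'unsafe-inline'", "'unsafe-eval'") if kw in script]
    if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
        findings.append("object-src is not 'none'")
    findings += [f"{d} missing" for d in ("frame-ancestors", "base-uri") if d not in policy]
    return findings
```

Run against the post #8 policy it reports no weaknesses, while a google-analytics script is refused under script-src, which is exactly the console error post #13 describes.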


#14 pir8radio (NGINX, Members, 3519 posts, Chicago)

Posted 18 August 2018 - 11:25 AM

Boo... I'll go back to what I had too, and do some more digging.. lol thx.



#15 chef (Advanced Member, Developers, 4723 posts, Peterborough, Canada)

Posted 18 August 2018 - 12:35 PM

Could someone help me with CSP? Apparently I only get a B+ because of it 😀

#16 Swynol (Advanced Member, Members, 1077 posts, Wales, UK)

Posted 18 August 2018 - 01:56 PM

Boo... I'll go back to what I had too, and do some more digging.. lol thx.

Looks like all browsers failed to work for me. All the apps worked fine.

 

Could someone help me with CSP? Apparently I only get a B+ because of it

 

Ye, looks like there is an issue atm: trying to get an A or A+ breaks Emby. So best stick with a B+ for now. Nothing wrong with a B+, most huge commercial sites out there don't get near a B.


  • chef likes this

#17 pir8radio (NGINX, Members, 3519 posts, Chicago)

Posted 18 August 2018 - 02:24 PM

I don't have a Mac to use the native iOS debugging options. :-(



#18 pir8radio (NGINX, Members, 3519 posts, Chicago)

Posted 18 August 2018 - 03:11 PM

Looks like all browsers failed to work for me. All the apps worked fine.

 

 

Ye, looks like there is an issue atm: trying to get an A or A+ breaks Emby. So best stick with a B+ for now. Nothing wrong with a B+, most huge commercial sites out there don't get near a B.

 

When you say all browsers, do you mean on iOS? Or PC too? I think all iOS browsers use the underlying Safari goodies to make them work.. But if you mean on PC too then I'm corn fused....



#19 chef (Advanced Member, Developers, 4723 posts, Peterborough, Canada)

Posted 18 August 2018 - 06:01 PM

Oh! I did it! A+ and no issues with my users connecting and streaming content!
  • CBers likes this

#20 makarai (Advanced Member, Members, 549 posts)

Posted 18 August 2018 - 06:14 PM

I don't have a Mac to use the native iOS debugging options. :-(

 

 

I don't have a Mac to test either. If someone has a Mac and the policies that we posted, just open Chrome, hit F12, go to Network and check what is red, then post a screenshot or comment on it.





