
Yet another server test to defeat.... :-)


pir8radio


pir8radio

I know these things are overkill....  But it's fun to try to get your server to hit a good "grade" if the grade even really means anything..

I know some of you tinkerers are like me...  so here is another one to eat up hours of your day:  https://observatory.mozilla.org

This is more for webservers and reverse proxies, not necessarily Emby specifically. Took me a bit of googling but got mine to an A+ lol.


Swynol

Think you're going to have to share your CSP. If I lock mine down to get an A+ my sites don't load as they get blocked ha


makarai

Hi hi,

 

This is my report with HAProxy instead of nginx; I guess I have to fix some stuff. However @pir8radio, would you mind doing this again so I can check if I set all the correct headers? Also, can you let me know what you set for the CSP?

 

For other HAProxy users:

.. outdated

What I noticed is that CORS differs as well:

Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains


makarai

In the meantime I also achieved A+ and a working Emby with the following front-end settings:

 

I moved all headers to the SSL frontend.

#...outdated

pir8radio

Hi hi,

 

This is my report with HAProxy instead of nginx; I guess I have to fix some stuff. However @pir8radio, would you mind doing this again so I can check if I set all the correct headers? Also, can you let me know what you set for the CSP?

 

For other HAProxy users:

http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-XSS-Protection "1;mode=block"
http-response set-header Referrer-Policy "no-referrer,same-origin,strict-origin,strict-origin-when-cross-origin"
http-response set-header X-Content-Type-Options nosniff
http-response set-header Strict-Transport-Security max-age=31536000;includeSubDomains;preload

What I noticed is that CORS differs as well:

Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains

 

 

Yours looks good. I actually stole some of your settings and combined them with mine. I now have this:

Same score as my initial test, but hey...

add_header Content-Security-Policy "default-src 'self' https://*.mydomain.net wss://*.mydomain.net https://www.gstatic.com https://www.github.com; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'sha256-bdnU7HNzra4Qmlo30dpjygO1RLIIqRVu1wcOsl0OWqU=' https://*.mydomain.net https://www.gstatic.com; img-src data: https: ; style-src 'unsafe-inline' https://*.mydomain.net" always;


pir8radio

I did just notice iOS browsers not working.. apps work though.. do you see the same issue?


Swynol

I did just notice iOS browsers not working.. apps work though.. do you see the same issue?

 

I see the same. iOS app works fine.

 

Using Chrome or Safari on iOS the page fails to load.

pir8radio

And this is with the security policy on this page enabled, correct? Just want to make sure I'm not chasing an Emby issue. :-)


Swynol

Yes, with the CSP you mentioned above. If I comment it out and use my old CSP it works fine.

 

I also had to add a few other URLs to the CSP to drop the number of errors in the Chrome console, mainly google-analytics and googletagmanager.com.

pir8radio

Boo... I'll go back to what I had too, and do some more digging.. lol thx.


Swynol

Boo... I'll go back to what I had too, and do some more digging.. lol thx.

Looks like all browsers failed to work for me. All the apps worked fine.

 

Could someone help me with CSP? Apparently I only get a B+ because of it.

 

Yes, looks like there is an issue atm: trying to get an A or A+ breaks Emby, so best stick with a B+ for now. Nothing wrong with a B+; most huge commercial sites out there don't get near a B.

pir8radio

I don't have a Mac to use the native iOS debugging options. :-(

pir8radio

Looks like all browsers failed to work for me. All the apps worked fine.

 

 

Yes, looks like there is an issue atm: trying to get an A or A+ breaks Emby, so best stick with a B+ for now. Nothing wrong with a B+; most huge commercial sites out there don't get near a B.

 

When you say all browsers, do you mean on iOS? Or PC too? I think all iOS browsers use the underlying Safari goodies to make them work.. But if you mean on PC too then I'm corn fused....

chef

Oh! I did it! A+ and no issues with my users connecting and streaming content!


makarai

I don't have a Mac to use the native iOS debugging options. :-(

 

 

I don't have a Mac to test either. If someone has a Mac and the policies that we posted, just open Chrome, hit F12, go to Network and check what is red; post a screenshot or comment on it.

makarai

Boo... I'll go back to what I had too, and do some more digging.. lol thx.

 

Can you post what you used before so I can spare myself the digging :)

pir8radio

Well, I figured it out. This is the CSP I'm using, but I had to do a workaround. My workaround will only work for nginx users that have the "sub_filter" module baked into their copy of nginx. @Luke will need to make a change for us to be able to fully secure Emby with a Content Security Policy. Luke, skip to the bottom.

If you are unable to edit the Emby index.html or use sub_filter, you will have to allow inline scripts, which defeats the purpose of the CSP.

add_header Content-Security-Policy "default-src 'self' https://*.mydomain.net wss://*.mydomain.net https://www.gstatic.com https://www.github.com; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'nonce-4AEemGb0xJptoIGFP3Nd' https://*.mydomain.net https://www.gstatic.com; img-src data: https: ; style-src 'unsafe-inline' https://*.mydomain.net" always;
But the above won't work unless you either use an nginx sub_filter (shown below), edit the Emby index.html, or Luke adds a nonce to his inline script at the bottom of index.html. This inline script can't be hashed because it changes with every version, so in order to get it to load it has to have a non-changing nonce added to it. I was able to add this on the fly with nginx; it actually rewrites the HTML from:

<script>window.dashboardVersion='3.6.0.2';</script>

TO:

<script nonce="4AEemGb0xJptoIGFP3Nd">window.dashboardVersion='3.6.0.2';</script>

The nginx sub_filter line: what this does is take Emby's script tag (ignoring the version number) and rewrite it on the fly to the second quoted string, adding the nonce so the CSP can then allow this script to run on the client side.

sub_filter '<script>window.dashboardVersion='  '<script nonce="4AEemGb0xJptoIGFP3Nd">window.dashboardVersion=';

Now, with a nonce assigned to the inline script, I can add it to my CSP and allow this script to run.

 

Luke, any way you can either remove this inline script and reference a JS file, or just add a static nonce to your script tag like above? nonce="4AEemGb0xJptoIGFP3Nd" This minor change will allow you to secure Emby with CSP later anyway, and won't affect current users.

 

I think just putting that one line of script into a dashboard.js and bringing it into the index file that way would be easy too.


pir8radio

Another option is to hash that line of script and put the hash in your CSP, but you will have to rehash it for every Emby version as you upgrade.

 

Use this site to create a hash: https://report-uri.com/home/hash/ 

 

The script you will need to hash is at the bottom of the index.html when you view source:

<script>window.dashboardVersion='X.X.X.X';</script>

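An added example, not code from this thread or from Emby, that ties together the nonce workaround and the hash alternative posted above: it pulls the inline scripts out of a page, computes the CSP sha256 hash source for each (what the report-uri tool produces), and checks whether the script-src directive would allow the script via a nonce or a hash. The HTML before/after the sub_filter rewrite, the nonce and the CSP are the ones quoted in the thread, embedded here as constructed samples.

```python
import base64
import hashlib
import re

# Constructed samples: the tail of Emby's index.html as served, before and
# after the nginx sub_filter rewrite described in the thread.
HTML_BEFORE = "<html><body><script>window.dashboardVersion='3.6.0.2';</script></body></html>"
HTML_AFTER = ("<html><body><script nonce=\"4AEemGb0xJptoIGFP3Nd\">"
              "window.dashboardVersion='3.6.0.2';</script></body></html>")
# The CSP value from the post (the header value only, without nginx's add_header wrapper).
CSP_NONCE = ("default-src 'self' https://*.mydomain.net wss://*.mydomain.net; base-uri 'none'; "
             "form-action 'self'; frame-ancestors 'self'; object-src 'none'; "
             "script-src 'nonce-4AEemGb0xJptoIGFP3Nd' https://*.mydomain.net https://www.gstatic.com; "
             "img-src data: https: ; style-src 'unsafe-inline' https://*.mydomain.net")

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.DOTALL | re.IGNORECASE)
NONCE_RE = re.compile(r'nonce="([^"]*)"', re.IGNORECASE)


def csp_script_src(csp: str) -> set:
    """Tokens of the script-src directive; falls back to default-src as browsers do."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = set(tokens[1:])
    return directives.get("script-src", directives.get("default-src", set()))


def script_hash(body: str) -> str:
    """CSP hash source for an inline script: sha256 over the exact text between the tags."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def audit_inline_scripts(html: str, csp: str) -> list:
    """For every inline <script>, report whether the policy allows it and by which source."""
    allowed = csp_script_src(csp)
    # A nonce or hash source in the directive makes browsers ignore 'unsafe-inline'.
    strict = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in allowed)
    results = []
    for attrs, body in SCRIPT_RE.findall(html):
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue  # external script: governed by host sources, not by nonce/hash
        match = NONCE_RE.search(attrs)
        nonce = match.group(1) if match else None
        digest = script_hash(body)
        if nonce and "'nonce-%s'" % nonce in allowed:
            reason = "nonce"
        elif digest in allowed:
            reason = "hash"
        elif "'unsafe-inline'" in allowed and not strict:
            reason = "unsafe-inline"
        else:
            reason = None  # the browser would block this script
        results.append({"body": body, "nonce": nonce, "hash": digest, "allowed_by": reason})
    return results
```

Run it against a copy of index.html from a new Emby release to see whether the hash in your CSP still matches, or whether the sub_filter rewrite is still landing the nonce on the tag.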

Spaceboy

I got my domain to a B+ following the advice here, thanks! And also adding my support for the changes to be made in Emby to allow us to achieve full marks.
