@abtnode/router-provider 1.16.49-beta-20250827-025603-2bb1a7ee → 1.16.49-beta-20250828-131156-98768a61

package/lib/nginx/includes/daemon/ssl

@@ -0,0 +1,3 @@
+# Security headers for HTTPS responses
+# Note: HSTS must only be sent on HTTPS
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

package/lib/nginx/index.js

@@ -26,6 +26,10 @@ const {
   GATEWAY_RATE_LIMIT_GLOBAL,
   GATEWAY_RATE_LIMIT,
   DOMAIN_FOR_IP_SITE_REGEXP,
+  CSP_OFFICIAL_SOURCES,
+  CSP_SYSTEM_SOURCES,
+  CSP_THIRD_PARTY_SOURCES,
+  CSP_ICONIFY_SOURCES,
 } = require('@abtnode/constant');
 const { toHex } = require('@ocap/util');
 const promiseRetry = require('promise-retry');
@@ -164,6 +168,7 @@ class NginxProvider extends BaseProvider {
 
     this._copyConfigFiles();
     this._ensureDhparam();
+    this._ensureDaemonSecurityHeaders();
     this.updateProxyPolicy({ enabled: false });
     this.initialize();
   }
@@ -303,6 +308,7 @@ class NginxProvider extends BaseProvider {
             // if match certificate, then add https server
             this._addHttpsServer({
               conf,
+              serviceType: site.serviceType,
               locations: rules,
               certificateFileName: certificate.domain,
               serverName: parsedServerName,
@@ -314,6 +320,7 @@ class NginxProvider extends BaseProvider {
           } else {
             this._addHttpServer({
               conf,
+              serviceType: site.serviceType,
               locations: rules,
               serverName: parsedServerName,
               corsAllowedOrigins,
@@ -581,6 +588,16 @@ class NginxProvider extends BaseProvider {
     }
   }
 
+  _addSecurityHeaders(location, serviceType) {
+    if (serviceType === 'daemon') {
+      if (fs.existsSync(path.join(this.includesDir, 'daemon', 'security'))) {
+        location._add('include', 'includes/daemon/security');
+      }
+
+      location._add('include', 'includes/daemon/ssl');
+    }
+  }
+
   /**
    * Returns:
    * server /flash/ {
@@ -605,6 +622,7 @@ class NginxProvider extends BaseProvider {
     commonHeaders,
     cacheGroup,
     pageGroup,
+    serviceType,
   }) {
     server._add('location', concatPath(prefix, suffix, root));
 
@@ -637,6 +655,8 @@ class NginxProvider extends BaseProvider {
       location._add('include', 'includes/cache');
     }
 
+    this._addSecurityHeaders(location, serviceType);
+
     // Redirect blocklet traffic
     if (type === ROUTING_RULE_TYPES.BLOCKLET) {
       // FIXME: logic related to server gateway should not in provider
@@ -680,7 +700,7 @@ class NginxProvider extends BaseProvider {
     location._add('proxy_pass', `http://${getUpstreamName(port)}`);
   }
 
-  _addRedirectTypeLocation({ server, url, redirectCode, prefix, suffix }) {
+  _addRedirectTypeLocation({ server, url, redirectCode, prefix, suffix, serviceType }) {
     const cleanUrl = trimEndSlash(url);
     server._add('location', `${concatPath(prefix, suffix)}`);
     const location = this._getLastLocation(server);
@@ -694,6 +714,8 @@ class NginxProvider extends BaseProvider {
     // always allow cors here since we are doing a redirect
     location._add('include', 'includes/cors');
 
+    this._addSecurityHeaders(location, serviceType);
+
     // 如果 prefix 是根路径，则不需要重写，直接将当前的请求附加到设置的重定向地址后面
     if (prefix === '/') {
       location._add('return', `${redirectCode} ${cleanUrl}$request_uri`);
@@ -704,24 +726,28 @@ class NginxProvider extends BaseProvider {
     }
   }
 
-  _addRewriteTypeLocation({ server, url, prefix, suffix }) {
+  _addRewriteTypeLocation({ server, url, prefix, suffix, serviceType }) {
     server._add('location', concatPath(prefix, suffix));
     const location = this._getLastLocation(server);
+
+    this._addSecurityHeaders(location, serviceType);
     location._add('rewrite', `^${prefix}(.*) ${url}$1 last`);
   }
 
-  _addNotFoundLocation({ server, prefix, suffix }) {
+  _addNotFoundLocation({ server, prefix, suffix, serviceType }) {
     server._add('location', concatPath(prefix, suffix));
     const location = this._getLastLocation(server);
-    this._addTailSlashRedirection(location, prefix);
 
+    this._addSecurityHeaders(location, serviceType);
+    this._addTailSlashRedirection(location, prefix);
     location._add('try_files', '$uri /404.html break');
   }
 
-  _addGeneralProxyLocation({ server, port, prefix, suffix, blockletDid, targetPrefix }) {
+  _addGeneralProxyLocation({ server, port, prefix, suffix, blockletDid, targetPrefix, serviceType }) {
     server._add('location', concatPath(prefix, suffix));
     const location = this._getLastLocation(server);
     this._addCommonHeader(location);
+    this._addSecurityHeaders(location, serviceType);
     location._add('include', 'includes/proxy');
     if (blockletDid) {
       location._add('proxy_set_header', `X-Blocklet-Did ${blockletDid}`);
@@ -867,6 +893,61 @@ class NginxProvider extends BaseProvider {
     }
   }
 
+  _ensureDaemonSecurityHeaders() {
+    const securityFilePath = path.join(this.includesDir, 'daemon', 'security');
+    const cspSources = [
+      ...CSP_OFFICIAL_SOURCES,
+      ...CSP_SYSTEM_SOURCES,
+      ...CSP_THIRD_PARTY_SOURCES,
+      ...CSP_ICONIFY_SOURCES,
+      'data:',
+      'blob:',
+      '*/__blocklet__.js',
+      '*/.well-known/ping',
+    ];
+    const cspPolicy = `default-src 'self'; frame-ancestors 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' ${cspSources.join(' ')}; font-src 'self' data:; connect-src 'self' ${cspSources.join(' ')} */.well-known/ping; base-uri 'self'; object-src 'none'`;
+    const cspLine = `add_header Content-Security-Policy "${cspPolicy}" always;`;
+
+    try {
+      if (fs.existsSync(securityFilePath)) {
+        logger.info('security include file already exists', { path: securityFilePath });
+        return;
+      }
+
+      const baseContent = [
+        '## Global HTTP security headers (safe baseline)',
+        '',
+        '# MIME sniffing protection',
+        'add_header X-Content-Type-Options "nosniff" always;',
+        '# --- Secure Headers Baseline ---',
+        '# Hide headers from upstream (in case the upstream app sets them).',
+        '# This prevents duplicate values which may cause overly strict policies.',
+        'proxy_hide_header Content-Security-Policy;',
+        'proxy_hide_header Referrer-Policy;',
+        'proxy_hide_header Permissions-Policy;',
+        '# Referrer-Policy:',
+        '# Controls how much referrer information is included with requests.',
+        '# "strict-origin-when-cross-origin" is a balanced choice: full referrer',
+        '# for same-origin, origin only for cross-origin, nothing on downgrade.',
+        '# Use "no-referrer" if you want the strictest setting.',
+        'add_header Referrer-Policy "strict-origin-when-cross-origin" always;',
+        'add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), bluetooth=(), fullscreen=(), xr-spatial-tracking=(), magnetometer=(), gyroscope=(), accelerometer=(), browsing-topics=()" always;',
+        'add_header X-Frame-Options "DENY" always;',
+        '# Content-Security-Policy (CSP):',
+        '# Mitigates XSS by restricting resource loading.',
+        '# This baseline only allows self-hosted resources, blocks framing,',
+        '# disallows <base> tag overrides, and disables legacy plugins.',
+        '# Adjust sources (script-src, style-src, img-src, etc.) if you need CDNs.',
+        cspLine,
+      ].join('\n');
+
+      fs.writeFileSync(securityFilePath, baseContent);
+      logger.info('security include file updated', { path: securityFilePath });
+    } catch (error) {
+      logger.error('Failed to update security include file', { error, path: securityFilePath });
+    }
+  }
+
   _addCommonResHeaders(block, headers) {
     if (!headers || Object.prototype.toString.call(headers) !== '[object Object]') {
       return;
@@ -1019,11 +1100,12 @@ class NginxProvider extends BaseProvider {
     daemonPort,
     commonHeaders,
     blockletDid,
+    serviceType,
   }) {
     const httpServerUnit = this._addHttpServerUnit({ conf, serverName, port });
     this._addDefaultLocations({ server: httpServerUnit, daemonPort, serverName });
     // eslint-disable-next-line max-len
-    locations.forEach((x) => this._addReverseProxy({ server: httpServerUnit, ...x, serverName, corsAllowedOrigins, commonHeaders, blockletDid })); // prettier-ignore
+    locations.forEach((x) => this._addReverseProxy({ server: httpServerUnit, ...x, serverName, corsAllowedOrigins, commonHeaders, blockletDid, serviceType })); // prettier-ignore
   }
 
   _addHttpsServer({
@@ -1031,6 +1113,7 @@ class NginxProvider extends BaseProvider {
     locations,
     certificateFileName,
     serverName,
+    serviceType,
     corsAllowedOrigins,
     daemonPort,
     commonHeaders,
@@ -1043,7 +1126,7 @@ class NginxProvider extends BaseProvider {
 
     this._addDefaultLocations({ server: httpsServerUnit, daemonPort, serverName });
     // eslint-disable-next-line max-len
-    locations.forEach((x) => this._addReverseProxy({ server: httpsServerUnit, ...x, serverName, corsAllowedOrigins, commonHeaders, blockletDid })); // prettier-ignore
+    locations.forEach((x) => this._addReverseProxy({ server: httpsServerUnit, ...x, serverName, corsAllowedOrigins, commonHeaders, blockletDid, serviceType })); // prettier-ignore
   }
 
   _addHttpServerUnit({ conf, serverName, port = '' }) {

package/lib/util.js

@@ -75,6 +75,7 @@ const formatRoutingTable = (routingTable) => {
         rules: [],
         port: site.port,
         corsAllowedOrigins: site.corsAllowedOrigins,
+        serviceType: site.serviceType,
       };
     }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abtnode/router-provider",
-  "version": "1.16.49-beta-20250827-025603-2bb1a7ee",
+  "version": "1.16.49-beta-20250828-131156-98768a61",
   "description": "Routing engine implementations for abt node",
   "author": "polunzh <polunzh@gmail.com>",
   "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -32,11 +32,11 @@
     "url": "https://github.com/ArcBlock/blocklet-server/issues"
   },
   "dependencies": {
-    "@abtnode/constant": "1.16.49-beta-20250827-025603-2bb1a7ee",
-    "@abtnode/db-cache": "1.16.49-beta-20250827-025603-2bb1a7ee",
-    "@abtnode/logger": "1.16.49-beta-20250827-025603-2bb1a7ee",
-    "@abtnode/router-templates": "1.16.49-beta-20250827-025603-2bb1a7ee",
-    "@abtnode/util": "1.16.49-beta-20250827-025603-2bb1a7ee",
+    "@abtnode/constant": "1.16.49-beta-20250828-131156-98768a61",
+    "@abtnode/db-cache": "1.16.49-beta-20250828-131156-98768a61",
+    "@abtnode/logger": "1.16.49-beta-20250828-131156-98768a61",
+    "@abtnode/router-templates": "1.16.49-beta-20250828-131156-98768a61",
+    "@abtnode/util": "1.16.49-beta-20250828-131156-98768a61",
     "@arcblock/http-proxy": "^1.19.1",
     "@arcblock/is-valid-domain": "^1.0.5",
     "@ocap/util": "^1.23.1",
@@ -62,5 +62,5 @@
     "bluebird": "^3.7.2",
     "fs-extra": "^11.2.0"
   },
-  "gitHead": "2b70eea34e8bc8546abb09d38935e8906d9586fd"
+  "gitHead": "2d2312333cf9dd50034609c678f2fd777e0ba25a"
 }