Verified Commit 23820a79 authored by Jake Jarvis's avatar Jake Jarvis 馃惣

AWS deploy cleanup

parent b08b17b9
......@@ -15,13 +15,17 @@ before_script:
build:
stage: build
script:
# download and install Hugo
- wget https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz
- echo "${HUGO_SHA} hugo_${HUGO_VERSION}_Linux-64bit.tar.gz" | sha256sum -c
- tar xf hugo_${HUGO_VERSION}_Linux-64bit.tar.gz && cp ./hugo /usr/bin
# build site
- rm -rf public
- hugo
artifacts:
paths:
# send built site to deploy stage
- public
deploy:
......@@ -29,31 +33,28 @@ deploy:
dependencies:
- build
script:
# install awscli
- pip install --quiet --no-cache-dir awscli==${AWSCLI_VERSION}
- aws configure set preview.cloudfront true
- aws configure set preview.create-invalidation true
# upload all files
- aws s3 sync ./public s3://$S3_BUCKET_NAME --delete --region us-east-1 --cache-control "max-age=86400, public" --metadata-directive "REPLACE"
# set certain content-types manually because S3 sucks at guessing
# set cache-control and certain content-types manually because S3 sucks at guessing
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.ico" --content-type="image/x-icon" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.svg" --content-type="image/svg+xml" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.ttf" --content-type="font/ttf" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.otf" --content-type="font/otf" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.eot" --content-type="application/vnd.ms-fontobject" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.eot" --content-type="application/vnd.ms-fontobject" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.woff" --content-type="font/woff" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.woff2" --content-type="font/woff2" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.xml" --content-type="text/xml" --cache-control "max-age=3600, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.mp4" --content-type="video/mp4" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.webm" --content-type="video/webm" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.docx" --content-type="application/vnd.openxmlformats-officedocument.wordprocessingml.document" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.docx" --content-type="application/vnd.openxmlformats-officedocument.wordprocessingml.document" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.pdf" --content-type="application/pdf" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive
# a few caching improvements
# a few more caching improvements
- aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.css" --include "*.js" --include "*.jpg" --include "*.png" --include "*.gif" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive
- aws s3 cp s3://$S3_BUCKET_NAME/jarvis.asc s3://$S3_BUCKET_NAME/jarvis.asc --content-type="text/plain; charset=utf-8" --cache-control "max-age=0, no-cache, no-store" --content-disposition "inline; filename=\"jarvis.asc\"" --metadata-directive="REPLACE"
# invalidate entire CloudFront cache
- aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths "/*";
- aws s3 cp s3://$S3_BUCKET_NAME/jarvis.asc s3://$S3_BUCKET_NAME/jarvis.asc --content-type="text/plain; charset=utf-8" --cache-control "max-age=0, no-store, no-cache, must-revalidate" --content-disposition "inline; filename=\"jarvis.asc\"" --metadata-directive="REPLACE"
only:
- master
# [jarv.is](https://jarv.is/)
# [jarv.is](https://jarv.is/) 馃惣
[![pipeline status](https://git.jarv.is/jake/jarv.is/badges/master/pipeline.svg)](https://git.jarv.is/jake/jarv.is/commits/master)
Personal website of [@jakejarvis](https://github.com/jakejarvis), created and deployed using the following:
- [Hugo](https://github.com/gohugoio/hugo)
- [AWS S3/CloudFront/Lambda](https://aws.amazon.com/)
- [Amazon S3](https://aws.amazon.com/)
- [CloudFlare Workers](https://developers.cloudflare.com/workers/about/)
- [GitLab CI](https://git.jarv.is/jake/jarv.is/pipelines)
- [Matomo Analytics](https://matomo.org/)
......
......@@ -2,8 +2,6 @@ baseURL = "https://jarv.is/"
languageCode = "en-us"
title = "Jake Jarvis"
disableHugoGeneratorInject = true
disableKinds = ["taxonomy", "taxonomyTerm", "RSS"]
[taxonomies]
......
'use strict';
exports.handler = (event, context, callback) => {
// Get contents of response
const response = event.Records[0].cf.response;
response.headers['Strict-Transport-Security'] = [{
key: 'Strict-Transport-Security',
value: "max-age=31536000; includeSubdomains"
}];
response.headers['X-Frame-Options'] = [{
key: 'X-Frame-Options',
value: "SAMEORIGIN"
}];
response.headers['X-Content-Type-Options'] = [{
key: 'X-Content-Type-Options',
value: "nosniff"
}];
response.headers['Referrer-Policy'] = [{
key: 'Referrer-Policy',
value: "same-origin"
}];
response.headers['X-XSS-Protection'] = [{
key: 'X-XSS-Protection',
value: "1; mode=block; report=https://jarvis.report-uri.com/r/d/xss/enforce"
}];
// response.headers['Accept-Ranges'] = [{
// key: 'Accept-Ranges',
// value: "bytes"
// }];
response.headers['Content-Security-Policy'] = [{
key: 'Content-Security-Policy',
value: "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-TLAu2p9kt4LHt+sWwE0cvqq1Ok5LoGzRPrw7+mzhX00='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self'; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default"
}];
response.headers['Report-To'] = [{
key: 'Report-To',
value: "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}"
}];
response.headers['NEL'] = [{
key: 'NEL',
value: "{\"report_to\":\"default\",\"max_age\":604800}"
}];
response.headers['X-DNS-Prefetch-Control'] = [{
key: 'X-DNS-Prefetch-Control',
value: "off"
}];
response.headers['X-UA-Compatible'] = [{
key: 'X-UA-Compatible',
value: "IE=edge"
}];
response.headers['Expect-CT'] = [{
key: 'Expect-CT',
value: "max-age=604800, enforce, report-uri=\"https://jarvis.report-uri.com/r/d/ct/enforce\""
}];
response.headers['X-Permitted-Cross-Domain-Policies'] = [{
key: 'X-Permitted-Cross-Domain-Policies',
value: "none"
}];
response.headers['Feature-Policy'] = [{
key: 'Feature-Policy',
value: "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; sync-xhr 'none'; payment 'none'; usb 'none'; vr 'none'"
}];
delete response.headers['Last-Modified'];
delete response.headers['Expires'];
// Return modified response
callback(null, response);
};
\ No newline at end of file
......@@ -3,7 +3,6 @@
<html lang="en">
<head>
<meta charset="utf-8">
{{ .Hugo.Generator }}
<title>{{ .Title }}{{ if .IsHome }} &#x1f468;&#x200d;&#x1f4bb;{{ end }}</title>
<meta name="description" content="{{ if .Description }}{{ .Description }}{{ else }}{{ .Site.Params.description }}{{ end }}">
<meta name="viewport" content="width=device-width, initial-scale=1">
......
let securityHeaders = {
"Content-Security-Policy": "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-QwZM+dNl2R1KcXo8ORmpT3mqAVwIBbEcJBmWYurBNv4='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self'; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
"Report-To": "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}",
"NEL": "{\"report_to\":\"default\",\"max_age\":604800}",
// "Strict-Transport-Security" : "max-age=1000",
"X-Xss-Protection": "1; mode=block; report=https://jarvis.report-uri.com/r/d/xss/enforce",
"X-Frame-Options": "SAMEORIGIN",
"X-Content-Type-Options": "nosniff",
"Referrer-Policy": "same-origin",
"X-DNS-Prefetch-Control": "off",
"X-UA-Compatible": "IE=edge",
"X-Permitted-Cross-Domain-Policies": "none",
"Feature-Policy": "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; sync-xhr 'none'; payment 'none'; usb 'none'; vr 'none'"
let newHeaders = {
"Content-Security-Policy": "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-QwZM+dNl2R1KcXo8ORmpT3mqAVwIBbEcJBmWYurBNv4='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self'; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
"Report-To": "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}",
"NEL": "{\"report_to\":\"default\",\"max_age\":604800}",
// "Strict-Transport-Security" : "max-age=1000",
"X-Xss-Protection": "1; mode=block; report=https://jarvis.report-uri.com/r/d/xss/enforce",
"X-Frame-Options": "SAMEORIGIN",
"X-Content-Type-Options": "nosniff",
"Referrer-Policy": "same-origin",
"X-DNS-Prefetch-Control": "off",
"X-UA-Compatible": "IE=edge",
"X-Permitted-Cross-Domain-Policies": "none",
"Feature-Policy": "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; sync-xhr 'none'; payment 'none'; usb 'none'; vr 'none'"
}
let removeHeaders = [
"Last-Modified",
"Expires",
"Public-Key-Pins",
"X-Powered-By",
"x-amz-request-id",
"x-amz-id-2",
"x-amz-bucket",
"x-amz-bucket-region",
"x-amz-error-code",
"x-amz-error-message",
"x-amz-error-detail-key",
"x-amz-version-id"
"Last-Modified",
"Expires",
"Public-Key-Pins",
"X-Powered-By",
"x-amz-request-id",
"x-amz-id-2",
"x-amz-bucket",
"x-amz-bucket-region",
"x-amz-error-code",
"x-amz-error-message",
"x-amz-error-detail-key",
"x-amz-version-id"
]
addEventListener('fetch', event => {
event.respondWith(addHeaders(event.request))
addEventListener("fetch", event => {
event.respondWith(addHeaders(event.request))
})
async function addHeaders(req) {
let response = await fetch(req)
let newHeaders = new Headers(response.headers)
let response = await fetch(req)
let responseHeaders = new Headers(response.headers)
Object.keys(securityHeaders).map(function(name, index) {
newHeaders.set(name, securityHeaders[name]);
Object.keys(newHeaders).map(function(name, index) {
responseHeaders.set(name, newHeaders[name])
})
removeHeaders.forEach(function(name){
newHeaders.delete(name)
})
removeHeaders.forEach(function(name){
responseHeaders.delete(name)
})
return new Response(response.body , {
status: response.status,
statusText: response.statusText,
headers: newHeaders
})
return new Response(response.body, {
status: response.status,
statusText: response.statusText,
headers: responseHeaders
})
}
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment