Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
78 lines (59 sloc) 4.71 KB
language: php
php:
- 7.2
env:
global:
- DOMAIN="jamieweb.net" #Your website's domain name
- CSP="default-src 'none'" #The Content Security Policy to test against (**without** a report-uri directive)
- REPORT_URI_SUBDOMAIN="jamieweb" #Your report-uri.com subdomain/username (optional, leave blank if you don't want to use Report URI)
before_install:
#Set up your build subdomain to resolve to localhost
- printf "\n127.0.0.1 build${TRAVIS_BUILD_NUMBER}.${DOMAIN}\n" | sudo tee -a /etc/hosts
#Install Apache and libnss3-tools
- sudo apt update
- sudo apt install apache2 libnss3-tools
#Install headless-chrome-crawler using the yarn package manager
- yarn add --ignore-engines headless-chrome-crawler
#Enable mod_headers, mod_proxy_http and mod_ssl
- sudo a2enmod headers proxy_http ssl
#Set up Apache as a reverse proxy (this is used to add the CSP header)
- printf "ProxyPass \"/\" \"http://localhost:8080/\"\nProxyPassReverse \"/\" \"http://localhost:8080/\"\n" | sudo tee /etc/apache2/conf-available/csp.conf
#Add your CSP to the Apache config
- printf "Header always set Content-Security-Policy \"${CSP}; report-uri https://build${TRAVIS_BUILD_NUMBER}.${DOMAIN}/report-uri.php" | sudo tee -a /etc/apache2/conf-available/csp.conf
- if [ -n "$REPORT_URI_SUBDOMAIN" ]; then printf " https://${REPORT_URI_SUBDOMAIN}.report-uri.com/r/d/csp/enforce\"" | sudo tee -a /etc/apache2/conf-available/csp.conf; else printf "\"" | sudo tee -a /etc/apache2/conf-available/csp.conf; fi
- sudo a2enconf csp.conf
#Generate a self-signed certificate for your build-number subdomain
- printf "\n[SAN]\nsubjectAltName=DNS:build${TRAVIS_BUILD_NUMBER}.${DOMAIN}\n" | sudo tee -a /etc/ssl/openssl.cnf
- openssl req -newkey rsa:2048 -x509 -nodes -keyout "build${TRAVIS_BUILD_NUMBER}.${DOMAIN}.key" -new -out "build${TRAVIS_BUILD_NUMBER}.${DOMAIN}.crt" -subj /CN="${TRAVIS_BUILD_NUMBER}.${DOMAIN}" -reqexts SAN -extensions SAN -config /etc/ssl/openssl.cnf -sha256 -days 2
#Add the self-signed certificate to the NSS DB so that it is trusted by the crawler
- mkdir -p "$HOME"/.pki/nssdb
- certutil -d "$HOME"/.pki/nssdb -N --empty-password
- certutil -d sql:"$HOME"/.pki/nssdb -A -t "P,," -n "build${TRAVIS_BUILD_NUMBER}.${DOMAIN}.crt" -i "build${TRAVIS_BUILD_NUMBER}.${DOMAIN}.crt"
#Configure Apache to serve the self-signed certificate
- sudo mv "build${TRAVIS_BUILD_NUMBER}.${DOMAIN}.crt" /etc/ssl/certs/
- sudo mv "build${TRAVIS_BUILD_NUMBER}.${DOMAIN}.key" /etc/ssl/private/
- printf "<VirtualHost _default_:443>\nSSLEngine on\nSSLCertificateFile /etc/ssl/certs/build${TRAVIS_BUILD_NUMBER}.${DOMAIN}.crt\nSSLCertificateKeyFile /etc/ssl/private/build${TRAVIS_BUILD_NUMBER}.${DOMAIN}.key\n</VirtualHost>" | sudo tee /etc/apache2/sites-available/tls.conf
- sudo a2ensite tls.conf
#Restart Apache to apply changes
- sudo service apache2 restart
#Set up the PHP built-in server to host your content locally
before_script:
#Create a basic CSP report handler
#NOTE: This report handler code is not secure and should not be used on any internet-facing server or for production use.
#In this case it is acceptable as it is only processing locally-generated data in a single-use/disposable VM environment.
- printf "<?php \$report = json_decode(filter_var(file_get_contents('php://input'), FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH)); if(json_last_error() !== JSON_ERROR_NONE) { exit(); } elseif((in_array(\$report->{'csp-report'}->{'blocked-uri'}, array_map('trim', file('blocked-uri-exclusions.txt')))) || (in_array(\$report->{'csp-report'}->{'document-uri'}, array_map('trim', file('document-uri-exclusions.txt'))))) { exit(); } else { file_put_contents('csp-reports.txt', json_encode(\$report, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . \"\\\\n\\\\n\", FILE_APPEND); } ?>" > report-uri.php
#Create configuration files to prevent errors if they do not exist
- touch csp-reports.txt blocked-uri-exclusions.txt document-uri-exclusions.txt
#Prepend build number subdomain to exclusion config files
- if [ -s blocked-uri-exclusions.txt ]; then sed -i "s/^/https:\/\/build${TRAVIS_BUILD_NUMBER}.${DOMAIN}/" blocked-uri-exclusions.txt; fi
- if [ -s document-uri-exclusions.txt ]; then sed -i "s/^/https:\/\/build${TRAVIS_BUILD_NUMBER}.${DOMAIN}/" document-uri-exclusions.txt; fi
#Add required PHP configurations below
- printf "include_path = $(pwd)" > php-conf-csp.ini
- phpenv config-add php-conf-csp.ini
#Start basic PHP web server
#NOTE: If you wish, you can hide all output using 'php -S localhost:8080 > /dev/null 2>&1 &', however it is only recommended to do this once you are sure there are no PHP errors occuring.
- php -S localhost:8080 &
#Wait for detached web server to start
- sleep 3
#Start the build script
script: chmod +x build.sh && ./build.sh "build${TRAVIS_BUILD_NUMBER}.${DOMAIN}"