aboutsummaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorRomain Gonçalves <me@rgoncalves.se>2024-07-01 11:03:56 +0200
committerRomain Gonçalves <me@rgoncalves.se>2024-07-01 11:05:18 +0200
commit7ea5af649faf2b63d5917998d0c9a2435e2b4f24 (patch)
tree0dfdeaa26128ef7ebbd7e9b63668bed6964976fb /roles
parent7145dc982cc0e0fff4afa91d7e3970ad1abddf3f (diff)
downloadrules-7ea5af649faf2b63d5917998d0c9a2435e2b4f24.tar.gz
fix(roles/relayd): mjs mimetype and correct nextclud header
Diffstat (limited to 'roles')
-rw-r--r--roles/httpd/defaults/main.yml1
-rw-r--r--roles/relayd/templates/relayd.conf.j213
2 files changed, 10 insertions, 4 deletions
diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml
index 5e2af25..1ddaccd 100644
--- a/roles/httpd/defaults/main.yml
+++ b/roles/httpd/defaults/main.yml
@@ -3,6 +3,7 @@
httpd__supported_types:
- application/pdf pdf
- application/xml xml rss
+ - application/javascript js mjs
- audio/mpeg mp3
- image/gif gif
- image/jpeg jpeg jpg
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 4169251..b14e6bf 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -23,15 +23,20 @@ http protocol "https" {
tcp { sack, backlog 128 }
- match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
- match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
- match request header set "Connection" value "close"
match request header set "X-Forwarded-Proto" value "https"
+ # match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
+ # match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-Port" value "$REMOTE_PORT"
+
+ match response header set "X-XSS-Protection" value "1; mode=block"
+ match response header set "X-Content-Type-Options" value "nosniff"
+
+ match request header set "Connection" value "close"
match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
match response header set "Referrer-Policy" value "no-referrer"
- match response header set "X-XSS-Protection" value "1; mode=block"
+ match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
+
{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
{% for rule in h.relayd__rules %}
remember that computers suck.