diff options
-rw-r--r-- | roles/httpd/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/relayd/templates/relayd.conf.j2 | 13 |
2 files changed, 10 insertions, 4 deletions
diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml index 5e2af25..1ddaccd 100644 --- a/roles/httpd/defaults/main.yml +++ b/roles/httpd/defaults/main.yml @@ -3,6 +3,7 @@ httpd__supported_types: - application/pdf pdf - application/xml xml rss + - application/javascript js mjs - audio/mpeg mp3 - image/gif gif - image/jpeg jpeg jpg diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2 index 4169251..b14e6bf 100644 --- a/roles/relayd/templates/relayd.conf.j2 +++ b/roles/relayd/templates/relayd.conf.j2 @@ -23,15 +23,20 @@ http protocol "https" { tcp { sack, backlog 128 } - match request header append "X-Forwarded-For" value "$REMOTE_ADDR" - match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" - match request header set "Connection" value "close" match request header set "X-Forwarded-Proto" value "https" + # match request header append "X-Forwarded-For" value "$REMOTE_ADDR" + # match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" match request header set "X-Forwarded-For" value "$REMOTE_ADDR" match request header set "X-Forwarded-Port" value "$REMOTE_PORT" + + match response header set "X-XSS-Protection" value "1; mode=block" + match response header set "X-Content-Type-Options" value "nosniff" + + match request header set "Connection" value "close" match response header set "Content-Security-Policy" value "upgrade-insecure-requests" match response header set "Referrer-Policy" value "no-referrer" - match response header set "X-XSS-Protection" value "1; mode=block" + match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload" + {% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%} {% for rule in h.relayd__rules %} |