diff options
Diffstat (limited to 'roles/relayd/templates')
-rw-r--r-- | roles/relayd/templates/relayd.conf.j2 | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2 index 4169251..b14e6bf 100644 --- a/roles/relayd/templates/relayd.conf.j2 +++ b/roles/relayd/templates/relayd.conf.j2 @@ -23,15 +23,20 @@ http protocol "https" { tcp { sack, backlog 128 } - match request header append "X-Forwarded-For" value "$REMOTE_ADDR" - match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" - match request header set "Connection" value "close" match request header set "X-Forwarded-Proto" value "https" + # match request header append "X-Forwarded-For" value "$REMOTE_ADDR" + # match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" match request header set "X-Forwarded-For" value "$REMOTE_ADDR" match request header set "X-Forwarded-Port" value "$REMOTE_PORT" + + match response header set "X-XSS-Protection" value "1; mode=block" + match response header set "X-Content-Type-Options" value "nosniff" + + match request header set "Connection" value "close" match response header set "Content-Security-Policy" value "upgrade-insecure-requests" match response header set "Referrer-Policy" value "no-referrer" - match response header set "X-XSS-Protection" value "1; mode=block" + match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload" + {% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%} {% for rule in h.relayd__rules %} |