Diffstat (limited to 'roles/relayd')
-rw-r--r--roles/relayd/templates/relayd.conf.j213
1 files changed, 9 insertions, 4 deletions
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 4169251..b14e6bf 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -23,15 +23,20 @@ http protocol "https" {
tcp { sack, backlog 128 }
- match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
- match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
- match request header set "Connection" value "close"
match request header set "X-Forwarded-Proto" value "https"
+ # match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
+ # match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-Port" value "$REMOTE_PORT"
+
+ match response header set "X-XSS-Protection" value "1; mode=block"
+ match response header set "X-Content-Type-Options" value "nosniff"
+
+ match request header set "Connection" value "close"
match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
match response header set "Referrer-Policy" value "no-referrer"
- match response header set "X-XSS-Protection" value "1; mode=block"
+ match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
+
{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
{% for rule in h.relayd__rules %}
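Review bot: The added `Strict-Transport-Security` line commits every host rendered from this template to `includeSubDomains; preload` for a year, which also binds subdomains this relay may not serve and is slow to reverse once a domain is on a browser preload list. Consider taking the value from a role variable with a conservative default such as `max-age=31536000`, and opting into the other two directives per deployment. The two `X-Forwarded-*` lines left commented out would be better deleted or given a reason, for example `# append disabled: "set" below replaces any client-supplied X-Forwarded-For`. `X-XSS-Protection: 1; mode=block` is only moved by this change, but current browsers have deprecated it and the CSP shown (`upgrade-insecure-requests`) places no restriction on scripts, so the pair is worth revisiting. The `http protocol "https"` block starts above this hunk and continues past it.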