From 7ea5af649faf2b63d5917998d0c9a2435e2b4f24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Gon=C3=A7alves?= Date: Mon, 1 Jul 2024 11:03:56 +0200 Subject: fix(roles/relayd): mjs mimetype and correct nextclud header --- roles/httpd/defaults/main.yml | 1 + roles/relayd/templates/relayd.conf.j2 | 13 +++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) (limited to 'roles') diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml index 5e2af25..1ddaccd 100644 --- a/roles/httpd/defaults/main.yml +++ b/roles/httpd/defaults/main.yml @@ -3,6 +3,7 @@ httpd__supported_types: - application/pdf pdf - application/xml xml rss + - application/javascript js mjs - audio/mpeg mp3 - image/gif gif - image/jpeg jpeg jpg diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2 index 4169251..b14e6bf 100644 --- a/roles/relayd/templates/relayd.conf.j2 +++ b/roles/relayd/templates/relayd.conf.j2 @@ -23,15 +23,20 @@ http protocol "https" { tcp { sack, backlog 128 } - match request header append "X-Forwarded-For" value "$REMOTE_ADDR" - match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" - match request header set "Connection" value "close" match request header set "X-Forwarded-Proto" value "https" + # match request header append "X-Forwarded-For" value "$REMOTE_ADDR" + # match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" match request header set "X-Forwarded-For" value "$REMOTE_ADDR" match request header set "X-Forwarded-Port" value "$REMOTE_PORT" + + match response header set "X-XSS-Protection" value "1; mode=block" + match response header set "X-Content-Type-Options" value "nosniff" + + match request header set "Connection" value "close" match response header set "Content-Security-Policy" value "upgrade-insecure-requests" match response header set "Referrer-Policy" value "no-referrer" - match response header set "X-XSS-Protection" value "1; mode=block" + match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload" + {% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%} {% for rule in h.relayd__rules %} -- cgit v1.2.3