From 7ea5af649faf2b63d5917998d0c9a2435e2b4f24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Gon=C3=A7alves?= <me@rgoncalves.se>
Date: Mon, 1 Jul 2024 11:03:56 +0200
Subject: fix(roles/relayd): mjs mimetype and correct nextclud header

---
 roles/httpd/defaults/main.yml         |  1 +
 roles/relayd/templates/relayd.conf.j2 | 13 +++++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

(limited to 'roles')

diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml
index 5e2af25..1ddaccd 100644
--- a/roles/httpd/defaults/main.yml
+++ b/roles/httpd/defaults/main.yml
@@ -3,6 +3,7 @@
 httpd__supported_types:
   - application/pdf pdf
   - application/xml xml rss
+  - application/javascript js mjs
   - audio/mpeg mp3
   - image/gif gif
   - image/jpeg jpeg jpg
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 4169251..b14e6bf 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -23,15 +23,20 @@ http protocol "https" {
 
 	tcp { sack, backlog 128 }
 
-	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
-	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
-	match request header set "Connection" value "close"
 	match request header set "X-Forwarded-Proto" value "https"
+	# match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
+	# match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
 	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
 	match request header set "X-Forwarded-Port" value "$REMOTE_PORT"
+
+	match response header set "X-XSS-Protection" value "1; mode=block"
+	match response header set "X-Content-Type-Options" value "nosniff"
+
+	match request header set "Connection" value "close"
 	match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
 	match response header set "Referrer-Policy" value "no-referrer"
-	match response header set "X-XSS-Protection" value "1; mode=block"
+	match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
+
 
 {% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
 {% for rule in h.relayd__rules %}
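Review bot: The added `Strict-Transport-Security` value commits every host relayed through this shared `http protocol "https"` block, and all of their subdomains, to HTTPS for a year and declares preload eligibility, which is slow to reverse if any subdomain still needs plain HTTP. The line sits above the per-host loop, so it cannot be tuned per host; consider templating it, e.g. `match response header set "Strict-Transport-Security" value "{{ relayd__hsts_value }}"` (variable name constructed here), with a default of plain `max-age=31536000` until every subdomain is confirmed to serve TLS. The relocated `X-XSS-Protection "1; mode=block"` header is ignored by current browsers, and the usual guidance is to send `0` or drop it and rely on a real `Content-Security-Policy`. The two commented-out `append` lines would be better deleted than kept, with the reason for switching to `set` (it overwrites any client-supplied `X-Forwarded-For`) recorded in a one-line comment. The protocol block starts above this hunk and continues after it, so interactions with the per-host rules are not visible here.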
-- 
cgit v1.2.3