added header flags back in.

2025-06-25 18:57:50 +02:00 · 2024-10-01 17:04:11 +10:00
parent 6c8923ae28
commit 2b4fdea70f
6 changed files with 78 additions and 78 deletions
--- a/roles/custom/matrix-livekit-server/defaults/main.yml
+++ b/roles/custom/matrix-livekit-server/defaults/main.yml
@ -32,18 +32,18 @@ matrix_livekit_server_container_labels_traefik_tls_certResolver: default  # noqa

 # Controls which additional headers to attach to all HTTP responses.
 # To add your own headers, use `matrix_livekit_server_container_labels_traefik_additional_response_headers_custom`
-#matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}"
-#matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: |
-#  {{
-#    {}
-#    | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {})
-#    | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {})
-#    | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {})
-#    | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {})
-#    | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {})
-#    | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {})
-#  }}
-#matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {}
+matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: |
+  {{
+    {}
+    | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {})
+    | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {})
+    | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {})
+    | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {})
+    | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {})
+    | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {})
+  }}
+matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {}

 # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
@ -69,27 +69,27 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke
 # Learn more about it is here:
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 # - https://portswigger.net/web-security/cross-site-scripting/reflected
-#matrix_livekit_server_http_header_xss_protection: "1; mode=block"
+matrix_livekit_server_http_header_xss_protection: ''

 # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
-#matrix_livekit_server_http_header_frame_options: SAMEORIGIN
+matrix_livekit_server_http_header_frame_options: ''

 # Specifies the value of the `X-Content-Type-Options` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
-#matrix_livekit_server_http_header_content_type_options: nosniff
+matrix_livekit_server_http_header_content_type_options: ''

 # Specifies the value of the `Content-Security-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-#matrix_livekit_server_http_header_content_security_policy: frame-ancestors 'self'
+matrix_livekit_server_http_header_content_security_policy: ''

 # Specifies the value of the `Permission-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
-#matrix_livekit_server_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_livekit_server_floc_optout_enabled else '' }}"
+matrix_livekit_server_http_header_content_permission_policy: ''

 # Specifies the value of the `Strict-Transport-Security` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
-#matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_livekit_server_hsts_preload_enabled else '' }}"
+matrix_livekit_server_http_header_strict_transport_security: ''

 # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
 #
@ -100,7 +100,7 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke
 #
 # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
 # See: `matrix_livekit_server_content_permission_policy`
-#matrix_livekit_server_floc_optout_enabled: true
+matrix_livekit_server_floc_optout_enabled: false

 # Controls if HSTS preloading is enabled
 #
@ -112,4 +112,4 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # - https://hstspreload.org/#opt-in
 # See: `matrix_livekit_server_http_header_strict_transport_security`
-#matrix_livekit_server_hsts_preload_enabled: true
+matrix_livekit_server_hsts_preload_enabled: true
--- a/roles/custom/matrix-livekit-server/templates/labels.j2
+++ b/roles/custom/matrix-livekit-server/templates/labels.j2
@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes
 {% set middlewares = middlewares + ['matrix-livekit-server-strip-prefix'] %}
 {% endif %}

-#{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
-#{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %}
-#traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
-#{% endfor %}
-#{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %}
-#{% endif %}
+{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %}
+{% endif %}

 traefik.http.routers.matrix-livekit-server.rule={{ matrix_livekit_server_container_labels_traefik_rule }}
 {% if matrix_livekit_server_container_labels_traefik_priority | int > 0 %}