Fix CSP and cleanup
This commit is contained in:
parent
9127906790
commit
69b4b24758
|
@ -1,6 +1,5 @@
|
|||
job "matrix" {
|
||||
|
||||
|
||||
datacenters = ["dc1"]
|
||||
|
||||
|
||||
|
@ -41,14 +40,13 @@ job "matrix" {
|
|||
"traefik.enable=true",
|
||||
|
||||
"traefik.http.middlewares.matrix-headers.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;worker-src 'self' blob:;",
|
||||
|
||||
"traefik.http.routers.matrix-admin.rule=Host(`matrix.consul`) && (PathPrefix(`/_admin/`) || PathPrefix(`/_synapse/admin`))",
|
||||
"traefik.http.routers.matrix-admin.entrypoints=https",
|
||||
"traefik.http.routers.matrix-admin.middlewares=rate-limit-high@file,inflight-high@file,security-headers@file,hsts@file,compression@file",
|
||||
"traefik.http.routers.matrix-admin.middlewares=matrix-headers,rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file",
|
||||
|
||||
"traefik.http.routers.matrix.rule=Host(`matrix.consul`) || (Host(`matrix.consul`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))",
|
||||
"traefik.http.routers.matrix.entrypoints=https",
|
||||
"traefik.http.routers.matrix.middlewares=rate-limit-high@file,inflight-high@file,security-headers@file,hsts@file",
|
||||
"traefik.http.routers.matrix.middlewares=matrix-headers,rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file",
|
||||
]
|
||||
|
||||
connect {
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[[ $c := merge .matrix.synapse . -]]
|
||||
job [[ .instance | toJSON ]] {
|
||||
job "[[ .instance ]]" {
|
||||
[[ $c := merge .matrix.synapse .matrix . -]]
|
||||
|
||||
[[ template "common/job_start" $c ]]
|
||||
|
||||
|
@ -9,7 +9,7 @@ job [[ .instance | toJSON ]] {
|
|||
mode = "bridge"
|
||||
}
|
||||
|
||||
[[ template "common/volumes" .matrix.volumes ]]
|
||||
[[ template "common/volumes" $c ]]
|
||||
|
||||
service {
|
||||
name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||
|
@ -30,32 +30,33 @@ job [[ .instance | toJSON ]] {
|
|||
}
|
||||
|
||||
tags = [
|
||||
[[- $w := merge .matrix.nginx . ]]
|
||||
[[- $w := merge .matrix.nginx .matrix . ]]
|
||||
"[[ $w.traefik.instance ]].enable=[[ $w.traefik.enabled ]]",
|
||||
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $w.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
|
||||
"[[ $w.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $w.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
|
||||
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) && (PathPrefix(`/_admin/`) || PathPrefix(`/_synapse/admin`))",
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].entrypoints=[[ join $w.traefik.entrypoints "," ]]",
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $w.traefik.admin ]]",
|
||||
[[- $a := merge .matrix.nginx.admin $w ]]
|
||||
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) && (PathPrefix(`/_admin/`) || PathPrefix(`/_synapse/admin`))",
|
||||
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].entrypoints=[[ join $a.traefik.entrypoints "," ]]",
|
||||
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $a ]]",
|
||||
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) || (Host(`[[ .matrix.server_name ]]`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))",
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $w.traefik.entrypoints "," ]]",
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $w.traefik ]]",
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $w ]]",
|
||||
]
|
||||
|
||||
[[ template "common/connect" merge .matrix . ]]
|
||||
[[ template "common/connect" merge $c ]]
|
||||
}
|
||||
|
||||
[[ template "common/task.wait_for" $c ]]
|
||||
[[ template "common/task.pgpooler" $c ]]
|
||||
|
||||
task "synapse" {
|
||||
driver = [[ $c.nomad.driver | toJSON ]]
|
||||
driver = "[[ $c.nomad.driver ]]"
|
||||
leader = true
|
||||
|
||||
config {
|
||||
image = [[ $c.image | toJSON ]]
|
||||
image = "[[ $c.image ]]"
|
||||
pids_limit = 200
|
||||
readonly_rootfs = true
|
||||
}
|
||||
|
@ -91,38 +92,38 @@ _EOT
|
|||
destination = "/data"
|
||||
}
|
||||
|
||||
[[ template "common/resources" $c.resources ]]
|
||||
[[ template "common/resources" $c ]]
|
||||
}
|
||||
|
||||
[[ $c = merge .matrix.nginx . ]]
|
||||
task "nginx" {
|
||||
driver = [[ $c.nomad.driver | toJSON ]]
|
||||
driver = "[[ $c.nomad.driver ]]"
|
||||
|
||||
config {
|
||||
image = [[ $c.image | toJSON ]]
|
||||
image = "[[ $c.image ]]"
|
||||
readonly_rootfs = true
|
||||
pids_limit = 100
|
||||
volumes = [
|
||||
"local/nginx.conf:/etc/nginx/conf.d/default.conf:ro",
|
||||
]
|
||||
[[ template "common/tmpfs" dict "size" "5000000" "target" "/tmp" ]]
|
||||
[[ template "common/tmpfs" dict "size" "5000000" "target" "/tmp" ]]
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "matrix/nginx.conf.tpl" . ]]
|
||||
[[ template "matrix/nginx.conf.tpl" $c ]]
|
||||
_EOT
|
||||
destination = "local/nginx.conf"
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "matrix/element.json.tpl" . ]]
|
||||
[[ template "matrix/element.json.tpl" $c ]]
|
||||
_EOT
|
||||
destination = "local/element.json"
|
||||
}
|
||||
|
||||
[[ template "common/resources" $c.resources ]]
|
||||
[[ template "common/resources" $c ]]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -125,27 +125,10 @@ matrix:
|
|||
img-src: "'self' data: blob: https://img.youtube.com https://*.ytimg.com"
|
||||
frame-src: "'self' blob: https://scalar.vector.im/ https://meet.element.io"
|
||||
|
||||
# List of middleware to apply
|
||||
middlewares: []
|
||||
|
||||
# Override base_middlewares to remove csp-relaxed@file
|
||||
base_middlewares:
|
||||
- rate-limit-high@file
|
||||
- inflight-high@file
|
||||
- security-headers@file
|
||||
- hsts@file
|
||||
#- compression@file
|
||||
|
||||
# Admin will apply to requests directed to /_admin/ (synapse-admin) and /_synapse/admin (admin API)
|
||||
# so you can restrict it further
|
||||
admin:
|
||||
base_middlewares:
|
||||
- rate-limit-high@file
|
||||
- inflight-high@file
|
||||
- security-headers@file
|
||||
- hsts@file
|
||||
- compression@file
|
||||
middlewares: []
|
||||
# Admin will apply to requests directed to /_admin/ (synapse-admin) and /_synapse/admin (admin API)
|
||||
# so you can restrict it further
|
||||
admin:
|
||||
traefik: {}
|
||||
|
||||
# Volumes used for data persistance
|
||||
volumes:
|
||||
|
|
Loading…
Reference in New Issue