From 5862e8354adc8e9674155d95c12d1f45107691de Mon Sep 17 00:00:00 2001
From: AtomHare
Date: Sun, 19 Sep 2021 00:59:50 +0200
Subject: [PATCH] Update varnish and headers (#4)
* update varnish
* update headers
* Indent with 4 spaces.
Co-authored-by: FireMasterK <20838718+FireMasterK@users.noreply.github.com>
---
template/Caddyfile | 98 ++++++++++++++++++++++++++-----------
template/docker-compose.yml | 2 +-
2 files changed, 70 insertions(+), 30 deletions(-)
diff --git a/template/Caddyfile b/template/Caddyfile
index 0aabe7c..0a7c15b 100644
--- a/template/Caddyfile
+++ b/template/Caddyfile
@@ -1,48 +1,88 @@ { - servers :443 { - protocol { - experimental_http3 - } - } + servers :443 { + protocol { + experimental_http3 + } + } } FRONTEND_HOSTNAME { - reverse_proxy pipedfrontend:80 + reverse_proxy pipedfrontend:80 + header { + # disable FLoC tracking + Permissions-Policy interest-cohort=() + + # enable HSTS + Strict-Transport-Security max-age=31536000; + + # keep referrer data off + Referrer-Policy no-referrer + + # prevent for appearing in search engine for private instances (option) + #X-Robots-Tag noindex + } } BACKEND_HOSTNAME { - reverse_proxy varnish:80 + reverse_proxy varnish:80 + header { + # disable FLoC tracking + Permissions-Policy interest-cohort=() + + # enable HSTS + Strict-Transport-Security max-age=31536000; + + # keep referrer data off + Referrer-Policy no-referrer + + # prevent for appearing in search engine for private instances (option) + #X-Robots-Tag noindex + } } PROXY_HOSTNAME { - @ytproxy path /videoplayback* /api/v4/* /api/manifest/* + @ytproxy path /videoplayback* /api/v4/* /api/manifest/* - @optionscall { - method OPTIONS - } - - header Access-Control-Allow-Origin * - header Access-Control-Allow-Headers * - - route { - - header @ytproxy { - Cache-Control private always + @optionscall { + method OPTIONS } - header / { - Cache-Control "public, max-age=604800" + header { + Access-Control-Allow-Origin * + Access-Control-Allow-Headers * + + # disable FLoC tracking + Permissions-Policy interest-cohort=() + + # enable HSTS + Strict-Transport-Security max-age=31536000; + + # keep referrer data off + Referrer-Policy no-referrer + + # prevent for appearing in search engine for private instances (option) + #X-Robots-Tag noindex } - respond @optionscall 200 + route { - reverse_proxy unix//var/run/ytproxy/http-proxy.sock { - header_up -CF-Connecting-IP - header_up -X-Forwarded-For - header_down -Access-Control-Allow-Origin - header_down -etag - header_down -alt-svc + header @ytproxy { + Cache-Control private always + } + + header / { + 
Cache-Control "public, max-age=604800" + } + + respond @optionscall 200 + + reverse_proxy unix//var/run/ytproxy/http-proxy.sock { + header_up -CF-Connecting-IP + header_up -X-Forwarded-For + header_down -Access-Control-Allow-Origin + header_down -etag + header_down -alt-svc + } } - } } diff --git a/template/docker-compose.yml b/template/docker-compose.yml index aad90c1..5e0e79e 100644 --- a/template/docker-compose.yml +++ b/template/docker-compose.yml @@ -21,7 +21,7 @@ services: - postgres container_name: piped-backend varnish: - image: varnish:6.6-alpine + image: varnish:7.0-alpine restart: unless-stopped volumes: - ./config/default.vcl:/etc/varnish/default.vcl:ro
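Review bot: In the `route` block of PROXY_HOSTNAME, `Cache-Control private always` under `header @ytproxy` does not set the value `private`: given three tokens, Caddy's `header` directive reads them as field, find and replace, so the line rewrites the substring `private` to `always` in whatever Cache-Control the response already carries (the trailing `always` looks carried over from nginx's `add_header`). If the intent is to keep proxied `/videoplayback*` and `/api/*` responses out of shared caches, the line should read `Cache-Control private`. Likewise `header / { … }` uses `/` as a path matcher, which in Caddy v2 matches only the exact root path, so the `public, max-age=604800` rule probably covers far fewer responses than intended; please confirm which paths were meant. Separately, the same security-header block is pasted into all three site blocks and could live in one snippet that each site imports, so a later HSTS or Referrer-Policy change cannot drift between hosts.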