diff --git a/roles/authelia/tasks/authelia.yml b/roles/authelia/tasks/authelia.yml
index 1f170a0..5af9891 100644
--- a/roles/authelia/tasks/authelia.yml
+++ b/roles/authelia/tasks/authelia.yml
@@ -48,6 +48,17 @@
- authelia-config
notify: restart authelia container
+- name: template robots.txt
+ template:
+ src: "robots.txt.j2"
+ dest: "{{ systemuserlist.authelia.home }}/robots.txt"
+ owner: authelia
+ group: authelia
+ mode: 0755
+ tags:
+ - authelia-nginx
+ notify: reload nginx
+
- name: template nginx vhost
template:
src: 01-authelia.conf.j2
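Review bot: `mode: 0755` on the new robots.txt task is an unquoted octal, which Ansible parses ambiguously and warns about, and it sets the execute bit on a plain text file that nginx only needs to read; `mode: "0644"` is the least-privilege form. The file lands in `{{ systemuserlist.authelia.home }}` owned by authelia:authelia, and the vhost change in this same commit aliases it from there, so the nginx worker user also needs traverse permission on that home directory, which is often not the case for a service user's home — worth a one-line comment on the task or a check in the role. The rest of the task list is outside the hunk.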
diff --git a/roles/authelia/templates/01-authelia.conf.j2 b/roles/authelia/templates/01-authelia.conf.j2
index 7abe14a..cec4970 100644
--- a/roles/authelia/templates/01-authelia.conf.j2
+++ b/roles/authelia/templates/01-authelia.conf.j2
@@ -48,13 +48,20 @@ server {
proxy_buffers 64 256k;
}
+ # the robots.txt file that authelia serves allows search engine
+ location = /robots.txt {
+ alias {{ systemuserlist.authelia.home }}/robots.txt;
+ }
+ # swagger: https://login.sudo.is/api/#/
location /api/verify {
return 403;
}
- location /api/health {
- return 403;
- }
+ # only returns {"status": "OK"}, which is also included in /api/state anyway, which clients
+ # seem to access according to logs so cant deny those requests.
+ # location /api/health {
+ # return 403;
+ # }
access_log /var/log/nginx/access_{{ authelia_login_url }}.log main;
error_log /var/log/nginx/error_{{ authelia_login_url }}.log warn;
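Review bot: The comment above `location = /robots.txt` stops mid-sentence ("allows search engine"), so the reason for overriding the file is not actually recorded; suggest `# authelia's own robots.txt presumably allows search-engine indexing; serve the disallow-all robots.txt.j2 from this role instead`. The three `# location /api/health … # }` lines below are dead text that git history already keeps, and the explanatory comment above them is sufficient on its own, so they can be dropped. With the 403 gone, `/api/health` on this vhost presumably falls through to the catch-all location, which is outside the hunk, so it is now answered by Authelia for any client; the comment says that is intended, but the catch-all itself is not visible here.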
@@ -72,8 +79,6 @@ server {
server {
- #listen 443 ssl http2;
-
{% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2 default_server;
{% endif -%}
@@ -113,7 +118,7 @@ server {
}
- location /api/health {
+ location /api {
proxy_pass http://{{ bridgewithdns.authelia}}:{{ authelia_port }};
proxy_redirect off;
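Review bot: Changing `location /api/health` to `location /api` widens this proxy from one endpoint to the whole Authelia API on this listener, including `/api/verify`, which the first server block in this file deliberately answers with 403; if only the health check was needed here, `location = /api/health {` keeps the original scope, otherwise a comment saying why the full API is exposed on this listener would help the next reader. From the earlier hunk this server block appears to listen on the WireGuard address, so the exposure is presumably internal-only, but that is inferred. The enclosing server block starts and ends outside the hunk.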
diff --git a/roles/authelia/templates/robots.txt.j2 b/roles/authelia/templates/robots.txt.j2
new file mode 100644
index 0000000..1f53798
--- /dev/null
+++ b/roles/authelia/templates/robots.txt.j2
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
diff --git a/roles/jellyfin/templates/01-jellyfin.j2 b/roles/jellyfin/templates/01-jellyfin.j2
index d3ab59a..54eb0b1 100644
--- a/roles/jellyfin/templates/01-jellyfin.j2
+++ b/roles/jellyfin/templates/01-jellyfin.j2
@@ -56,14 +56,14 @@ server {
# attempting to fix the title with nginx
{% set jellyfin_title = jellyfin_url.split(".")[0].capitalize() %}
- sub_filter '
Jellyfin' '{{ jellyfin_title }}';
- sub_filter 'document.title="Jellyfin"' 'document.title="{{ jellyfin_title }}"';
- sub_filter 'document.title=e||"Jellyfin"' 'document.title=e||"{{ jellyfin_title }}"';
- sub_filter 'document.title=B.ZP.translateHtml(document.title,"core")' 'document.title="{{ jellyfin_title }}"';
- # in addition to “text/html”.
- sub_filter_types application/javascript;
- sub_filter_last_modified on;
- sub_filter_once off;
+ #sub_filter 'Jellyfin' '{{ jellyfin_title }}';
+ #sub_filter 'document.title="Jellyfin"' 'document.title="{{ jellyfin_title }}"';
+ #sub_filter 'document.title=e||"Jellyfin"' 'document.title=e||"{{ jellyfin_title }}"';
+ #sub_filter 'document.title=B.ZP.translateHtml(document.title,"core")' 'document.title="{{ jellyfin_title }}"';
+ ## in addition to “text/html”.
+ #sub_filter_types application/javascript;
+ #sub_filter_last_modified on;
+ #sub_filter_once off;
location = / {
return 302 https://$host/web/;
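Review bot: The eight `#sub_filter…` lines are the old directives kept as commented-out dead configuration, with nothing saying whether the title rewrite is disabled temporarily or for good; git history already preserves them, so either drop them or replace the block with one line such as `# sub_filter title rewrite disabled: <reason>`. Once they are gone, the `{% set jellyfin_title = … %}` context line at the top of the hunk is no longer used anywhere visible here and should probably go too, unless it is referenced elsewhere in the template. The enclosing server block starts outside the hunk.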
@@ -126,6 +126,17 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
{% endfor %}
+ location = /_health {
+ proxy_pass http://127.0.0.1:{{ jellyfin_port }}/health;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ {# hide_header 'content-security-policy';
+ # hide_header 'x-response-time-ms';
+ # hide_header 'x-frame-options';
+ # hide_header 'x-xss-protection';
+ # hide_header 'last-modified'; #}
+ }
+
{# location /videos/ {
# # cache video streams: https://jellyfin.org/docs/general/networking/nginx.html#cache-video-streams
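Review bot: The `{# hide_header … #}` Jinja-commented block inside the new `/_health` location is dead configuration with no note on why it is kept; either remove it or leave a single line such as `{# TODO: decide whether to proxy_hide_header CSP / x-frame-options on /_health #}`. If it is ever re-enabled, the directive is `proxy_hide_header`, not `hide_header`, which nginx does not have. The enclosing server block starts and ends outside the hunk.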
diff --git a/roles/matrix-nginx/templates/01-matrix.j2 b/roles/matrix-nginx/templates/01-matrix.j2
index 8a5fbdf..ca95ecd 100644
--- a/roles/matrix-nginx/templates/01-matrix.j2
+++ b/roles/matrix-nginx/templates/01-matrix.j2
@@ -34,19 +34,11 @@ server {
}
- location /health {
- allow 127.0.0.1;
- {% if inventory_hostname in my_public_ips -%}
- allow {{ my_public_ips[inventory_hostname] }}/32;
- {% endif -%}
- allow {{ my_public_ips[ansible_control_host] }}/32;
- allow {{ wireguard_cidr }};
- deny all;
- proxy_pass http://{{ bridgewithdns.matrix }}:{{ matrix_synapse_port }};
+ location = /_health {
+ proxy_pass http://{{ bridgewithdns.matrix }}:{{ matrix_synapse_port }}/health;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
-
}
location ~* ^(\/_matrix|\/_synapse\/client) {
# working around this issue that seems to still be hapening
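Review bot: The rewrite of `/health` into `location = /_health` drops the `allow 127.0.0.1`, `allow … /32`, `allow {{ wireguard_cidr }}` and `deny all` lines, so the synapse health endpoint is now reachable from any client that can reach this vhost, while the influxdb template in the same commit keeps an allow-list in front of its `/health`. If opening it up is intended, for example for an external uptime checker, a comment on the location saying so would stop the next reader from restoring the allow-list; otherwise those four lines should be carried over into the new block. The same applies to the `/_health` location added to the jellyfin template in this commit, which has no access restriction either. The enclosing server block starts and ends outside the hunk.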
diff --git a/roles/monitoring-server/templates/01-influxdb.j2 b/roles/monitoring-server/templates/01-influxdb.j2
index 6bf88a7..2ed496d 100644
--- a/roles/monitoring-server/templates/01-influxdb.j2
+++ b/roles/monitoring-server/templates/01-influxdb.j2
@@ -8,7 +8,21 @@ server {
include /etc/nginx/listen-proxy-protocol.conf;
server_name {{ influxdb_url }};
- location ~ ^/(ping|metrics|status) {
+ location /ping {
+ # if /ping?verbose=true, it leaks the version
+ set $args '';
+
+ proxy_pass http://127.0.0.1:{{ influxdb_port }};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ }
+
+ location ~ ^/(metrics|health|debug) {
+ # /health will leak version number
+ # /metrics are private
+ # /debug is also private
allow 127.0.0.1;
{% if inventory_hostname in my_public_ips -%}
allow {{ my_public_ips[inventory_hostname] }}/32;