roles/authelia/tasks/authelia.yml

@@ -48,6 +48,17 @@
     - authelia-config
   notify: restart authelia container
 
+- name: template robots.txt
+  template:
+    src: "robots.txt.j2"
+    dest: "{{ systemuserlist.authelia.home }}/robots.txt"
+    owner: authelia
+    group: authelia
+    mode: 0755
+  tags:
+    - authelia-nginx
+  notify: reload nginx
+
 - name: template nginx vhost
   template:
     src: 01-authelia.conf.j2

roles/authelia/templates/01-authelia.conf.j2

@@ -48,13 +48,20 @@ server {
     proxy_buffers 64 256k;
   }
 
+  # the robots.txt file that authelia serves allows search engine
+  location = /robots.txt {
+      alias {{ systemuserlist.authelia.home }}/robots.txt;
+  }
 
+  # swagger: https://login.sudo.is/api/#/
   location /api/verify {
     return 403;
   }
-  location /api/health {
-    return 403;
-  }
+  # only returns {"status": "OK"}, which is also included in /api/state anyway, which clients
+  # seem to access according to logs so cant deny those requests.
+  # location /api/health {
+  #   return 403;
+  # }
 
   access_log /var/log/nginx/access_{{ authelia_login_url }}.log main;
   error_log /var/log/nginx/error_{{ authelia_login_url }}.log warn;
@@ -72,8 +79,6 @@ server {
 
 server {
 
-  #listen 443 ssl http2;
-
   {% if inventory_hostname in wg_clients -%}
   listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2 default_server;
   {% endif -%}
@@ -113,7 +118,7 @@ server {
 
   }
 
-  location /api/health {
+  location /api {
     proxy_pass         http://{{ bridgewithdns.authelia}}:{{ authelia_port }};
 
     proxy_redirect     off;

roles/authelia/templates/robots.txt.j2

@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /

roles/jellyfin/templates/01-jellyfin.j2

@@ -56,14 +56,14 @@ server {
 
     # attempting to fix the title with nginx
     {% set jellyfin_title = jellyfin_url.split(".")[0].capitalize() %}
-    sub_filter '<title>Jellyfin</title>' '<title>{{ jellyfin_title }}</title>';
-    sub_filter 'document.title="Jellyfin"' 'document.title="{{ jellyfin_title }}"';
-    sub_filter 'document.title=e||"Jellyfin"' 'document.title=e||"{{ jellyfin_title }}"';
-    sub_filter 'document.title=B.ZP.translateHtml(document.title,"core")' 'document.title="{{ jellyfin_title }}"';
-    # in addition to “text/html”.
-    sub_filter_types application/javascript;
-    sub_filter_last_modified on;
-    sub_filter_once off;
+    #sub_filter '<title>Jellyfin</title>' '<title>{{ jellyfin_title }}</title>';
+    #sub_filter 'document.title="Jellyfin"' 'document.title="{{ jellyfin_title }}"';
+    #sub_filter 'document.title=e||"Jellyfin"' 'document.title=e||"{{ jellyfin_title }}"';
+    #sub_filter 'document.title=B.ZP.translateHtml(document.title,"core")' 'document.title="{{ jellyfin_title }}"';
+    ## in addition to “text/html”.
+    #sub_filter_types application/javascript;
+    #sub_filter_last_modified on;
+    #sub_filter_once off;
 
     location = / {
         return 302 https://$host/web/;
@@ -126,6 +126,17 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
     {% endfor %}
+    location = /_health {
+        proxy_pass http://127.0.0.1:{{ jellyfin_port }}/health;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        {# hide_header 'content-security-policy';
+         # hide_header 'x-response-time-ms';
+         # hide_header 'x-frame-options';
+         # hide_header 'x-xss-protection';
+         # hide_header 'last-modified'; #}
+    }
+
 
     {# location /videos/ {
      #     # cache video streams: https://jellyfin.org/docs/general/networking/nginx.html#cache-video-streams

roles/matrix-nginx/templates/01-matrix.j2

@@ -34,19 +34,11 @@ server {
   }
 
 
-  location /health {
-    allow 127.0.0.1;
-    {% if inventory_hostname in my_public_ips -%}
-    allow {{ my_public_ips[inventory_hostname] }}/32;
-    {% endif -%}
-    allow {{ my_public_ips[ansible_control_host] }}/32;
-    allow {{ wireguard_cidr }};
-    deny all;
-    proxy_pass http://{{ bridgewithdns.matrix }}:{{ matrix_synapse_port }};
+  location = /_health {
+    proxy_pass http://{{ bridgewithdns.matrix }}:{{ matrix_synapse_port }}/health;
     proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header Host $host;
-
   }
   location ~* ^(\/_matrix|\/_synapse\/client) {
       # working around this issue that seems to still be hapening

roles/monitoring-server/templates/01-influxdb.j2

@@ -8,7 +8,21 @@ server {
   include /etc/nginx/listen-proxy-protocol.conf;
   server_name {{ influxdb_url }};
 
-  location ~ ^/(ping|metrics|status) {
+  location /ping {
+    # if /ping?verbose=true, it leaks the version
+    set $args '';
+
+    proxy_pass         http://127.0.0.1:{{ influxdb_port }};
+    proxy_set_header   Host $host;
+    proxy_set_header   X-Real-IP $remote_addr;
+    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   X-Forwarded-Host $server_name;
+  }
+
+  location ~ ^/(metrics|health|debug) {
+    # /health will leak version number
+    # /metrics are private
+    # /debug is also private
     allow 127.0.0.1;
     {% if inventory_hostname in my_public_ips -%}
     allow {{ my_public_ips[inventory_hostname] }}/32;