kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-10-09 18:28:10 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
aa19a97ed62b7e79440e6ec324968e3e3e2d8fce
computer-playbook/roles/web-app-bluesky/templates/extra_locations.conf.j2
Kevin Veen-Birkenbach aa19a97ed6 CORS/CSP hardening & centralization 
- Add reusable Nginx include: roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2
  (dynamic ACAO/credentials/methods/headers via role vars)
- Set global 'Vary: Origin' in nginx.conf.j2 to prevent cache poisoning
- CSP: allow Simple Icons via connect-src when feature is enabled
- Front proxy: rename vars to lowercase + flush handlers after config deploy
- Desktop: gate & load Simple Icons role; inject brand logos when enabled
- Bluesky + Logout: replace inline CORS with centralized include
- Simpleicons: public CORS (ACAO='*', no credentials), keep GET/OPTIONS, allow headers
- Taiga: adjust canonical domain to taiga.kanban.{{ PRIMARY_DOMAIN }}
- LibreTranslate: remove unused images/versions keys

Fixes: https://open.project.infinito.nexus/projects/cymais/work_packages/342/activity
Discussion: https://chatgpt.com/share/68da5e27-ffd4-800f-91a3-0ef103058d44
2025-09-29 12:23:58 +02:00

30 lines
1.1 KiB
Django/Jinja
Raw Blame History

# Injected by web-app-bluesky (same pattern as web-app-yourls)
# Exposes a same-origin /config to avoid CORS when the social-app fetches config.
location = /config {
proxy_pass {{ BLUESKY_CONFIG_UPSTREAM_URL }};
{# Just extract hostname #}
set $up_host "{{ BLUESKY_CONFIG_UPSTREAM_URL | regex_replace('^https?://', '') | regex_replace('/.*$', '') }}";
proxy_set_header Host $up_host;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_ssl_server_name on;
{# Access Control Allow Configurations #}
proxy_hide_header Access-Control-Allow-Origin;
{% include 'roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2' %}
}
location = /ipcc {
proxy_pass https://bsky.app/ipcc;
set $up_host "bsky.app";
proxy_set_header Host $up_host;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_ssl_server_name on;
{# Access Control Allow Configurations #}
proxy_hide_header Access-Control-Allow-Origin;
{% include 'roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2' %}
}
Reference in New Issue View Git Blame Copy Permalink