From 63d36e79301df3d8874572cd2bef3c59d2e82e8f Mon Sep 17 00:00:00 2001
From: jurgenhaas <juergen.haas@lakedrops.com>
Date: Fri, 16 Feb 2024 15:14:05 +0100
Subject: [PATCH] composer/plugin/drupal-environment#14 Add webserver response headers by traefik labels
---
 src/Handler.php | 10 ++++++++++
 templates/docker-compose.yml.twig | 29 +++++++++++++----------------
 2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/src/Handler.php b/src/Handler.php
index 7457e49..5ea429a 100644
--- a/src/Handler.php
+++ b/src/Handler.php
@@ -120,6 +120,16 @@ class Handler extends BaseHandler {
 'webserver' => [
 'type' => 'apache',
 'overwriteconfig' => FALSE,
+ 'responseheader' => [
+ 'server' => '',
+ 'strict_transport_security' => 'max-age=31536000; includeSubDomains',
+ 'referrer_policy' => 'same-origin',
+ 'permissions_policy' => 'accelerometer=(), camera=(), geolocation=(), gyroscope=(), microphone=(), payment=(), usb=()',
+ 'cross_origin_embedder_policy' => 'unsafe-none',
+ 'cross_origin_opener_policy' => 'same-origin',
+ 'cross_origin_resource_policy' => 'cross-origin',
+ 'x_permitted_cross_domain_policies' => 'none',
+ ],
 ],
 'mailhog' => [
 'enable' => 0,
diff --git a/templates/docker-compose.yml.twig b/templates/docker-compose.yml.twig
index 6faa1de..a4dffcb 100644
--- a/templates/docker-compose.yml.twig
+++ b/templates/docker-compose.yml.twig
@@ -49,10 +49,8 @@ services:
 restart: unless-stopped
 {% endif %}
 environment:
-{% if mailhog.enable %}
- PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S mailhog:1025
-{% elseif mailpit.enable %}
- PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S mailpit:1025
+{% if mailhog.enable or mailpit.enable %}
+ PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S {% if mailhog.enable %}mailhog{% else %}mailpit{% endif %}:1025
 {% endif %}
 DB_HOST: mariadb
 DB_USER: drupal 
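Review bot: The new `responseheader` defaults carry no comment, and `'server' => ''` reads like an accidentally empty value unless the reader knows that Traefik's customResponseHeaders removes a header whose value is empty; a comment such as `// Empty value makes Traefik strip the header (hides the Server banner).` above that line would save the next maintainer a lookup. The HSTS default `max-age=31536000; includeSubDomains` also deserves a why-comment, because `includeSubDomains` commits every subdomain of the project domain to HTTPS for a year in any browser that sees the header, which can be wider than intended for shared or development domains. `cross_origin_embedder_policy => 'unsafe-none'` and `cross_origin_resource_policy => 'cross-origin'` are the permissive browser-default values, so those two entries are no stricter than not sending the header at all; if that is deliberate, a comment saying so avoids a later "tighten this" change made without context. There is no entry for `X-Content-Type-Options` or `X-Frame-Options`; if those are expected to come from Drupal or the webserver configuration rather than Traefik, one line stating that prevents a second, conflicting copy being added here. The enclosing defaults array starts and ends outside the hunk.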
@@ -153,6 +151,17 @@ services:
 labels:
 traefik.enable: 'true'
 traefik.docker.network: traefik-public
+ traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-middleware
+ traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-middleware.chain.middlewares: {{ webserver.type }}-{{ projectname }}-headers@docker{% if basicauth.enable %},{{ webserver.type }}-{{ projectname }}-auth@docker{% endif %}{% for domain in extradomains %},{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}@docker{% endfor %}
+
+ traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.server: '{{ webserver.responseheader.server }}'
+ traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.strict-transport-security: '{{ webserver.responseheader.strict_transport_security }}'
+ traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.referrer-policy: '{{ webserver.responseheader.referrer_policy }}'
+ traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.permissions-policy: '{{ webserver.responseheader.permissions_policy }}'
+ traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.cross-origin-embedder-policy: '{{ webserver.responseheader.cross_origin_embedder_policy }}'
+ traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.cross-origin-opener-policy: '{{ webserver.responseheader.cross_origin_opener_policy }}'
+ traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.cross-origin-resource-policy: '{{ webserver.responseheader.cross_origin_resource_policy }}'
+ traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.x-permitted-cross-domain-policies: '{{ 
webserver.responseheader.x_permitted_cross_domain_policies }}'
 {% if basicauth.enable %}
 traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-auth.basicauth.users: {{ basicauth.code }}
 {% endif %} 
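Review bot: The new chain line iterates `{% for domain in extradomains %}` without the `|default([])` filter that the rest of the template applies (the retained `{% for domain in extradomains|default([]) %}` further down, and the removed `{% if extradomains|default([]) ... %}` guard that used to protect this loop), so when `extradomains` is not configured the rendering now depends on Twig's strict_variables setting instead of on the template; use `{% for domain in extradomains|default([]) %}` here as well. The middleware order has also changed relative to the removed block: it was the redirectregex middlewares followed by auth, and is now headers, auth, then the redirects, so a request for an extra domain is challenged for basic auth before it is redirected to the project domain; the commit message does not mention this, so confirm it is intended. Every `customresponseheaders.*` value is interpolated raw into a single-quoted YAML scalar, which is fine for the shipped defaults but produces an invalid compose file for any configured value containing a `'`; the values come from project configuration rather than request data, so the failure mode is a broken deployment rather than injection, but a short comment on that constraint next to the first header label would help. The `labels:` mapping this hunk sits in continues outside the hunk.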
@@ -162,18 +171,6 @@ services:
 traefik.http.routers.{{ webserver.type }}-{{ projectname }}.tls: 'true'
 traefik.http.routers.{{ webserver.type }}-{{ projectname }}.tls.certresolver: lakedrops
 {% endif %}
-{% if extradomains|default([]) and basicauth.enable %}
- traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-middleware
- traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-middleware.chain.middlewares: {% for domain in extradomains %}{% if loop.index > 1 %},{% endif %}{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}@docker{% endfor %},{{ webserver.type }}-{{ projectname }}-auth@docker
-{% elseif extradomains|default([])|length == 1 %}
- traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-redirectregex1@docker
-{% elseif extradomains|default([]) %}
- traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-middleware
- traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-middleware.chain.middlewares: {% for domain in extradomains %}{% if loop.index > 1 %},{% endif %}{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}@docker{% endfor %}
-
-{% elseif basicauth.enable %}
- traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-auth@docker
-{% endif %}
 {% for domain in extradomains|default([]) %}
 traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}.redirectRegex.regex: "^https://{{ domain }}/(.*)"
 traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}.redirectRegex.replacement: "https://{{ projectdomain }}/$${1}"
-- 
GitLab