drupal-environment#14 Add webserver response headers by traefik labels

63d36e79 · jurgenhaas · d74f0303 · 63d36e79 · 63d36e79
Commit 63d36e79 authored 1 year ago by jurgenhaas
--- a/src/Handler.php
+++ b/src/Handler.php
@@ -120,6 +120,16 @@ class Handler extends BaseHandler {
      'webserver' => [
        'type' => 'apache',
        'overwriteconfig' => FALSE,
+        'responseheader' => [
+          'server' => '',
+          'strict_transport_security' => 'max-age=31536000; includeSubDomains',
+          'referrer_policy' => 'same-origin',
+          'permissions_policy' => 'accelerometer=(), camera=(), geolocation=(), gyroscope=(), microphone=(), payment=(), usb=()',
+          'cross_origin_embedder_policy' => 'unsafe-none',
+          'cross_origin_opener_policy' => 'same-origin',
+          'cross_origin_resource_policy' => 'cross-origin',
+          'x_permitted_cross_domain_policies' => 'none',
+        ],
      ],
      'mailhog' => [
        'enable' => 0,

--- a/templates/docker-compose.yml.twig
+++ b/templates/docker-compose.yml.twig
@@ -49,10 +49,8 @@ services:
    restart: unless-stopped
 {% endif %}
    environment:
-{% if mailhog.enable %}
-      PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S mailhog:1025
-{% elseif mailpit.enable %}
-      PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S mailpit:1025
+{% if mailhog.enable or mailpit.enable %}
+      PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S {% if mailhog.enable %}mailhog{% else %}mailpit{% endif %}:1025
 {% endif %}
      DB_HOST: mariadb
      DB_USER: drupal
@@ -153,6 +151,17 @@ services:
    labels:
      traefik.enable: 'true'
      traefik.docker.network: traefik-public
+      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-middleware
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-middleware.chain.middlewares: {{ webserver.type }}-{{ projectname }}-headers@docker{% if basicauth.enable %},{{ webserver.type }}-{{ projectname }}-auth@docker{% endif %}{% for domain in extradomains %},{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}@docker{% endfor %}
+
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.server: '{{ webserver.responseheader.server }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.strict-transport-security: '{{ webserver.responseheader.strict_transport_security }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.referrer-policy: '{{ webserver.responseheader.referrer_policy }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.permissions-policy: '{{ webserver.responseheader.permissions_policy }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.cross-origin-embedder-policy: '{{ webserver.responseheader.cross_origin_embedder_policy }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.cross-origin-opener-policy: '{{ webserver.responseheader.cross_origin_opener_policy }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.cross-origin-resource-policy: '{{ webserver.responseheader.cross_origin_resource_policy }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.x-permitted-cross-domain-policies: '{{ webserver.responseheader.x_permitted_cross_domain_policies }}'
 {% if basicauth.enable %}
      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-auth.basicauth.users: {{ basicauth.code }}
 {% endif %}
@@ -162,18 +171,6 @@ services:
      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.tls: 'true'
      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.tls.certresolver: lakedrops
 {% endif %}
-{% if extradomains|default([]) and basicauth.enable %}
-      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-middleware
-      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-middleware.chain.middlewares: {% for domain in extradomains %}{% if loop.index > 1 %},{% endif %}{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}@docker{% endfor %},{{ webserver.type }}-{{ projectname }}-auth@docker
-{% elseif extradomains|default([])|length == 1 %}
-      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-redirectregex1@docker
-{% elseif extradomains|default([]) %}
-      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-middleware
-      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-middleware.chain.middlewares: {% for domain in extradomains %}{% if loop.index > 1 %},{% endif %}{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}@docker{% endfor %}
-
-{% elseif basicauth.enable %}
-      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-auth@docker
-{% endif %}
 {% for domain in extradomains|default([]) %}
      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}.redirectRegex.regex: "^https://{{ domain }}/(.*)"
      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}.redirectRegex.replacement: "https://{{ projectdomain }}/$${1}"