Websocket, Cloudflare tunnel, apache httpd and a bit of security
Here we are
Why
I've recently updated part of my private infrastructure to better handle some security aspects, and in doing so I opened Pandora's box.
Starting point
This is one of the scenarios (the one that drove me crazy) where websockets are in use: Grafana, since version 8.x, uses websockets to update dashboards.
The original idea was to define a "role" for each aspect:
- VMware ESXi as a "flat" platform to abstract hardware brands, extend portability, handle backups, etc.
- Kubernetes for all the workloads that can be run as immutable images
- Virtual machines when I need disk pressure

The code used for the Cloudflare Worker was the following:
```javascript
// Headers added to every HTML response served through the Worker
const securityHeaders = {
  "Content-Security-Policy": "upgrade-insecure-requests",
  "Strict-Transport-Security": "max-age=3600;includeSubdomains",
  "X-Xss-Protection": "1; mode=block",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Permissions-Policy": "geolocation=()",
  "Referrer-Policy": "strict-origin-when-cross-origin"
};

async function addHeaders(req) {
  const response = await fetch(req),
    newHeaders = new Headers(response.headers),
    setHeaders = Object.assign({}, securityHeaders);

  // Non-HTML responses (API JSON, images, ...) are returned without the extra headers
  if (newHeaders.has("Content-Type") && !newHeaders.get("Content-Type").includes("text/html")) {
    return new Response(response.body, {
      status: response.status,
      statusText: response.statusText,
      headers: newHeaders
    });
  }

  // HTML: overwrite with the security headers and return a new response
  Object.keys(setHeaders).forEach(name => newHeaders.set(name, setHeaders[name]));
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: newHeaders
  });
}

addEventListener("fetch", event => event.respondWith(addHeaders(event.request)));
```
Anyway, the Cloudflare developer portal now has a specific page about altering headers for security: https://developers.cloudflare.com/workers/examples/security-headers/
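As an added example (my own code, not the post's Worker or Cloudflare's sample), here is the same header injection restructured so that the "should I rewrite this response?" decision is a pure function that can be tested outside the Workers runtime, and so that websocket upgrades, the Grafana case above, are passed through untouched: the Workers runtime only lets `new Response()` carry a status in the 200-599 range, so a 101 Switching Protocols reply has to be returned as the upstream Response object. The `fetcher` parameter and the `handle` name are my additions.

```javascript
// Added example, not the post's own Worker: same header set, but the
// rewrite decision is a pure function and WebSocket upgrades are untouched.
const SECURITY_HEADERS = {
  "Content-Security-Policy": "upgrade-insecure-requests",
  "Strict-Transport-Security": "max-age=3600; includeSubDomains",
  "X-Xss-Protection": "1; mode=block",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Permissions-Policy": "geolocation=()",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

// Returns true only when rewriting the response is both safe and useful:
//  - 101 Switching Protocols (WebSocket upgrade, e.g. Grafana live dashboards)
//    must be returned as the upstream Response: new Response() accepts only
//    statuses 200-599 and would drop the socket attached to the reply;
//  - a request carrying "Upgrade: websocket" is left alone for the same reason;
//  - non-HTML bodies (API JSON, images, fonts) gain nothing from browser headers.
function shouldAddHeaders(status, contentType, upgradeHeader) {
  if (status === 101) return false;
  if (upgradeHeader && upgradeHeader.toLowerCase() === "websocket") return false;
  if (contentType && !contentType.toLowerCase().includes("text/html")) return false;
  return true;
}

// Copy the upstream response, overwriting (not appending) the security headers.
function applySecurityHeaders(response) {
  const headers = new Headers(response.headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) headers.set(name, value);
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// fetcher is injectable (hypothetical parameter) so the handler is testable offline.
async function handle(request, fetcher = fetch) {
  const response = await fetcher(request);
  const rewrite = shouldAddHeaders(
    response.status,
    response.headers.get("Content-Type"),
    request.headers.get("Upgrade"),
  );
  return rewrite ? applySecurityHeaders(response) : response;
}

// Worker entry point; the guard keeps the file loadable outside the Workers runtime.
if (typeof addEventListener === "function") {
  addEventListener("fetch", event => event.respondWith(handle(event.request)));
}
```

The `max-age=3600` HSTS value is the one from the post; it is deliberately short for a rollout, and once every subdomain is confirmed to serve HTTPS a much longer max-age is the usual setting.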
Reshape
Issue
Fixes