ingress/internal: relax security

ingress/public: disabled authentik-forward-auth (problems with phone clients)
middlewares/rate-limit: increase values
middlewares/security-headers:- added sts -  fix nextcloud warning Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS

deploy/infra/ingress-web-public.yaml

@@ -21,6 +21,9 @@ spec:
         - name: ak-outpost-authentik-embedded-outpost
           namespace: id-limbosolutions-com
           port: 9000
+      middlewares:
+          - name: nextcloud-security-headers
+          - name: rate-limit
 
 
     # PUBLIC SHARES (NO SSO)
@@ -63,7 +66,7 @@ spec:
         - name: nextcloud
           port: 8080
       middlewares:
-         - name: authentik-forward-auth
+        # - name: authentik-forward-auth
          - name: nextcloud-security-headers
          - name: rate-limit
 

deploy/infra/ingress-web.yaml

@@ -14,59 +14,14 @@ spec:
       - main: cloud.limbosolutions.com
 
   routes:
-
-    # # AUTHENTIK OUTPOST
-    # - match: Host(`cloud.limbosolutions.com`)  && PathPrefix(`/outpost.goauthentik.io`)
-    #   kind: Rule
-    #   services:
-    #     - name: ak-outpost-authentik-embedded-outpost
-    #       namespace: id-limbosolutions-com
-    #       port: 9000
-
-
-    # # PUBLIC SHARES (NO SSO)
-    # - match: Host(`cloud.limbosolutions.com`) &&
-    #         (PathPrefix(`/s/`) ||
-    #           PathPrefix(`/index.php/s/`) ||
-    #           PathPrefix(`/public.php/`) ||
-    #           PathPrefix(`/remote.php/dav/public-files/`))
-    #   kind: Rule
-    #   services:
-    #     - name: nextcloud
-    #       port: 8080
-    #   middlewares:
-    #     - name: rate-limit
-    #     - name: nextcloud-security-headers
-
-    # # Sync clients + mobile app (no SSO)
-    # - match: Host(`cloud.limbosolutions.com`) &&
-    #      (PathPrefix(`/remote.php/dav`) ||
-    #       PathPrefix(`/remote.php/webdav`) ||
-    #       PathPrefix(`/remote.php/caldav`) ||
-    #       PathPrefix(`/remote.php/carddav`) ||
-    #       PathPrefix(`/ocs/v1.php`) ||
-    #       PathPrefix(`/ocs/v2.php`) ||
-    #       PathPrefix(`/status.php`) ||
-    #       PathPrefix(`/index.php/login/v2`) ||
-    #       PathPrefix(`/index.php/login/v2/poll`))
-    #   kind: Rule
-    #   services:
-    #     - name: nextcloud
-    #       port: 8080
-    #   middlewares:
-    #     #- name: webdav-strip-auth
-    #     #- name: rate-limit
-
-    # 3) EVERYTHING ELSE (SSO REQUIRED)
     - match: Host(`cloud.limbosolutions.com`)
       kind: Rule
       services:
         - name: nextcloud
           port: 8080
-      middlewares: []
-         #- name: authentik-forward-auth
-         #- name: nextcloud-security-headers
-         #- name: rate-limit
+      middlewares:
+         - name: nextcloud-security-headers
+         - name: rate-limit
 
 
 

deploy/infra/middlewares.yaml

@@ -17,8 +17,8 @@ metadata:
   name: rate-limit
 spec:
   rateLimit:
-    average: 50
-    burst: 100
+    average: 100
+    burst: 500
 
 ---
 # Optional: security headers for UI
@@ -28,19 +28,19 @@ metadata:
   name: nextcloud-security-headers
 spec:
   headers:
-    stsSeconds: 31536000
-    stsIncludeSubdomains: true
-    stsPreload: true
     browserXssFilter: true
     contentTypeNosniff: true
-    frameDeny: true
+    frameDeny: false
     referrerPolicy: "no-referrer"
+    stsSeconds: 15552000
+    stsIncludeSubdomains: true
+    stsPreload: true
     customResponseHeaders:
       X-Content-Type-Options: "nosniff"
-      X-Frame-Options: "DENY"
+      X-Frame-Options: "SAMEORIGIN"
       X-XSS-Protection: "1; mode=block"
-
 ---
+
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata: