From 5acca5d4c7a6341268c96e95a1e82f5a3ffedd6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?= Date: Thu, 16 Apr 2026 19:47:11 +0000 Subject: [PATCH] ingress/internal: relax security ingress/public: disabled authentik-forward-auth (problems with phone clients) middlewares/rate-limit: increase values middlewares/security-headers:- added sts - fix nextcloud warning Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS --- deploy/infra/ingress-web-public.yaml | 5 ++- deploy/infra/ingress-web.yaml | 51 ++-------------------------- deploy/infra/middlewares.yaml | 16 ++++----- 3 files changed, 15 insertions(+), 57 deletions(-) diff --git a/deploy/infra/ingress-web-public.yaml b/deploy/infra/ingress-web-public.yaml index 06f2d83..3e96aca 100644 --- a/deploy/infra/ingress-web-public.yaml +++ b/deploy/infra/ingress-web-public.yaml @@ -21,6 +21,9 @@ spec: - name: ak-outpost-authentik-embedded-outpost namespace: id-limbosolutions-com port: 9000 + middlewares: + - name: nextcloud-security-headers + - name: rate-limit # PUBLIC SHARES (NO SSO) @@ -63,7 +66,7 @@ spec: - name: nextcloud port: 8080 middlewares: - - name: authentik-forward-auth + # - name: authentik-forward-auth - name: nextcloud-security-headers - name: rate-limit diff --git a/deploy/infra/ingress-web.yaml b/deploy/infra/ingress-web.yaml index b17650f..efe005e 100644 --- a/deploy/infra/ingress-web.yaml +++ b/deploy/infra/ingress-web.yaml 
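Review bot: Commenting out `authentik-forward-auth` in the second hunk (@@ -63,7 +66,7) removes edge SSO for every path this rule matches on the public ingress, not only the endpoints the phone clients need; the rule's `match` is outside the hunk, so the exact scope cannot be confirmed here. The route block deleted from ingress-web.yaml in this same commit already enumerates the client-only prefixes (`/remote.php/dav`, `/remote.php/webdav`, `/ocs/v1.php`, `/ocs/v2.php`, `/status.php`, `/index.php/login/v2`), so a dedicated no-SSO rule restricted to those paths would unbreak the clients while keeping forward-auth on the browser UI. If the bypass is meant as a stopgap, record that next to the disabled line, e.g. `# - name: authentik-forward-auth  # disabled: breaks Nextcloud phone clients; re-enable once client paths have their own rule`, so it does not silently become permanent. The enclosing route starts before the hunk.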
@@ -14,59 +14,14 @@ spec: - main: cloud.limbosolutions.com routes: - - # # AUTHENTIK OUTPOST - # - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/outpost.goauthentik.io`) - # kind: Rule - # services: - # - name: ak-outpost-authentik-embedded-outpost - # namespace: id-limbosolutions-com - # port: 9000 - - - # # PUBLIC SHARES (NO SSO) - # - match: Host(`cloud.limbosolutions.com`) && - # (PathPrefix(`/s/`) || - # PathPrefix(`/index.php/s/`) || - # PathPrefix(`/public.php/`) || - # PathPrefix(`/remote.php/dav/public-files/`)) - # kind: Rule - # services: - # - name: nextcloud - # port: 8080 - # middlewares: - # - name: rate-limit - # - name: nextcloud-security-headers - - # # Sync clients + mobile app (no SSO) - # - match: Host(`cloud.limbosolutions.com`) && - # (PathPrefix(`/remote.php/dav`) || - # PathPrefix(`/remote.php/webdav`) || - # PathPrefix(`/remote.php/caldav`) || - # PathPrefix(`/remote.php/carddav`) || - # PathPrefix(`/ocs/v1.php`) || - # PathPrefix(`/ocs/v2.php`) || - # PathPrefix(`/status.php`) || - # PathPrefix(`/index.php/login/v2`) || - # PathPrefix(`/index.php/login/v2/poll`)) - # kind: Rule - # services: - # - name: nextcloud - # port: 8080 - # middlewares: - # #- name: webdav-strip-auth - # #- name: rate-limit - - # 3) EVERYTHING ELSE (SSO REQUIRED) - match: Host(`cloud.limbosolutions.com`) kind: Rule services: - name: nextcloud port: 8080 - middlewares: [] - #- name: authentik-forward-auth - #- name: nextcloud-security-headers - #- name: rate-limit + middlewares: + - name: nextcloud-security-headers + - name: rate-limit diff --git a/deploy/infra/middlewares.yaml b/deploy/infra/middlewares.yaml index 6b7dce9..74d2eee 100644 --- a/deploy/infra/middlewares.yaml +++ b/deploy/infra/middlewares.yaml @@ -17,8 +17,8 @@ metadata: name: rate-limit spec: rateLimit: - average: 50 - burst: 100 + average: 100 + burst: 500 --- # Optional: security headers for UI 
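Review bot: The catch-all `Host(`cloud.limbosolutions.com`)` rule now serves the whole host with `nextcloud-security-headers` and `rate-limit` but no authentication middleware, and nothing in the file records why that is acceptable on this entrypoint now that the old `# 3) EVERYTHING ELSE (SSO REQUIRED)` label and the commented alternatives are gone. A one-line comment above `middlewares:` stating the trust assumption, e.g. `# No forward-auth on this route by design: <reason, e.g. entrypoint reachability>; Nextcloud's own login is the only auth`, would keep the next reader from re-adding or re-removing it blindly. Note also that Traefik only emits the STS fields of the headers middleware on TLS responses unless `forceSTSHeader` is set, so if this entrypoint is plain HTTP the HSTS part of the shared middleware is inert here; worth confirming that is intended. The enclosing IngressRoute starts before the hunk.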
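Review bot: `average: 100` and `burst: 500` in the rate-limit hunk (@@ -17,8 +17,8) are raised 2x and 5x with no note of what traffic drove the change or what the counter is keyed on; the rest of the `rateLimit` spec is outside the hunk, so whether a `sourceCriterion` is configured cannot be seen here. Without one Traefik keys the limit on the client address as seen by the entrypoint, which behind a reverse proxy or NAT makes all clients behind one address share a single bucket while a single client can still fire 500 requests in one burst at the new values. Recording the rationale inline, e.g. `average: 100  # req/s per source (see sourceCriterion); raised from 50 because <reason>`, lets the next tuning be compared against a known baseline. The enclosing Middleware object starts before the hunk.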
@@ -28,19 +28,19 @@ metadata:
 name: nextcloud-security-headers
 spec:
 headers:
- stsSeconds: 31536000
- stsIncludeSubdomains: true
- stsPreload: true
 browserXssFilter: true
 contentTypeNosniff: true
- frameDeny: true
+ frameDeny: false
 referrerPolicy: "no-referrer"
+ stsSeconds: 15552000
+ stsIncludeSubdomains: true
+ stsPreload: true
 customResponseHeaders:
 X-Content-Type-Options: "nosniff"
- X-Frame-Options: "DENY"
+ X-Frame-Options: "SAMEORIGIN"
 X-XSS-Protection: "1; mode=block"
-
 ---
+
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
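Review bot: `stsSeconds: 15552000` is re-added alongside `stsPreload: true`, but the HSTS preload list requires a max-age of at least 31536000 (one year), so the header now advertises `preload` with a value the list will reject; the previous 31536000 also satisfies Nextcloud's 15552000 minimum quoted in the commit message. Either restore `stsSeconds: 31536000  # >= 1 year, required for preload; also clears Nextcloud's 15552000 minimum` or drop `stsPreload` until the domain is actually ready to be submitted, since preload together with `stsIncludeSubdomains` commits every subdomain of the registrable domain to HTTPS and is hard to reverse. On `frameDeny: false` plus `X-Frame-Options: "SAMEORIGIN"`, Traefik can set that header from both `frameDeny` and `customResponseHeaders`; keeping a single source, with a comment naming which Nextcloud feature needs same-origin framing, avoids depending on which of the two wins.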