claw
25545ee7ca
Align new manifest names with the live deployment so CI replaces the existing news-site deployment instead of creating a parallel signalledger one. Changes: - deployment name: signalledger -> news-site - service name: signalledger -> news-site - ingress name: signalledger -> news-site - selector labels: app.kubernetes.io/name -> app: news-site - ingress backend service: signalledger -> news-site - ingress hosts: add news.claw.jopdorp.nl, keep signalledger.nl + www - TLS secret: signalledger-tls -> news-site-tls (existing live secret) - CI rollout target: deployment/signalledger -> deployment/news-site
23 lines
1.1 KiB
YAML
23 lines
1.1 KiB
YAML
apiVersion: traefik.io/v1alpha1
|
|
kind: Middleware
|
|
metadata:
|
|
name: security-headers
|
|
namespace: openclaw-private
|
|
labels:
|
|
app: news-site
|
|
app.kubernetes.io/component: middleware
|
|
app.kubernetes.io/part-of: signalledger
|
|
spec:
|
|
headers:
|
|
customRequestHeaders:
|
|
X-Forwarded-Proto: "https"
|
|
customResponseHeaders:
|
|
Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
|
|
X-Frame-Options: "DENY"
|
|
X-Content-Type-Options: "nosniff"
|
|
Referrer-Policy: "strict-origin-when-cross-origin"
|
|
Content-Security-Policy: "default-src 'self'; script-src 'self' 'unsafe-inline' https://pagead2.googlesyndication.com https://partner.googleadservices.com https://tpc.googlesyndication.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; frame-src https://googleads.g.doubleclick.net; object-src 'none'; base-uri 'self'; form-action 'self';"
|
|
X-XSS-Protection: "1; mode=block"
|
|
Permissions-Policy: "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
|
|
sslRedirect: true
|