From cf95421673b7c49a2f04524ac85947df70e8b562 Mon Sep 17 00:00:00 2001
From: Julien Bouquillon
Date: Wed, 13 Sep 2023 18:55:08 +0200
Subject: [PATCH] fix
---
 .kontinuous/env/prod/values.yaml | 38 ++++++++++++++++++++++++++++++++
 .kontinuous/values.yaml | 2 ++
 2 files changed, 40 insertions(+)
diff --git a/.kontinuous/env/prod/values.yaml b/.kontinuous/env/prod/values.yaml
index ccc1c75..2b144ce 100644
--- a/.kontinuous/env/prod/values.yaml
+++ b/.kontinuous/env/prod/values.yaml
@@ -1,2 +1,40 @@
 app:
 host: 1000jours.fabrique.social.gouv.fr
+ ingress:
+ # adjustments for /acvc path
+ # proxy_upstream_name must be set to correct upstream
+ # https://docs.unity3d.com/Manual/webgl-deploying.html
+ annotations:
+ nginx.ingress.kubernetes.io/server-snippet: |
+ location ~ .+\.(data|symbols\.json)\.gz$ {
+ proxy_hide_header X-Content-Type-Options;
+ proxy_hide_header Content-Type;
+ gzip off; # Do not attempt dynamic gzip compression on an already compressed file
+ add_header Content-Encoding gzip;
+ add_header Content-Type application/gzip; # The correct MIME type here would be application/octet-stream, but due to Safari bug https://bugs.webkit.org/show_bug.cgi?id=247421, it's preferable to use MIME Type application/gzip instead.
+ set $proxy_upstream_name "nos1000jours-landing-app-http";
+ proxy_pass http://upstream_balancer;
+ }
+ location ~ .+\.js\.gz$ {
+ proxy_hide_header X-Content-Type-Options;
+ proxy_hide_header Content-Type;
+ gzip off; # Do not attempt dynamic gzip compression on an already compressed file
+ add_header Content-Encoding gzip; # The correct MIME type here would be application/octet-stream, but due to Safari bug https://bugs.webkit.org/show_bug.cgi?id=247421, it's preferable to use MIME Type application/gzip instead.
+ add_header Content-Type application/javascript; # The correct MIME type here would be application/octet-stream, but due to Safari bug https://bugs.webkit.org/show_bug.cgi?id=247421, it's preferable to use MIME Type application/gzip instead.
+ set $proxy_upstream_name "nos1000jours-landing-app-http";
+ proxy_pass http://upstream_balancer;
+ }
+ location ~ .+\.wasm\.gz$ {
+ proxy_hide_header X-Content-Type-Options;
+ proxy_hide_header Content-Type;
+ gzip off; # Do not attempt dynamic gzip compression on an already compressed file
+ add_header Content-Encoding gzip; # The correct MIME type here would be application/octet-stream, but due to Safari bug https://bugs.webkit.org/show_bug.cgi?id=247421, it's preferable to use MIME Type application/gzip instead.
+ add_header Content-Type application/wasm; # The correct MIME type here would be application/octet-stream, but due to Safari bug https://bugs.webkit.org/show_bug.cgi?id=247421, it's preferable to use MIME Type application/gzip instead.
+ set $proxy_upstream_name "nos1000jours-landing-app-http";
+ proxy_pass http://upstream_balancer;
+ }
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "Content-Security-Policy: default-src 'none'; connect-src 'self' https://*.gouv.fr; font-src 'self' data:; img-src 'self'; script-src 'self' https://*.gouv.fr 'unsafe-inline' 'unsafe-eval'; frame-src 'self' https://*.gouv.fr; style-src 'self' 'unsafe-inline'";
+ more_set_headers "X-Frame-Options: sameorigin";
+ more_set_headers "X-XSS-Protection: 1; mode=block";
+ more_set_headers "X-Content-Type-Options: none";
diff --git a/.kontinuous/values.yaml b/.kontinuous/values.yaml
index bd93a30..3a95958 100644
--- a/.kontinuous/values.yaml
+++ b/.kontinuous/values.yaml
@@ -9,6 +9,8 @@ app:
 runAsUser: 101
 ingress:
 # adjustments for /acvc path
+ # proxy_upstream_name must be set to correct upstream
+ # https://docs.unity3d.com/Manual/webgl-deploying.html
 annotations:
 nginx.ingress.kubernetes.io/server-snippet: |
 location ~ .+\.(data|symbols\.json)\.gz$ {
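Review bot: In the `configuration-snippet` added to `.kontinuous/env/prod/values.yaml`, `more_set_headers "X-Content-Type-Options: none";` sends a value browsers do not recognise (`nosniff` is the only defined one), so MIME sniffing stays enabled on every response served through that location. If the aim was only to keep `nosniff` from breaking the pre-compressed Unity assets, the three `server-snippet` locations already hide the upstream header and set an explicit `Content-Type`, so the general location can probably keep `more_set_headers "X-Content-Type-Options: nosniff";` — worth confirming with a browser test. The same snippet's `script-src` combines `'unsafe-inline'`, `'unsafe-eval'` and the `https://*.gouv.fr` wildcard, which leaves the policy with little protection against script injection; if eval is needed only for WebAssembly compilation, `'wasm-unsafe-eval'` is narrower, and naming the specific hosts would be tighter than the wildcard. A short comment above the header lines saying why each relaxation is required would help whoever reviews this next.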