Merge branch 'bugfix/no-cc-mentions' into 'develop'

[akkoma] / installation / pleroma.vcl

diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl
index 8ba67069aa24ec7148ab9fef51e824fa8b9493af..74490be2aa251a85d402a26a71cccb8c3b8a063d 100644 (file)
--- a/installation/pleroma.vcl
+++ b/installation/pleroma.vcl
@@ -6,6 +6,11 @@ backend default {
     .port = "4000";
 }
 
+# ACL for IPs that are allowed to PURGE data from the cache
+acl purge {
+    "127.0.0.1";
+}
+
 sub vcl_recv {
     # Redirect HTTP to HTTPS
     if (std.port(server.ip) != 443) {
@@ -18,6 +23,14 @@ sub vcl_recv {
         return (pipe);
     }
 
+    # Allow purging of the cache
+    if (req.method == "PURGE") {
+        if (!client.ip ~ purge) {
+          return(synth(405,"Not allowed."));
+        }
+        return(purge);
+    }
+
     # Pleroma MediaProxy - strip headers that will affect caching
     if (req.url ~ "^/proxy/") {
         unset req.http.Cookie;
@@ -26,17 +39,9 @@ sub vcl_recv {
         return (hash);
     }
 
-    # Hack to enable a Terms of Service page missing from Pleroma
-    if (req.url ~ "^/about/more$") {
-        set req.http.x-redir = "https://" + req.http.host + "/static/terms-of-service.html";
-        return (synth(750, ""));
-    }
-
     # Strip headers that will affect caching from all other static content
     # This also permits caching of individual toots and AP Activities
-    if ((req.url ~ "^/(media|notice|objects|static)/") ||
-    (req.url ~ "^/(activities/|api/v1/statuses/\d+$)") ||
-    (req.url ~ "^/(activities/|api/v1/statuses/\d+/card$)") ||
+    if ((req.url ~ "^/(media|static)/") ||
     (req.url ~ "(?i)\.(html|js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$"))
     {
       unset req.http.Cookie;
@@ -88,10 +93,7 @@ sub vcl_backend_response {
 
     # Strip cache-restricting headers from Pleroma on static content that we want to cache
     # Also enable streaming of cached content to clients (no waiting for Varnish to complete backend fetch)
-    if ((bereq.url ~ "^/(notice|objects)/") ||
-    (bereq.url ~ "^/(activities/|api/v1/statuses/\d+$)") ||
-    (bereq.url ~ "^/(activities/|api/v1/statuses/\d+/card$)") ||
-    (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$"))
+    if (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$")
     {
       unset beresp.http.set-cookie;
       unset beresp.http.Cache-Control;
@@ -101,7 +103,7 @@ sub vcl_backend_response {
     }
 }
 
-# The synthetic response for the HTTP to HTTPS upgrade
+# The synthetic response for 301 redirects
 sub vcl_synth {
     if (resp.status == 750) {
       set resp.status = 301;
@@ -117,3 +119,13 @@ sub vcl_pipe {
         set bereq.http.connection = req.http.connection;
     }
 }
+
+sub vcl_deliver {
+  set resp.http.X-Frame-Options = "DENY";
+  set resp.http.X-XSS-Protection = "1; mode=block";
+  set resp.http.X-Content-Type-Options = "nosniff";
+  set resp.http.Referrer-Policy = "same-origin";
+  set resp.http.Content-Security-Policy = "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://" + req.http.host + "; upgrade-insecure-requests;";
+  # Uncomment this only after you get HTTPS working.
+  # set resp.http.Strict-Transport-Security= "max-age=31536000; includeSubDomains";
+}