return (hash);
}
- # Hack to enable a Terms of Service page missing from Pleroma
- if (req.url ~ "^/about/more$") {
- set req.http.x-redir = "https://" + req.http.host + "/static/terms-of-service.html";
- return (synth(750, ""));
- }
-
# Strip headers that will affect caching from all other static content
# This also permits caching of individual toots and AP Activities
- if ((req.url ~ "^/(media|notice|objects|static)/") ||
- (req.url ~ "^/(activities/|api/v1/statuses/\d+$)") ||
- (req.url ~ "^/(activities/|api/v1/statuses/\d+/card$)") ||
+ if ((req.url ~ "^/(media|static)/") ||
(req.url ~ "(?i)\.(html|js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$"))
{
unset req.http.Cookie;
# Strip cache-restricting headers from Pleroma on static content that we want to cache
# Also enable streaming of cached content to clients (no waiting for Varnish to complete backend fetch)
- if ((bereq.url ~ "^/(notice|objects)/") ||
- (bereq.url ~ "^/(activities/|api/v1/statuses/\d+$)") ||
- (bereq.url ~ "^/(activities/|api/v1/statuses/\d+/card$)") ||
- (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$"))
+ if (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$")
{
unset beresp.http.set-cookie;
unset beresp.http.Cache-Control;
}
}
-# The synthetic response for the HTTP to HTTPS upgrade
+# The synthetic response for 301 redirects
sub vcl_synth {
if (resp.status == 750) {
set resp.status = 301;
set bereq.http.connection = req.http.connection;
}
}
+
+sub vcl_deliver {
+ set resp.http.X-Frame-Options = "DENY";
+ set resp.http.X-XSS-Protection = "1; mode=block";
+ set resp.http.X-Content-Type-Options = "nosniff";
+ set resp.http.Referrer-Policy = "same-origin";
+ set resp.http.Content-Security-Policy = "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://" + req.http.host + "; upgrade-insecure-requests;";
+ # Uncomment this only after you get HTTPS working.
+ # set resp.http.Strict-Transport-Security= "max-age=31536000; includeSubDomains";
+}