[traefik] Remove broken rewrite-body plugin and all rybbit/anti-AI injection

The rewrite-body Traefik plugin (both packruler/rewrite-body v1.2.0 and the-ccsn/traefik-plugin-rewritebody v0.1.3) silently fails on Traefik v3.6.12 due to Yaegi interpreter issues with ResponseWriter wrapping. Both plugins load without errors but never inject content. Removed: - rewrite-body plugin download (init container) and registration - strip-accept-encoding middleware (only existed for rewrite-body bug) - anti-ai-trap-links middleware (used rewrite-body for injection) - rybbit_site_id variable from ingress_factory and reverse_proxy factory - rybbit_site_id from 25 service stacks (39 instances) - Per-service rybbit-analytics middleware CRD resources Kept: - compress middleware (entrypoint-level, working correctly) - ai-bot-block middleware (ForwardAuth to bot-block-proxy) - anti-ai-headers middleware (X-Robots-Tag: noai, noimageai) - All CrowdSec, Authentik, rate-limit middleware unchanged Next: Cloudflare Workers with HTMLRewriter for edge-side injection. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 12:41:17 +00:00 · 2026-04-17 12:41:17 +00:00 · b034c868db
commit b034c868db
parent b24545ffdb
29 changed files with 32 additions and 197 deletions
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@ -58,10 +58,6 @@ variable "root_domain" {
  default = "viktorbarzin.me"
  type    = string
 }
-variable "rybbit_site_id" {
-  default = null
-  type    = string
-}
 variable "custom_content_security_policy" {
  type    = string
  default = null
@ -237,12 +233,8 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
        var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
        local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
        local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
-        local.effective_anti_ai ? "traefik-strip-accept-encoding@kubernetescrd" : null,
-        local.effective_anti_ai ? "traefik-anti-ai-trap-links@kubernetescrd" : null,
        var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
        var.allow_local_access_only ? "traefik-local-only@kubernetescrd" : null,
-        var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null,
-        var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
        var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
      ], var.extra_middlewares)))
      "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
@ -282,33 +274,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
  }
 }

-# Rybbit analytics middleware (rewrite-body plugin with content-type filtering) - created per service when rybbit_site_id is set
-resource "kubernetes_manifest" "rybbit_analytics" {
-  count = var.rybbit_site_id != null ? 1 : 0
-
-  manifest = {
-    apiVersion = "traefik.io/v1alpha1"
-    kind       = "Middleware"
-    metadata = {
-      name      = "rybbit-analytics-${var.name}"
-      namespace = var.namespace
-    }
-    spec = {
-      plugin = {
-        traefik-plugin-rewritebody = {
-          rewrites = [{
-            regex       = "</head>"
-            replacement = "<script src=\"https://rybbit.viktorbarzin.me/api/script.js\" data-site-id=\"${var.rybbit_site_id}\" defer></script></head>"
-          }]
-          monitoring = {
-            types = ["text/html"]
-          }
-        }
-      }
-    }
-  }
-}
-
 # Custom CSP headers middleware - created per service when custom_content_security_policy is set
 resource "kubernetes_manifest" "custom_csp" {
  count = var.custom_content_security_policy != null ? 1 : 0