[traefik] Remove broken rewrite-body plugin and all rybbit/anti-AI injection
The rewrite-body Traefik plugin (both packruler/rewrite-body v1.2.0 and the-ccsn/traefik-plugin-rewritebody v0.1.3) silently fails on Traefik v3.6.12 due to Yaegi interpreter issues with ResponseWriter wrapping. Both plugins load without errors but never inject content. Removed: - rewrite-body plugin download (init container) and registration - strip-accept-encoding middleware (existed only to work around a rewrite-body bug) - anti-ai-trap-links middleware (used rewrite-body for injection) - rybbit_site_id variable from ingress_factory and reverse_proxy factory - rybbit_site_id from 25 service stacks (39 instances) - Per-service rybbit-analytics middleware CRD resources Kept: - compress middleware (entrypoint-level, working correctly) - ai-bot-block middleware (ForwardAuth to bot-block-proxy) - anti-ai-headers middleware (X-Robots-Tag: noai, noimageai) - All CrowdSec, Authentik, rate-limit middleware unchanged Next: Cloudflare Workers with HTMLRewriter for edge-side injection. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent
b24545ffdb
commit
b034c868db
29 changed files with 32 additions and 197 deletions
|
|
@ -37,10 +37,6 @@ variable "max_body_size" {
|
|||
variable "extra_annotations" {
|
||||
default = {}
|
||||
}
|
||||
variable "rybbit_site_id" {
|
||||
default = null
|
||||
type = string
|
||||
}
|
||||
variable "custom_content_security_policy" {
|
||||
default = null
|
||||
type = string
|
||||
|
|
@ -143,8 +139,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
|
|||
"traefik-crowdsec@kubernetescrd",
|
||||
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
|
||||
var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
|
||||
var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null,
|
||||
var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
|
||||
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
|
||||
], var.extra_middlewares)))
|
||||
"traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
|
||||
|
|
@ -186,33 +180,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
|
|||
}
|
||||
}
|
||||
|
||||
# Rybbit analytics middleware (rewrite-body plugin with content-type filtering) - created per service when rybbit_site_id is set
|
||||
resource "kubernetes_manifest" "rybbit_analytics" {
|
||||
count = var.rybbit_site_id != null ? 1 : 0
|
||||
|
||||
manifest = {
|
||||
apiVersion = "traefik.io/v1alpha1"
|
||||
kind = "Middleware"
|
||||
metadata = {
|
||||
name = "rybbit-analytics-${var.name}"
|
||||
namespace = var.namespace
|
||||
}
|
||||
spec = {
|
||||
plugin = {
|
||||
traefik-plugin-rewritebody = {
|
||||
rewrites = [{
|
||||
regex = "</head>"
|
||||
replacement = "<script src=\"https://rybbit.viktorbarzin.me/api/script.js\" data-site-id=\"${var.rybbit_site_id}\" defer></script></head>"
|
||||
}]
|
||||
monitoring = {
|
||||
types = ["text/html"]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Custom CSP headers middleware - created per service when custom_content_security_policy is set
|
||||
resource "kubernetes_manifest" "custom_csp" {
|
||||
count = var.custom_content_security_policy != null ? 1 : 0
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ module "tls_secret" {
|
|||
# https://pfsense.viktorbarzin.me/
|
||||
module "pfsense" {
|
||||
source = "./factory"
|
||||
dns_type = "proxied"
|
||||
dns_type = "proxied"
|
||||
name = "pfsense"
|
||||
external_name = "pfsense.viktorbarzin.lan"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
|
|
@ -47,14 +47,13 @@ module "pfsense" {
|
|||
"gethomepage.dev/widget.fields" = "[\"load\", \"memory\", \"temp\", \"disk\"]"
|
||||
"gethomepage.dev/widget.wan" = "vtnet0"
|
||||
}
|
||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||
rybbit_site_id = "b029580e5a7c"
|
||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||
}
|
||||
|
||||
# https://nas.viktorbarzin.me/
|
||||
module "nas" {
|
||||
source = "./factory"
|
||||
dns_type = "proxied"
|
||||
dns_type = "proxied"
|
||||
name = "nas"
|
||||
external_name = "nas.viktorbarzin.lan"
|
||||
port = 5001
|
||||
|
|
@ -62,7 +61,6 @@ module "nas" {
|
|||
backend_protocol = "HTTPS"
|
||||
max_body_size = "0m"
|
||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||
rybbit_site_id = "1e11f8449f7d"
|
||||
extra_annotations = {
|
||||
"gethomepage.dev/enabled" = "true"
|
||||
"gethomepage.dev/name" = "Synology NAS"
|
||||
|
|
@ -76,7 +74,7 @@ module "nas" {
|
|||
# https://files.viktorbarzin.me/
|
||||
module "nas-files" {
|
||||
source = "./factory"
|
||||
dns_type = "non-proxied"
|
||||
dns_type = "non-proxied"
|
||||
name = "files"
|
||||
external_name = "nas.viktorbarzin.lan"
|
||||
port = 5001
|
||||
|
|
@ -92,7 +90,7 @@ module "nas-files" {
|
|||
# https://idrac.viktorbarzin.me/
|
||||
module "idrac" {
|
||||
source = "./factory"
|
||||
dns_type = "proxied"
|
||||
dns_type = "proxied"
|
||||
name = "idrac"
|
||||
external_name = "idrac.viktorbarzin.lan"
|
||||
port = 443
|
||||
|
|
@ -114,7 +112,7 @@ module "idrac" {
|
|||
# TODO: Not working yet
|
||||
module "tp-link-gateway" {
|
||||
source = "./factory"
|
||||
dns_type = "proxied"
|
||||
dns_type = "proxied"
|
||||
name = "gw"
|
||||
external_name = "gw.viktorbarzin.lan"
|
||||
port = 443
|
||||
|
|
@ -148,8 +146,7 @@ module "truenas" {
|
|||
# "gethomepage.dev/widget.enablePools" : "true"
|
||||
# "gethomepage.dev/pod-selector" : ""
|
||||
}
|
||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||
rybbit_site_id = "b66fbd3cb58a"
|
||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||
}
|
||||
|
||||
# https://r730.viktorbarzin.me/
|
||||
|
|
@ -174,7 +171,7 @@ module "r730" {
|
|||
# https://proxmox.viktorbarzin.me/
|
||||
module "proxmox" {
|
||||
source = "./factory"
|
||||
dns_type = "proxied"
|
||||
dns_type = "proxied"
|
||||
name = "proxmox"
|
||||
external_name = "proxmox.viktorbarzin.lan"
|
||||
port = 8006
|
||||
|
|
@ -182,7 +179,6 @@ module "proxmox" {
|
|||
backend_protocol = "HTTPS"
|
||||
max_body_size = "0" # unlimited
|
||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||
rybbit_site_id = "190a7ad3e1c7"
|
||||
extra_annotations = {
|
||||
"gethomepage.dev/enabled" = "true"
|
||||
"gethomepage.dev/name" = "Proxmox"
|
||||
|
|
@ -217,14 +213,14 @@ module "docker-registry-ui" {
|
|||
# https://registry.viktorbarzin.me/ (Docker CLI push/pull endpoint)
|
||||
module "docker-registry-cli" {
|
||||
source = "./factory"
|
||||
dns_type = "non-proxied"
|
||||
dns_type = "non-proxied"
|
||||
name = "registry"
|
||||
external_name = "docker-registry.viktorbarzin.lan"
|
||||
port = 5050
|
||||
backend_protocol = "HTTPS"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
protected = false # Docker CLI uses htpasswd, NOT Authentik
|
||||
max_body_size = "0" # unlimited - Docker layers can be large
|
||||
protected = false # Docker CLI uses htpasswd, NOT Authentik
|
||||
max_body_size = "0" # unlimited - Docker layers can be large
|
||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||
extra_annotations = {
|
||||
# Skip rate-limit (Docker push/pull generates many rapid requests)
|
||||
|
|
@ -237,7 +233,7 @@ module "docker-registry-cli" {
|
|||
# https://valchedrym.viktorbarzin.me/
|
||||
module "valchedrym" {
|
||||
source = "./factory"
|
||||
dns_type = "proxied"
|
||||
dns_type = "proxied"
|
||||
name = "valchedrym"
|
||||
external_name = "valchedrym.viktorbarzin.lan"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
|
|
@ -303,14 +299,13 @@ resource "kubernetes_manifest" "ha_sofia_rate_limit" {
|
|||
|
||||
module "ha-sofia" {
|
||||
source = "./factory"
|
||||
dns_type = "non-proxied"
|
||||
dns_type = "non-proxied"
|
||||
name = "ha-sofia"
|
||||
external_name = "ha-sofia.viktorbarzin.lan"
|
||||
port = 8123
|
||||
tls_secret_name = var.tls_secret_name
|
||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||
protected = false
|
||||
rybbit_site_id = "590fc392690a"
|
||||
skip_global_rate_limit = true
|
||||
extra_middlewares = [
|
||||
"reverse-proxy-ha-sofia-rate-limit@kubernetescrd",
|
||||
|
|
@ -328,7 +323,7 @@ module "ha-sofia" {
|
|||
# https://music-assistant.viktorbarzin.me/
|
||||
module "music-assistant" {
|
||||
source = "./factory"
|
||||
dns_type = "non-proxied"
|
||||
dns_type = "non-proxied"
|
||||
name = "music-assistant"
|
||||
external_name = "ha-sofia.viktorbarzin.lan"
|
||||
port = 8095
|
||||
|
|
@ -364,7 +359,7 @@ module "ha-london" {
|
|||
# https://london.viktorbarzin.me/
|
||||
module "london" {
|
||||
source = "./factory"
|
||||
dns_type = "proxied"
|
||||
dns_type = "proxied"
|
||||
name = "london"
|
||||
external_name = "openwrt-london.viktorbarzin.lan"
|
||||
port = 443
|
||||
|
|
@ -388,7 +383,7 @@ module "london" {
|
|||
}
|
||||
module "pi-lights" {
|
||||
source = "./factory"
|
||||
dns_type = "proxied"
|
||||
dns_type = "proxied"
|
||||
name = "pi"
|
||||
external_name = "ha-london.viktorbarzin.lan"
|
||||
port = 5000
|
||||
|
|
@ -416,7 +411,7 @@ module "pi-lights" {
|
|||
|
||||
module "mbp14" {
|
||||
source = "./factory"
|
||||
dns_type = "proxied"
|
||||
dns_type = "proxied"
|
||||
name = "mbp14"
|
||||
external_name = "mbp14.viktorbarzin.lan"
|
||||
port = 4020
|
||||
|
|
|
|||