Add opt-in search indexing middleware#75
Open
crack-kitty wants to merge 1 commit into
Open
Conversation
Replace the original kitty-test approach with a safer router-level opt-in model for search indexing. The kitty-test branch tried to make indexing configurable by moving the X-Robots-Tag header out of default-headers into a separate noindex middleware, then adding per-service middleware env vars. That inverted the existing safety model: any route that still used only default-headers, especially file-provider/external routes and other unconverted edge paths, would silently lose the noindex header and become indexable by default. It also made service examples risky because setting a middleware env var to only default-headers could drop functional middleware such as redirects, compression, buffering limits, or other route-specific behavior. This change keeps the existing architecture intact: default-headers continues to send the current noindex X-Robots-Tag; Traefik entrypoint defaults still protect routes that do not define router-level middleware; a new allow-indexing-headers file-provider middleware clears X-Robots-Tag only when explicitly appended after default-headers; and Docker service routers get env-var middleware overrides whose defaults preserve their current behavior. Existing functional middleware defaults are retained, including MinIO gzip, Pi-hole redirects, and upload-size limit middleware. New scaffolded services default to default-headers@file and can opt in by appending allow-indexing-headers@file. Documentation covers the ordering requirement and warns against removing existing functional middleware, while validation checks ensure services do not allow indexing by default and that websecure routers expose middleware overrides. This preserves OnRamp's default private/noindex posture while giving users an explicit, per-service escape hatch for public services that should be searchable.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This replaces the original kitty-test approach with a safer router-level opt-in model for search indexing.
The kitty-test branch tried to make indexing configurable by moving
X-Robots-Tagout ofdefault-headersinto a separate noindex middleware, then adding per-service middleware env vars. That inverted OnRamp's existing safety model: routes that still used onlydefault-headers, especially file-provider/external routes and other unconverted edge paths, could silently lose the noindex header and become indexable by default. It also made examples risky because replacing a middleware chain with onlydefault-headerscould drop functional middleware such as redirects, compression, buffering limits, or other route-specific behavior.This PR keeps the existing architecture intact:
default-headerscontinues to send the current noindexX-Robots-Tagallow-indexing-headersclearsX-Robots-Tagonly when explicitly appended afterdefault-headersdefault-headers@fileand can opt in by appendingallow-indexing-headers@filewebsecurerouters expose middleware overridesValidation
python3 make.d/scripts/check-search-indexing.pygit diff --checkyamllinton changed core YAML and representative service YAMLNotes
Full
yamllint -c .yamllint services-availableis currently blocked by a pre-existing duplicatehealthcheckkey inservices-available/jellyfin.yml. This PR intentionally leaves Jellyfin unchanged so that can be handled as a separate main-branch cleanup.