Merge pull request #32 from digitalist-se/add_extra_labels_remove_naxsi

remove naxsi, and add extra labels
Digitalist-Open-Cloud · Jul 17, 2024 · 374ef65 · 374ef65
2 parents 89c9d20 + 77131c1
commit 374ef65
Show file tree

Hide file tree

Showing 11 changed files with 42 additions and 256 deletions.
diff --git a/charts/matomo/Chart.yaml b/charts/matomo/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 appVersion: "5.0.3"
 description: A Helm chart Matomo
 name: matomo
-version: 11.0.29
+version: 11.0.30
diff --git a/charts/matomo/templates/configmap-nginx-matomo-dashboard.yaml b/charts/matomo/templates/configmap-nginx-matomo-dashboard.yaml
@@ -7,7 +7,6 @@ data:
   nginx.conf: |
     worker_processes {{ .Values.matomo.dashboard.nginx.nginxWorkerProcesses | default 5 }};
     load_module modules/ngx_http_geoip2_module.so;
-    # load_module modules/ngx_http_naxsi_module.so;
     events {
       worker_connections 768;
     }
@@ -78,10 +77,6 @@ data:
 
         ## Allow access to index.php to make dashboard work.
         location ~ ^/(index).php  {
-          # include /etc/nginx/naxsi.rules;
-          # # whitelisting and config of naxsi rules.
-          # # whitelist whole rule 11. Need to b debugged why needed.
-          # BasicRule wl:11;
           try_files $uri =404;
           fastcgi_split_path_info ^(.+?\.php)(/.*)$;
           if (!-f $document_root$fastcgi_script_name) {
@@ -118,10 +113,6 @@ data:
 
         ## Allow access to heatmapsessionsrecording plugin is needed to make it work.
         location = /plugins/HeatmapSessionRecording/configs.php {
-          # include /etc/nginx/naxsi.rules;
-          # # whitelisting and config of naxsi rules.
-          # # whitelist whole rule 11. Need to b debugged why needed.
-          # BasicRule wl:11;
           fastcgi_split_path_info ^(.+?\.php)(/.*)$;
           if (!-f $document_root$fastcgi_script_name) {
             return 404;
@@ -318,106 +309,3 @@ data:
       video/x-ms-wmv                                   wmv;
       video/x-msvideo                                  avi;
     }
-  naxsi_core.rules: |
-    ##################################
-    ## INTERNAL RULES IDS:1-999     ##
-    ##################################
-    #@MainRule "msg:weird request, unable to parse" id:1;
-    #@MainRule "msg:request too big, stored on disk and not parsed" id:2;
-    #@MainRule "msg:invalid hex encoding, null bytes" id:10;
-    #@MainRule "msg:unknown content-type" id:11;
-    #@MainRule "msg:invalid formatted url" id:12;
-    #@MainRule "msg:invalid POST format" id:13;
-    #@MainRule "msg:invalid POST boundary" id:14;
-    #@MainRule "msg:invalid JSON" id:15;
-    #@MainRule "msg:empty POST" id:16;
-    #@MainRule "msg:libinjection_sql" id:17;
-    #@MainRule "msg:libinjection_xss" id:18;
-    #@MainRule "msg:no generic rules" id:19;
-    #@MainRule "msg:bad utf8" id:20;
-
-
-
-    ##################################
-    ## SQL Injections IDs:1000-1099 ##
-    ##################################
-    MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
-    MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
-    MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
-    ## Hardcore rules
-    MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
-    MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
-    MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
-    MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
-    ## end of hardcore rules
-    MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
-    MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
-    MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
-    MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
-    MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
-    MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
-    MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
-    MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
-    MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
-
-    ###############################
-    ## OBVIOUS RFI IDs:1100-1199 ##
-    ###############################
-    MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
-    MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
-    MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
-    MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
-    MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
-    MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
-    MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
-    MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
-    MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
-    MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
-    MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110;
-    MainRule "str:zip://" "msg:zip:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1111;
-    MainRule "str:expect://" "msg:expect:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1112;
-    MainRule "str:input://" "msg:input:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1113;
-
-    #######################################
-    ## Directory traversal IDs:1200-1299 ##
-    #######################################
-    MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
-    MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
-    MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
-    MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
-    MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
-    #MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
-    MainRule "str:/..;/" "msg:dir traversal bypass" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1207;
-
-    ########################################
-    ## Cross Site Scripting IDs:1300-1399 ##
-    ########################################
-    MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
-    MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
-    MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
-    MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
-    MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
-    MainRule "str:`"  "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
-    MainRule "rx:%[23]."  "msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
-
-    ####################################
-    ## Evading tricks IDs: 1400-1500 ##
-    ####################################
-    MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
-    MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
-
-    #############################
-    ## File uploads: 1500-1600 ##
-    #############################
-    MainRule "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;
-
-  naxsi.rules: |
-    SecRulesEnabled;
-    DeniedUrl "/RequestDenied";
-
-    ## check rules
-    CheckRule "$SQL >= 8" BLOCK;
-    CheckRule "$RFI >= 8" BLOCK;
-    CheckRule "$TRAVERSAL >= 4" BLOCK;
-    CheckRule "$EVADE >= 4" BLOCK;
-    CheckRule "$XSS >= 8" BLOCK;
diff --git a/charts/matomo/templates/configmap-nginx-matomo-tracker.yaml b/charts/matomo/templates/configmap-nginx-matomo-tracker.yaml
@@ -287,106 +287,3 @@ data:
       video/x-ms-wmv                                   wmv;
       video/x-msvideo                                  avi;
     }
-  naxsi_core.rules: |
-    ##################################
-    ## INTERNAL RULES IDS:1-999     ##
-    ##################################
-    #@MainRule "msg:weird request, unable to parse" id:1;
-    #@MainRule "msg:request too big, stored on disk and not parsed" id:2;
-    #@MainRule "msg:invalid hex encoding, null bytes" id:10;
-    #@MainRule "msg:unknown content-type" id:11;
-    #@MainRule "msg:invalid formatted url" id:12;
-    #@MainRule "msg:invalid POST format" id:13;
-    #@MainRule "msg:invalid POST boundary" id:14;
-    #@MainRule "msg:invalid JSON" id:15;
-    #@MainRule "msg:empty POST" id:16;
-    #@MainRule "msg:libinjection_sql" id:17;
-    #@MainRule "msg:libinjection_xss" id:18;
-    #@MainRule "msg:no generic rules" id:19;
-    #@MainRule "msg:bad utf8" id:20;
-
-
-
-    ##################################
-    ## SQL Injections IDs:1000-1099 ##
-    ##################################
-    MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
-    MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
-    MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
-    ## Hardcore rules
-    MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
-    MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
-    MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
-    MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
-    ## end of hardcore rules
-    MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
-    MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
-    MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
-    MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
-    MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
-    MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
-    MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
-    MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
-    MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
-
-    ###############################
-    ## OBVIOUS RFI IDs:1100-1199 ##
-    ###############################
-    MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
-    MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
-    MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
-    MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
-    MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
-    MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
-    MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
-    MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
-    MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
-    MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
-    MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110;
-    MainRule "str:zip://" "msg:zip:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1111;
-    MainRule "str:expect://" "msg:expect:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1112;
-    MainRule "str:input://" "msg:input:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1113;
-
-    #######################################
-    ## Directory traversal IDs:1200-1299 ##
-    #######################################
-    MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
-    MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
-    MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
-    MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
-    MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
-    #MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
-    MainRule "str:/..;/" "msg:dir traversal bypass" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1207;
-
-    ########################################
-    ## Cross Site Scripting IDs:1300-1399 ##
-    ########################################
-    MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
-    MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
-    MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
-    MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
-    MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
-    MainRule "str:`"  "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
-    MainRule "rx:%[23]."  "msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
-
-    ####################################
-    ## Evading tricks IDs: 1400-1500 ##
-    ####################################
-    MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
-    MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
-
-    #############################
-    ## File uploads: 1500-1600 ##
-    #############################
-    MainRule "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;
-
-  naxsi.rules: |
-    SecRulesEnabled;
-    DeniedUrl "/RequestDenied";
-
-    ## check rules
-    CheckRule "$SQL >= 8" BLOCK;
-    CheckRule "$RFI >= 8" BLOCK;
-    CheckRule "$TRAVERSAL >= 4" BLOCK;
-    CheckRule "$EVADE >= 4" BLOCK;
-    CheckRule "$XSS >= 8" BLOCK;
diff --git a/charts/matomo/templates/deployment-matomo-cli.yaml b/charts/matomo/templates/deployment-matomo-cli.yaml
@@ -7,6 +7,9 @@ metadata:
   namespace: {{.Values.namespace}}
   labels:
     app: matomo-cli
+{{- if .Values.matomo.extralabels }}
+{{ toYaml .Values.matomo.extralabels | indent 4 }}
+{{- end }}
 spec:
   replicas: {{.Values.matomo.cli.replicas}}
   selector:
@@ -16,6 +19,9 @@ spec:
     metadata:
       labels:
         app: matomo-cli
+{{- if .Values.matomo.extralabels }}
+{{ toYaml .Values.matomo.extralabels | indent 8 }}
+{{- end }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap-matomo.yaml") . | sha256sum }}
     spec:

diff --git a/charts/matomo/templates/deployment-matomo-dashboard.yaml b/charts/matomo/templates/deployment-matomo-dashboard.yaml
@@ -7,6 +7,9 @@ metadata:
   namespace: {{.Values.namespace}}
   labels:
     app: matomo-dashboard
+{{- if .Values.matomo.extralabels }}
+{{ toYaml .Values.matomo.extralabels | indent 4 }}
+{{- end }}
 spec:
   replicas: {{.Values.matomo.dashboard.replicas}}
   selector:
@@ -16,6 +19,9 @@ spec:
     metadata:
       labels:
         app: matomo-dashboard
+{{- if .Values.matomo.extralabels }}
+{{ toYaml .Values.matomo.extralabels | indent 8 }}
+{{- end }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap-matomo.yaml") . | sha256sum }}
     spec:
@@ -76,14 +82,6 @@ spec:
             mountPath: /etc/nginx/mime.types
             subPath: mime.types
             readOnly: true
-          - name: naxsi-rules
-            mountPath: /etc/nginx/naxsi.rules
-            subPath: naxsi.rules
-            readOnly: true
-          - name: naxsi-core-rules
-            mountPath: /etc/nginx/naxsi_core.rules
-            subPath: naxsi_core.rules
-            readOnly: true
           - name: static-data
             mountPath: /var/www/html
             readOnly: true
@@ -167,18 +165,6 @@ spec:
           items:
           - key: mime.types
             path: mime.types
-      - name: naxsi-rules
-        configMap:
-          name: nginx-matomo-dashboard
-          items:
-          - key: naxsi.rules
-            path: naxsi.rules
-      - name: naxsi-core-rules
-        configMap:
-          name: nginx-matomo-dashboard
-          items:
-          - key: naxsi_core.rules
-            path: naxsi_core.rules
       - name: matomo-configuration
         configMap:
           name: matomo-configuration
@@ -206,6 +192,9 @@ metadata:
   namespace: {{.Values.namespace}}
   labels:
     app: matomo-dashboard
+{{- if .Values.matomo.extralabels }}
+{{ toYaml .Values.matomo.extralabels | indent 4 }}
+{{- end }}
 spec:
   ports:
     - port: 8080

diff --git a/charts/matomo/templates/deployment-matomo-queuedtrackingmonitor.yaml b/charts/matomo/templates/deployment-matomo-queuedtrackingmonitor.yaml
@@ -7,6 +7,9 @@ metadata:
   namespace: {{.Values.namespace}}
   labels:
     app: matomo-queuedtracking-monitor
+{{- if .Values.matomo.extralabels }}
+{{ toYaml .Values.matomo.extralabels | indent 4 }}
+{{- end }}
 spec:
   replicas: {{.Values.matomo.queuedTrackingMonitor.replicas | default 1}}
   selector:
@@ -16,6 +19,9 @@ spec:
     metadata:
       labels:
         app: matomo-queuedtracking-monitor
+{{- if .Values.matomo.extralabels }}
+{{ toYaml .Values.matomo.extralabels | indent 8 }}
+{{- end }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap-matomo.yaml") . | sha256sum }}
     spec:

diff --git a/charts/matomo/templates/deployment-matomo-queuedtrackingprocess.yaml b/charts/matomo/templates/deployment-matomo-queuedtrackingprocess.yaml
@@ -7,6 +7,9 @@ metadata:
   namespace: {{.Values.namespace}}
   labels:
     app: matomo-queuedtracking-process
+{{- if .Values.matomo.extralabels }}
+{{ toYaml .Values.matomo.extralabels | indent 4 }}
+{{- end }}
 spec:
   replicas: {{.Values.matomo.queuedTrackingProcess.replicas}}
   selector:
@@ -16,6 +19,9 @@ spec:
     metadata:
       labels:
         app: matomo-queuedtracking-process
+{{- if .Values.matomo.extralabels }}
+{{ toYaml .Values.matomo.extralabels | indent 8 }}
+{{- end }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap-matomo.yaml") . | sha256sum }}
     spec: