Add support for not only HSTS, but any other arbitrary headers needed. (

#44) * Add support for not only HSTS, but any other arbitrary headers needed. Closes #43 * Test headers with molecule * Find out why test fails
AcroMedia · May 6, 2024 · 41855ab · 41855ab
1 parent dbe6345
commit 41855ab
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -112,6 +112,10 @@ nginx_listeners:
   - port: 443
     ssl: true
     http2: true
+    add_headers:
+      - name: Strict-Transport-Security
+        value: "max-age=31536000; includeSubDomains"
+        always: true
     server_name: www.example.com
     aliases:
       - example.com

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -39,7 +39,7 @@ ssl_protocols: 'TLSv1.2'
 default_document: 'index.html index.php'
 web_application: 'undefined'
 
-nginx_aliases: []
+nginx_aliases: []  # Deprecated and ignored. Use nginx_listeners[] instead.
 
 # Location patterns to help enforce security.
 nginx_drupal_uploads_dir_pattern: '/sites/.*/files'   #  Don't include a trailing slash.

diff --git a/molecule/default/group_vars/all.yml b/molecule/default/group_vars/all.yml
@@ -29,6 +29,10 @@ nginx_server_name: www.bigcorp.com
 nginx_listeners:
   - server_name: "{{ nginx_server_name }}"
     port: 80
+    add_headers:
+      - name: 'x-molecule-foo'
+        value: 'headers-are-fun'
+        always: true
 php_version: "{{ php_default_version }}"
 web_root_dir_name: wwwroot
 web_application: php

diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -44,6 +44,23 @@
           - curl_unauth_result.failed
           - '"401 Unauthorized" in curl_unauth_result.stdout or "401 Unauthorized" in curl_unauth_result.stderr'
 
+    - name: Output running nginx config
+      command: /usr/sbin/nginx -T
+      register: nginx_config
+
+    - name: Debug nginx_config
+      debug:
+        var: nginx_config
+
+    - name: Run a new test to examine headers
+      command: curl --fail -sSLI http://test:test@{{ nginx_server_name }}/molecule-curl-test.php --resolve {{ nginx_server_name }}:80:127.0.0.1
+      register: curl_headers_result
+
+    - name: Make sure our x-foo header was present in the response.
+      assert:
+        that:
+          - '"x-molecule-foo: headers-are-fun" in curl_headers_result.stdout'
+
 
 - name: Verify role part 2 - change PHP version on the vhost to make sure things don't blow up.
   hosts: all

diff --git a/templates/etc/nginx/sites-available/ACCOUNT-PROJECT.conf.j2 b/templates/etc/nginx/sites-available/ACCOUNT-PROJECT.conf.j2
@@ -4,6 +4,9 @@
 server {
   listen {{ listener.port | default('80') }}
 {%- if listener.ssl | default(false) %} ssl {%- if listener.http2 | default(true) %} http2 {%- endif -%}{%- endif -%};
+{% for header in listener.add_headers|default([]) %}
+  add_header {{ header.name }} "{{ header.value }}"{{ header.always | default(false) | ternary(' always', '') }};
+{% endfor %}
   server_name {{ listener.server_name }} {{ (listener.aliases | default([])) | join(' ') }};
   access_log {{ nginx_access_log_conf }};
   error_log /var/log/vhosts/{{ linux_owner }}/{{ project }}/nginx-error.log;