From 41855abc259b7b48e0c41c840036de65681b15b8 Mon Sep 17 00:00:00 2001
From: Dale Anderson <634971+dale-c-anderson@users.noreply.github.com>
Date: Mon, 6 May 2024 12:47:01 -0700
Subject: [PATCH] Add support for not only HSTS, but any other arbitrary headers needed. (#44)
* Add support for not only HSTS, but any other arbitrary headers needed.
Closes #43
* Test headers with molecule
* Find out why test fails
---
README.md | 4 ++++
defaults/main.yml | 2 +-
molecule/default/group_vars/all.yml | 4 ++++
molecule/default/verify.yml | 17 +++++++++++++++++
.../sites-available/ACCOUNT-PROJECT.conf.j2 | 3 +++
5 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d826786..1c300a2 100644
--- a/README.md
+++ b/README.md
@@ -112,6 +112,10 @@ nginx_listeners: - port: 443 ssl: true http2: true
+ add_headers:
+ - name: Strict-Transport-Security
+ value: "max-age=31536000; includeSubDomains"
+ always: true server_name: www.example.com aliases: - example.com
diff --git a/defaults/main.yml b/defaults/main.yml
index 121d96a..7403457 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -39,7 +39,7 @@ ssl_protocols: 'TLSv1.2' default_document: 'index.html index.php' web_application: 'undefined'
-nginx_aliases: []
+nginx_aliases: [] # Deprecated and ignored. Use nginx_listeners[] instead. # Location patterns to help enforce security. nginx_drupal_uploads_dir_pattern: '/sites/.*/files' # Don't include a trailing slash.
diff --git a/molecule/default/group_vars/all.yml b/molecule/default/group_vars/all.yml
index c1780a9..f82b339 100644
--- a/molecule/default/group_vars/all.yml
+++ b/molecule/default/group_vars/all.yml
@@ -29,6 +29,10 @@ nginx_server_name: www.bigcorp.com nginx_listeners: - server_name: "{{ nginx_server_name }}" port: 80
+ add_headers:
+ - name: 'x-molecule-foo'
+ value: 'headers-are-fun'
+ always: true php_version: "{{ php_default_version }}" web_root_dir_name: wwwroot web_application: php 
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index 8a31986..f3269b9 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -44,6 +44,23 @@ - curl_unauth_result.failed - '"401 Unauthorized" in curl_unauth_result.stdout or "401 Unauthorized" in curl_unauth_result.stderr'
+ - name: Output running nginx config
+ command: /usr/sbin/nginx -T
+ register: nginx_config
+
+ - name: Debug nginx_config
+ debug:
+ var: nginx_config
+
+ - name: Run a new test to examine headers
+ command: curl --fail -sSLI http://test:test@{{ nginx_server_name }}/molecule-curl-test.php --resolve {{ nginx_server_name }}:80:127.0.0.1
+ register: curl_headers_result
+
+ - name: Make sure our x-foo header was present in the response.
+ assert:
+ that:
+ - '"x-molecule-foo: headers-are-fun" in curl_headers_result.stdout'
+ - name: Verify role part 2 - change PHP version on the vhost to make sure things don't blow up. hosts: all
diff --git a/templates/etc/nginx/sites-available/ACCOUNT-PROJECT.conf.j2 b/templates/etc/nginx/sites-available/ACCOUNT-PROJECT.conf.j2
index 26c0846..06ef07d 100644
--- a/templates/etc/nginx/sites-available/ACCOUNT-PROJECT.conf.j2
+++ b/templates/etc/nginx/sites-available/ACCOUNT-PROJECT.conf.j2
@@ -4,6 +4,9 @@ server { listen {{ listener.port | default('80') }} {%- if listener.ssl | default(false) %} ssl {%- if listener.http2 | default(true) %} http2 {%- endif -%}{%- endif -%};
+{% for header in listener.add_headers|default([]) %}
+ add_header {{ header.name }} "{{ header.value }}"{{ header.always | default(false) | ternary(' always', '') }};
+{% endfor %} server_name {{ listener.server_name }} {{ (listener.aliases | default([])) | join(' ') }}; access_log {{ nginx_access_log_conf }}; error_log /var/log/vhosts/{{ linux_owner }}/{{ project }}/nginx-error.log;
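Review bot: The `Output running nginx config` and `Debug nginx_config` tasks at the top of the hunk dump the whole rendered nginx configuration (`nginx -T`, every vhost, every include) into the molecule log on each run, which the commit message ("Find out why test fails") suggests was troubleshooting rather than part of the verification; either drop both tasks or keep the dump hidden unless explicitly requested by adding `verbosity: 1` under `var: nginx_config`. The new assertion is a case-sensitive substring match on `curl_headers_result.stdout`, which passes because nginx emits the name exactly as written in the config, but `curl_headers_result.stdout is regex('^x-molecule-foo: headers-are-fun', ignorecase=True, multiline=True)` would keep the check valid if the header name casing ever changes on either side. The play these tasks belong to starts before the hunk.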
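Review bot: `header.name` and `header.value` are interpolated into the nginx config unescaped on the new `add_header` line, so a value containing `"`, a backslash or a line break ends the quoted string and whatever follows is parsed as further directives, and a name containing whitespace does the same; these come from role variables rather than request data, so the exposure is a bad or untrusted inventory, but it is cheap to close, e.g. `add_header {{ header.name }} "{{ header.value | replace('\\', '\\\\') | replace('"', '\\"') }}"{{ header.always | default(false) | ternary(' always', '') }};`, or more strictly an `assert` task in the role that restricts `header.name` to `^[A-Za-z0-9-]+$` and rejects CR/LF in `header.value`. Separately, nginx only inherits server-level `add_header` into a `location` that declares no `add_header` of its own, so if any location block elsewhere in this template sets one, the headers emitted here, including the HSTS example from the README, will be silently absent on responses served from that location; a comment above the loop such as `# NOTE: add_header is not inherited into any location {} that sets its own add_header — repeat these there if needed` would flag that for operators. The enclosing `server {` block starts and ends outside the hunk.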