Add support for not only HSTS, but any other arbitrary headers needed.

Closes #43
AcroMedia · May 6, 2024 · c93847e · c93847e
1 parent dbe6345
commit c93847e
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -112,6 +112,10 @@ nginx_listeners:
   - port: 443
     ssl: true
     http2: true
+    add_headers:
+      - name: Strict-Transport-Security
+        value: "max-age=31536000; includeSubDomains"
+        always: true
     server_name: www.example.com
     aliases:
       - example.com

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -39,7 +39,7 @@ ssl_protocols: 'TLSv1.2'
 default_document: 'index.html index.php'
 web_application: 'undefined'
 
-nginx_aliases: []
+nginx_aliases: []  # Deprecated and ignored. Use nginx_listeners[] instead.
 
 # Location patterns to help enforce security.
 nginx_drupal_uploads_dir_pattern: '/sites/.*/files'   #  Don't include a trailing slash.

diff --git a/templates/etc/nginx/sites-available/ACCOUNT-PROJECT.conf.j2 b/templates/etc/nginx/sites-available/ACCOUNT-PROJECT.conf.j2
@@ -4,6 +4,9 @@
 server {
   listen {{ listener.port | default('80') }}
 {%- if listener.ssl | default(false) %} ssl {%- if listener.http2 | default(true) %} http2 {%- endif -%}{%- endif -%};
+{% for header in listener.add_headers|default([]) %}
+  add_header {{ header.name }} "{{ header.value }}"{{ header.always | default(false) | ternary(' always', '') }};
+{% endfor %}
   server_name {{ listener.server_name }} {{ (listener.aliases | default([])) | join(' ') }};
   access_log {{ nginx_access_log_conf }};
   error_log /var/log/vhosts/{{ linux_owner }}/{{ project }}/nginx-error.log;