diff --git a/README.md b/README.md
index 35fcba0..d0a9de0 100644
--- a/README.md
+++ b/README.md
@@ -365,6 +365,15 @@ nginx_http_template:
 auth_basic_user_file: null
 try_files: $uri $uri/index.html $uri.html =404
 #auth_request: /auth
+ add_headers:
+ strict_transport_security:
+ name: Strict-Transport-Security
+ value: max-age=15768000; includeSubDomains
+ always: true
+ #header_name:
+ #name: Header-X
+ #value: Value-X
+ #always: false
 ssl:
 cert: /etc/ssl/certs/default.crt
 key: /etc/ssl/private/default.key
@@ -377,6 +386,15 @@ nginx_http_template:
 locations:
 default:
 location: /
+ add_headers:
+ strict_transport_security:
+ name: Strict-Transport-Security
+ value: max-age=15768000; includeSubDomains
+ always: true
+ #header_name:
+ #name: Header-X
+ #value: Value-X
+ #always: false
 html_file_location: /usr/share/nginx/html
 html_file_name: index.html
 autoindex: false
@@ -412,6 +430,15 @@ nginx_http_template:
 locations:
 backend:
 location: /
+ add_headers:
+ strict_transport_security:
+ name: Strict-Transport-Security
+ value: max-age=15768000; includeSubDomains
+ always: true
+ #header_name:
+ #name: Header-X
+ #value: Value-X
+ #always: false
 proxy_connect_timeout: null
 proxy_pass: http://backend
 #proxy_pass_request_body: off
diff --git a/defaults/main.yml b/defaults/main.yml
index 11e2c56..6277d74 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -177,6 +177,15 @@ nginx_http_template:
 auth_basic_user_file: null
 try_files: $uri $uri/index.html $uri.html =404
 #auth_request: /auth
+ add_headers:
+ strict_transport_security:
+ name: Strict-Transport-Security
+ value: max-age=15768000; includeSubDomains
+ always: true
+ #header_name:
+ #name: Header-X
+ #value: Value-X
+ #always: false
 ssl:
 cert: /etc/ssl/certs/default.crt
 key: /etc/ssl/private/default.key
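Review bot: The defaults now ship an active HSTS header with `includeSubDomains` at the server level (the `+ add_headers:` block under `auth_basic_user_file`), while the only other example header in the same block is commented out (`#header_name:`). If these defaults are rendered as-is on a host, every browser that sees the response pins that host and all of its subdomains to HTTPS for 15768000 seconds (about six months), which cannot be undone from the server side; whether the defaults are rendered without the user opting in is not visible in this diff, so confirm that before merging. Either comment the example out like its sibling or document the consequence next to it, e.g. `# includeSubDomains binds every subdomain to HTTPS for max-age; drop it if any subdomain is HTTP-only`. The same block is repeated in the two defaults hunks on the next line (`@@ -189` and `@@ -224`) and in the three README hunks.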
@@ -189,6 +198,15 @@ nginx_http_template:
 locations:
 default:
 location: /
+ add_headers:
+ strict_transport_security:
+ name: Strict-Transport-Security
+ value: max-age=15768000; includeSubDomains
+ always: true
+ #header_name:
+ #name: Header-X
+ #value: Value-X
+ #always: false
 html_file_location: /usr/share/nginx/html
 html_file_name: index.html
 autoindex: false
@@ -224,6 +242,15 @@ nginx_http_template:
 locations:
 backend:
 location: /
+ add_headers:
+ strict_transport_security:
+ name: Strict-Transport-Security
+ value: max-age=15768000; includeSubDomains
+ always: true
+ #header_name:
+ #name: Header-X
+ #value: Value-X
+ #always: false
 proxy_connect_timeout: null
 proxy_pass: http://backend
 #proxy_pass_request_body: off
diff --git a/templates/http/default.conf.j2 b/templates/http/default.conf.j2
index bd53dd5..4855394 100644
--- a/templates/http/default.conf.j2
+++ b/templates/http/default.conf.j2
@@ -73,6 +73,11 @@ server {
 listen {{ item.value.port }};
 {% endif %}
 server_name {{ item.value.server_name | default('localhost') }};
+{% if item.value.add_headers is defined %}
+{% for header in item.value.add_headers %}
+ add_header {{ item.value.add_headers[header].name }} "{{ item.value.add_headers[header].value }}"{% if item.value.add_headers[header].always is defined and item.value.add_headers[header].always %} always{% endif %};
+{% endfor %}
+{% endif %}
 {% if item.value.auth_basic is defined and item.value.auth_basic %}
 auth_basic "{{ item.value.auth_basic }}";
 {% endif %}
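Review bot: The new `{% if item.value.add_headers is defined %}` guard lets a `null` value through, and `{% for header in item.value.add_headers %}` then fails at render time on a `None`; `null` is how this role marks unset keys elsewhere (`auth_basic_user_file: null` in the defaults), and the neighbouring context line already handles it with `is defined and item.value.auth_basic`, so use the same form here: `{% if item.value.add_headers is defined and item.value.add_headers %}`. Separately, `value` is interpolated inside nginx double quotes without escaping, so a `"` in a header value ends the string early and whatever follows is parsed as nginx configuration; a minimal guard is `"{{ item.value.add_headers[header].value | replace('"', '\\"') }}"`, and `name` is emitted bare, so a name containing whitespace or `;` breaks the directive the same way. Both points apply equally to the two location-level hunks on the next line (`@@ -101` and `@@ -222`).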
@@ -101,6 +106,11 @@ server {
 {% if item.value.reverse_proxy.locations[location].internal is sameas true %}
 internal;
 {% endif %}
+{% if item.value.reverse_proxy.locations[location].add_headers is defined %}
+{% for header in item.value.reverse_proxy.locations[location].add_headers %}
+ add_header {{ item.value.reverse_proxy.locations[location].add_headers[header].name }} "{{ item.value.reverse_proxy.locations[location].add_headers[header].value }}"{% if item.value.reverse_proxy.locations[location].add_headers[header].always is defined and item.value.reverse_proxy.locations[location].add_headers[header].always %} always{% endif %};
+{% endfor %}
+{% endif %}
 {% if item.value.reverse_proxy.locations[location].auth_request is defined %}
 auth_request {{ item.value.reverse_proxy.locations[location].auth_request }};
 {% endif %}
@@ -222,6 +232,11 @@ server {
 {% if item.value.web_server.locations[location].try_files is defined %}
 try_files {{ item.value.web_server.locations[location].try_files }};
 {% endif %}
+{% if item.value.web_server.locations[location].add_headers is defined %}
+{% for header in item.value.web_server.locations[location].add_headers %}
+ add_header {{ item.value.web_server.locations[location].add_headers[header].name }} "{{ item.value.web_server.locations[location].add_headers[header].value }}"{% if item.value.web_server.locations[location].add_headers[header].always is defined and item.value.web_server.locations[location].add_headers[header].always %} always{% endif %};
+{% endfor %}
+{% endif %}
 {% if item.value.web_server.locations[location].returns is defined %}
 {% for code in item.value.web_server.locations[location].returns %}
 {% if item.value.web_server.locations[location].returns[code] is defined %}
diff --git a/tests/playbooks/nginx-http-template.yml b/tests/playbooks/nginx-http-template.yml
index 7b9e3b3..18e91ac 100644
--- a/tests/playbooks/nginx-http-template.yml
+++ b/tests/playbooks/nginx-http-template.yml
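Review bot: Emitting `add_header` inside a location block changes more than the headers listed there: nginx inherits `add_header` directives from the enclosing level only when the current level defines none, so as soon as a location has its own `add_headers` the server-level headers (including the HSTS example this commit adds at server level) are no longer sent for that location unless they are repeated in it. Neither the template nor the defaults say so, and the shipped defaults only behave because they duplicate the HSTS entry at both levels. A Jinja comment at the top of each of the two new blocks (`@@ -106` in the reverse_proxy branch and `@@ -232` in the web_server branch) would spare users the surprise, e.g. `{# nginx does not merge add_header across levels: headers listed here replace the server-level set for this location #}`. The enclosing `location` blocks start and end outside both hunks.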
@@ -15,6 +15,11 @@
 port: 80
 server_name: localhost
 error_page: /usr/share/nginx/html
+ add_headers:
+ strict_transport_security:
+ name: Strict-Transport-Security
+ value: max-age=15768000; includeSubDomains
+ always: true
 reverse_proxy:
 proxy_cache_path:
 - path: /var/cache/nginx/proxy/frontend
@@ -46,6 +51,15 @@
 locations:
 frontend:
 location: /
+ add_headers:
+ strict_transport_security:
+ name: Strict-Transport-Security
+ value: max-age=15768000; includeSubDomains
+ always: true
+ another_header:
+ name: Fancy-New-Header-To-Test
+ value: testing=true
+ always: false
 proxy_pass: http://frontend_servers/
 proxy_cache: frontend_proxy_cache
 proxy_temp_path:
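Review bot: The server-level HSTS header in the first hunk sits on a server block whose context line is `port: 80`, and user agents ignore `Strict-Transport-Security` received over plain HTTP (RFC 6797 section 8.1), so this exercises the template branch but does not represent a working HSTS deployment; a comment such as `# rendered on a port-80 server only to exercise the template; clients ignore HSTS unless it arrives over TLS` would keep the next reader from treating it as coverage. In the second hunk, `another_header` with `always: false` is the only case for the omitted-`always` output, while a header entry with `always` left out entirely, the other half of the template's `is defined and ... always` check, is not exercised anywhere in the playbook as shown.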