New configuration options for the virtualhost.

Andrea Dell'Amico 2022-05-01 15:36:33 +02:00
parent b6d005a3b5
commit 3d8f2f46c9
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
2 changed files with 27 additions and 6 deletions


@ -94,6 +94,7 @@ nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT
# Set them only if the application behind the server does not set them by itself.
nginx_set_xss_protection: False
nginx_set_content_security_options: False
nginx_disable_content_security_options: False
# Choiches: 'self', 'none', a list of domains
nginx_content_security_src_acl:
- "'self'"
@ -144,11 +145,13 @@ nginx_robots_disallowed_useragent_list:
nginx_robots_disallowed_uris: False
nginx_robots_disallowed_uris_list: []
# List any options here, ending with ;
nginx_use_common_virthost: False
#
# Virtualhost example
nginx_virthosts: []
# - virthost_name: '{{ ansible_fqdn }}'
# plain_http_enabled: True
# listen: '{{ http_port }}'
# server_name: '{{ ansible_fqdn }}'
# server_aliases: ''
@ -163,6 +166,7 @@ nginx_virthosts: []
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
# root: {{ nginx_webroot }}
# server_tokens: 'off'
# additional_options: []
# proxy_standard_setup: True
# proxy_additional_options:
# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
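Review bot: `nginx_disable_content_security_options` is added in the first hunk with no comment, and its effect is stronger than the name suggests. In the template it is only read inside the `nginx_set_content_security_options` branch, after `proxy_hide_header Content-Security-Policy;` has already dropped the backend's policy. With both flags true the response therefore carries no usable CSP (as far as I know nginx does not emit an `add_header` whose value is empty), so the `frame-src` / `frame-ancestors` restrictions are gone. I would add above the variable: `# Only honoured when nginx_set_content_security_options is True: hides the backend CSP and sends none.` and `# Leave False unless framing restrictions are enforced elsewhere.`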


@ -16,6 +16,8 @@ upstream {{ u_bk.name }} {
{% endfor %}
{% endif %}
{% if item.plain_http_enabled | default(True) %}
server {
listen {{ item.http_port | default ('80') }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
@ -54,6 +56,9 @@ server {
{% endif %}
{% if nginx_set_content_security_options %}
proxy_hide_header Content-Security-Policy;
{% if nginx_disable_content_security_options %}
add_header Content-Security-Policy "";
{% else %}
add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ s }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
@ -126,6 +131,10 @@ server {
{% endif %}
{% endif %}
{% for global_opt in item.additional_options %}
{{ global_opt }}
{% endfor %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
@ -148,13 +157,13 @@ server {
{% if nginx_cors_enabled %}
{% if not nginx_cors_global %}
{% if location.cors is defined and location.cors %}
include /etc/nginx/snippets/nginx-cors.conf;
include /etc/nginx/snippets/nginx-cors.conf;
{% endif %}
{% endif %}
{% endif %}
{% if location.target is defined %}
proxy_pass {{ location.target }};
proxy_pass {{ location.target }};
{% elif location.php_target is defined %}
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
@ -181,7 +190,7 @@ server {
{% endfor %}
{% endif %}
{% if location.other_opts is defined %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
@ -198,6 +207,7 @@ server {
{% endif %}
}
{% endif %}
{% if item.ssl_enabled %}
server {
@ -271,6 +281,9 @@ server {
{% endif %}
{% if nginx_set_content_security_options %}
proxy_hide_header Content-Security-Policy;
{% if nginx_disable_content_security_options %}
add_header Content-Security-Policy "";
{% else %}
add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ s }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
@ -303,6 +316,10 @@ server {
{% endfor %}
{% endif %}
{% for global_opt in item.additional_options %}
{{ global_opt }}
{% endfor %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
@ -324,13 +341,13 @@ server {
{% if nginx_cors_enabled %}
{% if not nginx_cors_global %}
{% if location.cors is defined and location.cors %}
include /etc/nginx/snippets/nginx-cors.conf;
include /etc/nginx/snippets/nginx-cors.conf;
{% endif %}
{% endif %}
{% endif %}
{% if location.target is defined %}
proxy_pass {{ location.target }};
proxy_pass {{ location.target }};
{% elif location.php_target is defined %}
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
@ -357,7 +374,7 @@ server {
{% endfor %}
{% endif %}
{% if location.other_opts is defined %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
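Review bot: The new `{% for global_opt in item.additional_options %}` loop, added to both the plain-HTTP and the SSL server block, iterates a key that existing `nginx_virthosts` entries will not define, so rendering is likely to fail with an undefined-variable error for any virtualhost that has not been updated. The neighbouring `location.other_opts` loop is guarded with `is defined`; the same protection here can be a one-line change, `{% for global_opt in item.additional_options | default([]) %}`. Each entry is written verbatim into the server context with no trailing `;` added by the template (unlike `{{ opt }};` for `other_opts`), so a short comment stating that every entry must be a complete, trusted nginx directive ending in `;` would help. The enclosing server blocks start and end outside these hunks.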