diff --git a/defaults/main.yml b/defaults/main.yml
index 882b99a..280f837 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -94,6 +94,7 @@ nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT
 # Set them only if the application behind the server does not set them by itself.
 nginx_set_xss_protection: False
 nginx_set_content_security_options: False
+nginx_disable_content_security_options: False
 # Choiches: 'self', 'none', a list of domains
 nginx_content_security_src_acl:
 - "'self'"
@@ -144,11 +145,13 @@ nginx_robots_disallowed_useragent_list:
 nginx_robots_disallowed_uris: False
 nginx_robots_disallowed_uris_list: []
 
+# List any options here, ending with ;
 nginx_use_common_virthost: False
 #
 # Virtualhost example
 nginx_virthosts: []
 # - virthost_name: '{{ ansible_fqdn }}'
+# plain_http_enabled: True
 # listen: '{{ http_port }}'
 # server_name: '{{ ansible_fqdn }}'
 # server_aliases: ''
@@ -163,6 +166,7 @@ nginx_virthosts: []
 # ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
 # root: {{ nginx_webroot }}
 # server_tokens: 'off'
+# additional_options: []
 # proxy_standard_setup: True
 # proxy_additional_options:
 # - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
diff --git a/templates/nginx-virthost.j2 b/templates/nginx-virthost.j2
index c5133e2..8bf8ead 100644
--- a/templates/nginx-virthost.j2
+++ b/templates/nginx-virthost.j2
@@ -16,6 +16,8 @@ upstream {{ u_bk.name }} {
 {% endfor %}
 {% endif %}
 
+
+{% if item.plain_http_enabled | default(True) %}
 server {
 listen {{ item.http_port | default ('80') }};
 server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
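Review bot: `nginx_disable_content_security_options` is introduced without a comment, and its effect is not self-evident from the name: in templates/nginx-virthost.j2 it is only evaluated inside `{% if nginx_set_content_security_options %}`, so it is a no-op unless that parent flag is also True, and when both are True the template still emits `proxy_hide_header Content-Security-Policy;` but replaces the frame-src/frame-ancestors policy with an empty header. A comment above the new line would spare operators from reading the template: `# Only evaluated when nginx_set_content_security_options is True: the upstream CSP header is still hidden, but no policy of our own is sent.` If the flag is meant to be independent of the parent one, the template nesting is what should change, not this comment.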
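Review bot: The added comment `# List any options here, ending with ;` sits above `nginx_use_common_virthost: False`, a boolean that takes no options; it appears to describe the `additional_options: []` example added in the next hunk (@@ -163), where it would be self-explanatory as `#     additional_options: []  # extra server-level directives, each ending with ;`. Likewise the new `plain_http_enabled: True` example says nothing about what False does; from the template change it skips the whole plain-HTTP `server {}` block, so a trailing comment such as `# False: no plain-HTTP server block is rendered` would help.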
@@ -54,6 +56,9 @@ server {
 {% endif %}
 {% if nginx_set_content_security_options %}
 proxy_hide_header Content-Security-Policy;
+ {% if nginx_disable_content_security_options %}
+ add_header Content-Security-Policy "";
+ {% else %}
 add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ s }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";
 {% endif %}
 server_tokens {{ item.server_tokens | default('off') }};
@@ -126,6 +131,10 @@ server {
 {% endif %}
 {% endif %}
 
+ {% for global_opt in item.additional_options %}
+ {{ global_opt }}
+ {% endfor %}
+
 {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
 # Proxy stuff
 
@@ -148,13 +157,13 @@ server {
 {% if nginx_cors_enabled %}
 {% if not nginx_cors_global %}
 {% if location.cors is defined and location.cors %}
- include /etc/nginx/snippets/nginx-cors.conf;
+ include /etc/nginx/snippets/nginx-cors.conf;
 {% endif %}
 {% endif %}
 {% endif %}
 
 {% if location.target is defined %}
- proxy_pass {{ location.target }};
+ proxy_pass {{ location.target }};
 {% elif location.php_target is defined %}
 try_files $uri =404;
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
@@ -181,7 +190,7 @@ server {
 {% endfor %}
 {% endif %}
 
- {% if location.other_opts is defined %}
+ {% if location.other_opts is defined %}
 {% for opt in location.other_opts %}
 {{ opt }};
 {% endfor %}
@@ -198,6 +207,7 @@ server {
 {% endif %}
 }
 
+{% endif %}
 
 {% if item.ssl_enabled %}
 server {
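Review bot: The new `{% if nginx_disable_content_security_options %}` / `{% else %}` pair is nested inside `{% if nginx_set_content_security_options %}`, but only the one pre-existing `{% endif %}` follows the second add_header, so the outer if is never closed and Jinja should reject the template — unless a matching endif exists outside the hunk, which the context line `server_tokens ...` directly after the endif makes unlikely. Add a second `{% endif %}` after the existing one; the identical hunk at @@ -271 in the SSL server block has the same problem. Separately, nginx skips an `add_header` whose value expands to an empty string (verify against your nginx version), so with the flag on the server sends no Content-Security-Policy at all while `proxy_hide_header` above still strips the backend's; if the intent is to let the backend's own policy through, that directive also belongs in the else branch.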
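Review bot: `{% for global_opt in item.additional_options %}` has no default, so every existing virthost definition that does not set `additional_options` now fails to render with an undefined-attribute error while `error_on_undefined_vars` is at its default; the defaults hunk only adds the key to the commented example, not to a real default. Use `{% for global_opt in item.additional_options | default([]) %}`, and the same at @@ -303. Unlike the `location.other_opts` loop further down, which appends `;` to each entry, this loop emits the entry verbatim, so the "ending with ;" requirement should be stated where it applies, e.g. `{# each entry is a complete nginx directive, including the trailing ; #}` above the for.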
@@ -271,6 +281,9 @@ server {
 {% endif %}
 {% if nginx_set_content_security_options %}
 proxy_hide_header Content-Security-Policy;
+ {% if nginx_disable_content_security_options %}
+ add_header Content-Security-Policy "";
+ {% else %}
 add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ s }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";
 {% endif %}
 server_tokens {{ item.server_tokens | default('off') }};
@@ -303,6 +316,10 @@ server {
 {% endfor %}
 {% endif %}
 
+ {% for global_opt in item.additional_options %}
+ {{ global_opt }}
+ {% endfor %}
+
 {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
 # Proxy stuff
 
@@ -324,13 +341,13 @@ server {
 {% if nginx_cors_enabled %}
 {% if not nginx_cors_global %}
 {% if location.cors is defined and location.cors %}
- include /etc/nginx/snippets/nginx-cors.conf;
+ include /etc/nginx/snippets/nginx-cors.conf;
 {% endif %}
 {% endif %}
 {% endif %}
 
 {% if location.target is defined %}
- proxy_pass {{ location.target }};
+ proxy_pass {{ location.target }};
 {% elif location.php_target is defined %}
 try_files $uri =404;
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
@@ -357,7 +374,7 @@ server {
 {% endfor %}
 {% endif %}
 
- {% if location.other_opts is defined %}
+ {% if location.other_opts is defined %}
 {% for opt in location.other_opts %}
 {{ opt }};
 {% endfor %}