Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to use nginx::resource::vhost:add_header ? #899

Closed
leponot opened this issue Oct 5, 2016 · 10 comments
Closed

How to use nginx::resource::vhost:add_header ? #899

leponot opened this issue Oct 5, 2016 · 10 comments

Comments

@leponot
Copy link

leponot commented Oct 5, 2016

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 3.8.7
  • Ruby:
  • Distribution: CentOS 6 / 7
  • Module version: 4.0.0

Hi

sorry i'm a beginer with hiera,
how i can configure nginx::resource::vhost:add_header:

i want to add secure header but i have always this error : is not a hash

from my srv-reverse-01.xxxx.xx.yaml

nginx::nginx_vhosts:
'xxx.xxxx.xx':
proxy: 'xxx.xxxx.xx'
ssl: true
ssl_cert: /etc/pki/tls/certs/xxx.xxxx.xx.crt
ssl_key: /etc/pki/tls/private/xxx.xxxx.xx.key
rewrite_to_https: true
add_header: ??

for this value for example :
add_header X-Frame-Options SAMEORIGIN

templates/vhost/vhost_header.erb
<% if @add_header -%>
<%- @add_header.keys.sort.each do |key| -%>
add_header '<%= key %>' '<%= @add_header[key] %>';
<%- end -%>
<% end -%>

many thanks

regards
@wyardley
Copy link
Collaborator

wyardley commented Oct 7, 2016
edited
Loading

It's a hash:
https://github.com/voxpupuli/puppet-nginx/blob/master/manifests/resource/vhost.pp#L343
Basically, the key will be the header and the value will be its value.
So I think you'll want (untested):

nginx::nginx_vhosts:
  [...]
  add_header:
    X-Frame-Options: SAMEORIGIN

HTH. Even though the module is encouraging using hiera for data, there are a lot of improvements that could be made in terms of docs.

@leponot
Copy link
Author

leponot commented Oct 7, 2016
edited
Loading

thanks for your help

i try but always this error :

nginx::nginx_vhosts:
[...]
add_header:
X-Frame-Options: SAMEORIGIN

Error 400 on SERVER: Invalid parameter X-Frame-Options on Nginx::Resource::Vhost

working in my site file (.pp) with :
::nginx::resource::vhost {
[...]
add_header=> {
'X-Frame-Options' => 'SAMEORIGIN',
}
}

@wyardley
Copy link
Collaborator

wyardley commented Oct 7, 2016

Can you wrap your yaml in a code block?
I added a yaml file with the following, and applied it:

lana% cat throwaway_test.yaml 
nginx::nginx_vhosts:
  'foo.example.com':
    ssl: true
    ssl_cert: /etc/pki/tls/certs/server.crt
    ssl_key: /etc/pki/tls/private/server.key
    proxy: 'http://127.0.0.1:3000'
    rewrite_to_https: true
    add_header:
      X-Foo: Bar

and in the generated config for foo.example.com:

# MANAGED BY PUPPET
server {
  listen *:80;
  server_name           foo.example.com;

  add_header              'X-Foo' 'Bar';

@wyardley
Copy link
Collaborator

wyardley commented Oct 7, 2016

@leponot: does this help?

@leponot
Copy link
Author

leponot commented Oct 8, 2016

i try Monday when i m back to work

@Zophar78
Copy link
Contributor

Zophar78 commented Oct 12, 2016
edited
Loading

One issue here as there's no way to implement the always flag... one easy workaround might be to add the always flag in any cases in the vhost template...
This use-case might apply for SSL-Checker sites/tools that scan your site and for some reasons you've protected it so it lead to 403 http code... therefore don't add headers... What do you think about this one?
http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header

@wyardley
Copy link
Collaborator

@Zophar78 Which headers are you talking about re: always flag?
There is an option in the module to force the redirect to SSL, but guessing you're talking about something else?

@Zophar78
Copy link
Contributor

Forget the ssl topic... let's focus on the add_header directive:
In Nginx documentation it is said:

Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. A value can contain variables.
If the always parameter is specified (1.7.5), the header field will be added regardless of the response code."

So for some reasons i want my header to be added regardless of the response code i need to add the always flag like this:
add_header 'X-Foo' 'Bar' always;

And the current module implementation (Look at the template) doesn't allow it.

@wyardley
Copy link
Collaborator

@Zophar78: Yes, it doesn't look like that's possible in the current implementation.

That's a separate issue, though, as the OP doesn't have seemed to have had a need for that. I believe it should be possible to do that using the config append / prepend or raw append / prepend directives. Feel free to open a separate issue requesting that an optional 'always' flag be added as a feature (or a pull request implementing the feature and tests for it). I'm not sure how it would be implemented without breaking the current key => value pattern... maybe if the hash value is an string, use the current pattern, and if it's an array, with the second element as a boolean, toggle the 'always' flag.

@wyardley wyardley mentioned this issue Oct 13, 2016
Closed
@leponot
Copy link
Author

leponot commented Nov 14, 2016

Hello

i have found my problem, i have some tabulation on my config file...

after remove it, no more problem

thanks for your help

@leponot leponot closed this as completed Nov 14, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Zophar78 @leponot @wyardley