From 1e03648387cf5efb9b7fdf99366b2d8a1f8d8ea0 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 7 Jan 2023 14:40:22 -0300
Subject: Adds x_frame_options and fix other params
---
 manifests/site.pp | 47 +++++++++++++++++++++++++++--------------------
 manifests/site/config.pp | 18 ++++++++++++------
 templates/site-ssl.erb | 2 +-
 3 files changed, 40 insertions(+), 27 deletions(-)
diff --git a/manifests/site.pp b/manifests/site.pp
index 983fc88..4455f45 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1,16 +1,17 @@
 define nginx::site(
- $ensure = present,
- $ssl = present,
- $source = 'template',
- $certbot = true,
- $template = 'site',
- $backend = 'weblocal',
- $aliases = "*.${name}",
- $cache = false,
- $cache_levels = '1:2',
- $cache_size = '10m',
- $cache_inactive = '600s',
- $cache_max_size = '1m',
+ $ensure = present,
+ $ssl = present,
+ $source = 'template',
+ $certbot = true,
+ $template = 'site',
+ $backend = 'weblocal',
+ $aliases = "*.${name}",
+ $cache = false,
+ $cache_levels = '1:2',
+ $cache_size = '10m',
+ $cache_inactive = '600s',
+ $cache_max_size = '1m',
+ $x_frame_options = 'DENY',
 ) {
 nginx::site::config { $name:
 ensure => $ensure,
@@ -32,17 +33,23 @@ define nginx::site(
 }
 
 nginx::site::config { "${name}-ssl":
- server_name => $name,
- ensure => $ensure ? {
+ server_name => $name,
+ ensure => $ensure ? {
 'present' => $ssl,
 default => absent,
 },
- source => $source,
- template => "${template}-ssl",
- backend => $backend,
- aliases => $aliases,
- require => $certbot ? {
- true => $ensure ? {
+ source => $source,
+ template => "${template}-ssl",
+ backend => $backend,
+ aliases => $aliases,
+ cache => $cache,
+ cache_levels => $cache_levels,
+ cache_size => $cache_size,
+ cache_inactive => $cache_inactive,
+ cache_max_size => $cache_max_size,
+ x_frame_options => $x_frame_options,
+ require => $certbot ? {
+ true => $ensure ? {
 'present' => Certbot::Manage[$name],
 default => undef,
 },
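Review bot: The new `$x_frame_options` parameter is untyped and unvalidated, both in this parameter list and in the matching parameter added to `nginx::site::config` in manifests/site/config.pp, while the templates/site-ssl.erb hunk writes it unquoted into an `add_header` directive. A value containing whitespace, `;` or a newline would alter the structure of the generated nginx configuration rather than just the header value, and a misspelled value yields a header that browsers ignore, silently removing the framing protection. If the module targets Puppet 4 or later, declaring it as `Enum['DENY', 'SAMEORIGIN'] $x_frame_options = 'DENY',` in both defines rejects anything else at catalog compilation; on older Puppet, a `validate_re` check (if stdlib is available to the module) would serve the same purpose.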
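Review bot: Only the `"${name}-ssl"` resource receives `x_frame_options => $x_frame_options`; the diff adds no line to the plain `nginx::site::config { $name: ... }` resource, whose body lies between the two hunks, so that instance always runs with the `'DENY'` default from config.pp. The commit also touches only templates/site-ssl.erb, so whatever the non-SSL template emits for this header is presumably unaffected by the parameter. If the plain-HTTP vhost serves content rather than only redirecting, a site declared with a non-default value ends up with a different framing policy per scheme. Passing `x_frame_options => $x_frame_options,` to the first resource as well, and using the variable in its template, would keep the two aligned.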
diff --git a/manifests/site/config.pp b/manifests/site/config.pp
index 9822795..0cdceea 100644
--- a/manifests/site/config.pp
+++ b/manifests/site/config.pp
@@ -1,10 +1,16 @@
 define nginx::site::config(
- $server_name = $name,
- $ensure = present,
- $source = 'template',
- $template = 'site',
- $backend = 'weblocal',
- $aliases = "*.${name}",
+ $server_name = $name,
+ $ensure = present,
+ $source = 'template',
+ $template = 'site',
+ $backend = 'weblocal',
+ $aliases = "*.${name}",
+ $cache = false,
+ $cache_levels = '1:2',
+ $cache_size = '10m',
+ $cache_inactive = '600s',
+ $cache_max_size = '1m',
+ $x_frame_options = 'DENY',
 ){
 case $source {
 'file': {
diff --git a/templates/site-ssl.erb b/templates/site-ssl.erb
index 5b9ce04..c852954 100644
--- a/templates/site-ssl.erb
+++ b/templates/site-ssl.erb
@@ -15,7 +15,7 @@ server {
 # clickjacking protection
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
- add_header X-Frame-Options DENY;
+ add_header X-Frame-Options <%= @x_frame_options %>;
 
 location / {
 # preserve http header and set forwarded proto
--
cgit v1.2.3
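Review bot: The six parameters added to `nginx::site::config` carry no documentation, and the visible `case $source { 'file': {` branch suggests they are presumably ignored when a vhost is shipped as a static file instead of being rendered from a template. The body of the define continues outside the hunk, so that should be confirmed. A short header comment would keep users from setting a framing policy that never reaches the vhost, for example `# $x_frame_options: value of the X-Frame-Options header in template-rendered vhosts (default 'DENY'); not applied when source => 'file'`.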
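Review bot: `add_header` without the `always` parameter is emitted by nginx only for a fixed set of success and redirect status codes, so error responses from this vhost carry no X-Frame-Options header. Writing `add_header X-Frame-Options <%= @x_frame_options %> always;` would cover them on nginx 1.7.5 or later. nginx also drops inherited `add_header` directives in any block that declares its own, so if the `location /` block that continues below the hunk adds headers, the three server-level headers here do not apply to its responses. The `# clickjacking protection` comment sits two lines above the header it describes and would read better directly above the X-Frame-Options line.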