diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 314b327..27817db 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -20,6 +20,7 @@
 loop:
 - {src: nginx.conf.j2, dest: /etc/nginx/nginx.conf}
 - {src: nginx.ssl.conf.j2, dest: /etc/nginx/nginx.ssl.conf}
+ - {src: nginx.other_headers.conf.j2, dest: /etc/nginx/nginx.other_headers.conf}
 - {src: fastcgi_params.j2, dest: /etc/nginx/fastcgi_params}
 - {src: proxy_params.j2, dest: /etc/nginx/proxy_params}
 - {src: default.j2, dest: /etc/nginx/sites-available/default}
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index bfb3627..165dda7 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -54,6 +54,9 @@ http {
 gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
 include nginx.ssl.conf;
+{% if inventory_hostname != 'pt1.dmz.mateu.be' %}
+ include nginx.other_headers.conf;
+{% endif %}
 ## FLoC off Google!
 add_header Permissions-Policy interest-cohort=();
diff --git a/roles/nginx/templates/nginx.other_headers.conf.j2 b/roles/nginx/templates/nginx.other_headers.conf.j2
new file mode 100644
index 0000000..67b3f4a
--- /dev/null
+++ b/roles/nginx/templates/nginx.other_headers.conf.j2
@@ -0,0 +1,4 @@
+ # Other security headers
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Xss-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
diff --git a/roles/nginx/templates/nginx.ssl.conf.j2 b/roles/nginx/templates/nginx.ssl.conf.j2
index 712dd41..acad5b2 100644
--- a/roles/nginx/templates/nginx.ssl.conf.j2
+++ b/roles/nginx/templates/nginx.ssl.conf.j2
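Review bot: The host exclusion `{% if inventory_hostname != 'pt1.dmz.mateu.be' %}` around the new include carries no comment explaining why that one host must not send X-Frame-Options and X-Content-Type-Options, and it hardcodes an inventory hostname into a role template. Before this change those headers came from nginx.ssl.conf, which the same block includes unconditionally, so that host now loses all three headers rather than getting a different value for one of them; if the intent is only to permit framing there, a per-host override of the X-Frame-Options value would be the narrower change. Moving the decision into inventory keeps the role reusable: `{% if nginx_other_headers | default(true) %}` in the template and `nginx_other_headers: false` in that host's host_vars (variable name constructed here). The enclosing `http {` block starts above the hunk, so whether any server or location block below declares its own `add_header` (which would make nginx drop these http-level headers for that block) cannot be checked from here.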
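Review bot: `add_header X-Xss-Protection "1; mode=block" always;` in the new file turns on a legacy browser XSS auditor that most current browsers have removed, and which in the engines that still honour it has been associated with cross-site information leaks; current OWASP guidance is to send `0` (or omit the header) and rely on a Content-Security-Policy for XSS defence, i.e. `add_header X-Xss-Protection "0" always;`. The file should also carry a note about nginx's `add_header` inheritance rule, since these directives live at http level: a comment such as `# NOTE: add_header is not inherited into any server/location block that sets its own add_header; repeat these there` at the top would stop the headers silently disappearing in such blocks. The file is rendered as a Jinja template yet contains no template syntax, so the `.j2` suffix only serves the copy task in roles/nginx/tasks/main.yml.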
@@ -24,8 +24,3 @@
 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
-
- # Other security headers
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Xss-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;