From e133e38764718e6a0891df0232b61d3baa66b15d Mon Sep 17 00:00:00 2001
From: VC
Date: Fri, 5 Jul 2024 11:53:37 +0200
Subject: [PATCH] feat: create an exception to embed iframe for peertube
---
 roles/nginx/tasks/main.yml | 1 +
 roles/nginx/templates/nginx.conf.j2 | 3 +++
 roles/nginx/templates/nginx.other_headers.conf.j2 | 4 ++++
 roles/nginx/templates/nginx.ssl.conf.j2 | 5 -----
 4 files changed, 8 insertions(+), 5 deletions(-)
 create mode 100644 roles/nginx/templates/nginx.other_headers.conf.j2
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 314b327..27817db 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -20,6 +20,7 @@
 loop:
 - {src: nginx.conf.j2, dest: /etc/nginx/nginx.conf}
 - {src: nginx.ssl.conf.j2, dest: /etc/nginx/nginx.ssl.conf}
+ - {src: nginx.other_headers.conf.j2, dest: /etc/nginx/nginx.other_headers.conf}
 - {src: fastcgi_params.j2, dest: /etc/nginx/fastcgi_params}
 - {src: proxy_params.j2, dest: /etc/nginx/proxy_params}
 - {src: default.j2, dest: /etc/nginx/sites-available/default}
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index bfb3627..165dda7 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -54,6 +54,9 @@ http {
 gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
 include nginx.ssl.conf;
+{% if inventory_hostname != 'pt1.dmz.mateu.be' %}
+ include nginx.other_headers.conf;
+{% endif %}
 ## FLoC off Google!
 add_header Permissions-Policy interest-cohort=();
diff --git a/roles/nginx/templates/nginx.other_headers.conf.j2 b/roles/nginx/templates/nginx.other_headers.conf.j2
new file mode 100644
index 0000000..67b3f4a
--- /dev/null
+++ b/roles/nginx/templates/nginx.other_headers.conf.j2
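Review bot: The `{% if inventory_hostname != 'pt1.dmz.mateu.be' %}` guard in roles/nginx/templates/nginx.conf.j2 skips the whole of nginx.other_headers.conf, so the PeerTube host loses `X-Content-Type-Options "nosniff"` along with the `X-Frame-Options` header that the iframe exception actually needs relaxed. With no framing header from this role, every page on that host, not only the embed player, can be framed by any origin unless the PeerTube vhost or the application sets its own policy, which is not visible in this patch. Narrowing the condition to the one `add_header X-Frame-Options "SAMEORIGIN" always;` line and leaving the other headers unconditional would keep the exception as small as the commit title describes. A host variable read from inventory (constructed example name: `{% if not nginx_allow_framing | default(false) %}`) would also be easier to audit than an FQDN hard-coded in a shared template. The `http` block starts and ends outside the hunk.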
@@ -0,0 +1,4 @@
+ # Other security headers
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Xss-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
diff --git a/roles/nginx/templates/nginx.ssl.conf.j2 b/roles/nginx/templates/nginx.ssl.conf.j2
index 712dd41..acad5b2 100644
--- a/roles/nginx/templates/nginx.ssl.conf.j2
+++ b/roles/nginx/templates/nginx.ssl.conf.j2
@@ -24,8 +24,3 @@
 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
-
- # Other security headers
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Xss-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;
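Review bot: The new nginx.other_headers.conf.j2 carries no comment about nginx's `add_header` inheritance, which matters now that the file is an optional include at `http` level: a `server` or `location` block that declares any `add_header` of its own stops inheriting these three headers. I would add a first line such as `# add_header is inherited only by blocks that define no add_header themselves; include this file again in any block that does.` Separately, `X-Xss-Protection "1; mode=block"` addresses a legacy browser XSS filter that current browsers have removed, and current guidance is to send `0` or omit the header and rely on a Content-Security-Policy. A `Content-Security-Policy` header with `frame-ancestors 'self'` is the standards-track counterpart of `X-Frame-Options "SAMEORIGIN"` and could be sent alongside it.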