From 2441b7280df60b72417910e576070bc9beb96f20 Mon Sep 17 00:00:00 2001
From: Josh Samuelson
Date: Thu, 12 May 2016 09:09:16 -0700
Subject: [PATCH] Support for proxy_hide_header directive.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I need this to hide X-Frame-Options for a single location block. From nginx docs: By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed.
---
 manifests/config.pp | 2 ++
 manifests/init.pp | 3 +++
 manifests/resource/location.pp | 3 +++
 manifests/resource/vhost.pp | 3 +++
 spec/classes/config_spec.rb | 11 ++++++++++-
 spec/defines/resource_location_spec.rb | 9 +++++++++
 templates/conf.d/nginx.conf.erb | 3 +++
 templates/vhost/locations/proxy.erb | 5 +++++
 8 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index cdb989a32..4f8d7f0bf 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -93,6 +93,7 @@
 'X-Real-IP $remote_addr',
 'X-Forwarded-For $proxy_add_x_forwarded_for',
 ],
+ $proxy_hide_header = [],
 $sendfile = 'on',
 $server_tokens = 'on',
 $spdy = 'off',
@@ -121,6 +122,7 @@
 }
 validate_string($multi_accept)
 validate_array($proxy_set_header)
+ validate_array($proxy_hide_header)
 if ($proxy_http_version != undef) {
 validate_string($proxy_http_version)
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 55ee9c6de..cf3a85f20 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -61,6 +61,7 @@
 $proxy_redirect = undef,
 $proxy_send_timeout = undef,
 $proxy_set_header = undef,
+ $proxy_hide_header = undef,
 $sendfile = undef,
 $server_tokens = undef,
 $spdy = undef,
@@ -184,6 +185,7 @@
 $proxy_redirect or
 $proxy_send_timeout or
 $proxy_set_header or
+ $proxy_hide_header or
 $proxy_temp_path or
 $run_dir or
 $sendfile or
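Review bot: `validate_array($proxy_hide_header)` in the second manifests/config.pp hunk checks only that the value is an array, so each element still reaches the templates unchecked and is written verbatim into `proxy_hide_header <%= header %>;`. An element that is not a single header field name (it contains whitespace or `;`) yields a directive nginx rejects or extra configuration text, which matters when the list is fed from shared Hiera data. I would add a per-element check next to this line that every entry is a string matching a header-token pattern such as `^[A-Za-z0-9_-]+$`, and apply the same check at the matching `validate_array` lines added in manifests/resource/location.pp and manifests/resource/vhost.pp. The enclosing class body starts and ends outside the hunk.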
@@ -265,6 +267,7 @@
 proxy_redirect => $proxy_redirect,
 proxy_send_timeout => $proxy_send_timeout,
 proxy_set_header => $proxy_set_header,
+ proxy_hide_header => $proxy_hide_header,
 proxy_temp_path => $proxy_temp_path,
 run_dir => $run_dir,
 sendfile => $sendfile,
diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp
index 66c1e653c..291ddb443 100644
--- a/manifests/resource/location.pp
+++ b/manifests/resource/location.pp
@@ -31,6 +31,7 @@
 # [*proxy_connect_timeout*] - Override the default the proxy connect timeout
 # value of 90 seconds
 # [*proxy_set_header*] - Array of vhost headers to set
+# [*proxy_hide_header*] - Array of vhost headers to hide
 # [*fastcgi*] - location of fastcgi (host:port)
 # [*fastcgi_param*] - Set additional custom fastcgi_params
 # [*fastcgi_params*] - optional alternative fastcgi_params file to use
@@ -147,6 +148,7 @@
 $proxy_read_timeout = $::nginx::config::proxy_read_timeout,
 $proxy_connect_timeout = $::nginx::config::proxy_connect_timeout,
 $proxy_set_header = $::nginx::config::proxy_set_header,
+ $proxy_hide_header = $::nginx::config::proxy_hide_header,
 $fastcgi = undef,
 $fastcgi_param = undef,
 $fastcgi_params = "${::nginx::config::conf_dir}/fastcgi_params",
@@ -216,6 +218,7 @@
 validate_string($proxy_read_timeout)
 validate_string($proxy_connect_timeout)
 validate_array($proxy_set_header)
+ validate_array($proxy_hide_header)
 if ($fastcgi != undef) {
 validate_string($fastcgi)
 }
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
index ad37a095b..2e62e0b46 100644
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@@ -214,6 +214,7 @@
 $proxy_read_timeout = $::nginx::config::proxy_read_timeout,
 $proxy_connect_timeout = $::nginx::config::proxy_connect_timeout,
 $proxy_set_header = $::nginx::config::proxy_set_header,
+ $proxy_hide_header = $::nginx::config::proxy_hide_header,
 $proxy_cache = false,
 $proxy_cache_key = undef,
 $proxy_cache_use_stale = undef,
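Review bot: The new doc line `# [*proxy_hide_header*] - Array of vhost headers to hide` in the first manifests/resource/location.pp hunk does not say which headers are meant or from whom they are hidden. I would write `# [*proxy_hide_header*] - Array of response header fields from the proxied server that are not passed on to the client`, followed by a second comment line noting that hiding a security header such as X-Frame-Options removes that protection for every response served from the location. manifests/resource/vhost.pp gains the same parameter in this patch, but none of its three hunks adds a doc line for it.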
@@ -367,6 +368,7 @@
 validate_string($proxy_redirect)
 }
 validate_array($proxy_set_header)
+ validate_array($proxy_hide_header)
 if ($proxy_cache != false) {
 validate_string($proxy_cache)
 }
@@ -592,6 +594,7 @@
 proxy_cache_valid => $proxy_cache_valid,
 proxy_method => $proxy_method,
 proxy_set_header => $proxy_set_header,
+ proxy_hide_header => $proxy_hide_header,
 proxy_set_body => $proxy_set_body,
 fastcgi => $fastcgi,
 fastcgi_params => $fastcgi_params,
diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb
index 2207b790e..2e0680858 100644
--- a/spec/classes/config_spec.rb
+++ b/spec/classes/config_spec.rb
@@ -476,7 +476,7 @@
 :notmatch => 'proxy_http_version',
 },
 {
- :title => 'should contain ordered appended directives',
+ :title => 'should contain ordered appended proxy_set_header directives',
 :attr => 'proxy_set_header',
 :value => ['header1','header2'],
 :match => [
@@ -484,6 +484,15 @@
 ' proxy_set_header header2;',
 ],
 },
+ {
+ :title => 'should contain ordered appended proxy_hide_header directives',
+ :attr => 'proxy_hide_header',
+ :value => ['header1','header2'],
+ :match => [
+ ' proxy_hide_header header1;',
+ ' proxy_hide_header header2;',
+ ],
+ },
 {
 :title => 'should set client_body_temp_path',
 :attr => 'client_body_temp_path',
diff --git a/spec/defines/resource_location_spec.rb b/spec/defines/resource_location_spec.rb
index 30e102e1a..48e4a4b86 100644
--- a/spec/defines/resource_location_spec.rb
+++ b/spec/defines/resource_location_spec.rb
@@ -664,6 +664,15 @@
 /^\s+proxy_set_header\s+X-TestHeader2 value2;/,
 ]
 },
+ {
+ :title => 'should hide proxy headers',
+ :attr => 'proxy_hide_header',
+ :value => [ 'X-TestHeader1 value1', 'X-TestHeader2 value2' ],
+ :match => [
+ /^\s+proxy_hide_header\s+X-TestHeader1 value1;/,
+ /^\s+proxy_hide_header\s+X-TestHeader2 value2;/,
+ ]
+ },
 {
 :title => 'should set proxy_method',
 :attr => 'proxy_method',
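Review bot: The fixture values in the spec/defines/resource_location_spec.rb hunk, `'X-TestHeader1 value1'` and `'X-TestHeader2 value2'`, look copied from the proxy_set_header case, but proxy_hide_header takes a single field name, so the test pins output (`proxy_hide_header X-TestHeader1 value1;`) that nginx should refuse to load. Use bare names instead: `:value => [ 'X-TestHeader1', 'X-TestHeader2' ],` with the matches `/^\s+proxy_hide_header\s+X-TestHeader1;/` and `/^\s+proxy_hide_header\s+X-TestHeader2;/`. The surrounding test-case array starts and ends outside the hunk.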
diff --git a/templates/conf.d/nginx.conf.erb b/templates/conf.d/nginx.conf.erb
index 06b8f2f43..826707e1d 100644
--- a/templates/conf.d/nginx.conf.erb
+++ b/templates/conf.d/nginx.conf.erb
@@ -120,6 +120,9 @@ http {
 <% @proxy_set_header.each do |header| -%>
 proxy_set_header <%= header %>;
 <% end -%>
+<% @proxy_hide_header.each do |header| -%>
+ proxy_hide_header <%= header %>;
+<% end -%>
 <% if @proxy_headers_hash_bucket_size -%>
 proxy_headers_hash_bucket_size <%= @proxy_headers_hash_bucket_size %>;
 <% end -%>
diff --git a/templates/vhost/locations/proxy.erb b/templates/vhost/locations/proxy.erb
index 73d42bb6b..510c41511 100644
--- a/templates/vhost/locations/proxy.erb
+++ b/templates/vhost/locations/proxy.erb
@@ -13,6 +13,11 @@
 proxy_set_header <%= header %>;
 <%- end -%>
 <% end -%>
+<% unless @proxy_hide_header.nil? -%>
+ <%- @proxy_hide_header.each do |header| -%>
+ proxy_hide_header <%= header %>;
+ <%- end -%>
+<% end -%>
 <% if @proxy_cache -%>
 proxy_cache <%= @proxy_cache %>;
 <% end -%>
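Review bot: The location-level loop added in templates/vhost/locations/proxy.erb emits its own `proxy_hide_header` lines, and as far as I know nginx inherits this directive from the http level only when the location defines none, so a location that sets its own list replaces the global list rather than extending it. A header hidden globally through nginx.conf.erb (a backend version or internal routing header, say) would then be passed to clients again for that location. Either document this on the parameter or render the union of `$::nginx::config::proxy_hide_header` and the location value. The `unless @proxy_hide_header.nil?` guard also looks unreachable, since location.pp calls `validate_array($proxy_hide_header)` before the template is rendered.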