feat: add dynamic nginx environment variable to add additional headers

intershop · Jul 7, 2023 · d21b31c · d21b31c
1 parent 38d8662
commit d21b31c
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 1 deletion.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -96,6 +96,9 @@ services:
           - baseHref: /b2c
             channel: default
             theme: b2c
+      # ADDITIONAL_HEADERS: |
+      #   headers:
+      #     - X-Frame-Options: 'SAMEORIGIN'
 
     # Logging to an External Device (see logging.md)
     # volumes:

diff --git a/docs/guides/nginx-startup.md b/docs/guides/nginx-startup.md
@@ -136,6 +136,24 @@ Alternatively, the source can be supplied by setting `OVERRIDE_IDENTITY_PROVIDER
 
 If no environment variable is set, this feature is disabled.
 
+### Add additional headers
+
+For some security or functional reasons it is necessary to add additional headers to page responses.
+To make this feature more configurable, the environment variable `ADDITIONAL_HEADERS` is introduced.
+
+```yaml
+nginx:
+  environment:
+    ADDITIONAL_HEADERS: |
+      headers:
+        - header-a: 'value-a'
+        - header-b: 'value-b'
+```
+
+Alternatively, the source can be supplied by setting `ADDITIONAL_HEADERS_SOURCE` in any [supported format by gomplate](https://docs.gomplate.ca/datasources/).
+For every entry nginx will add this header to every possible response.
+To make the additional headers available during build-time, the value for the environment variable `ADDITIONAL_HEADERS` can be put into the [additional-headers.yaml](../../nginx/additional-headers.yaml) file.
+
 ### Other
 
 Built-in features can be enabled and disabled:

diff --git a/nginx/additional-headers.yaml b/nginx/additional-headers.yaml
@@ -0,0 +1 @@
+headers:
diff --git a/nginx/docker-entrypoint.d/40-gomplate.sh b/nginx/docker-entrypoint.d/40-gomplate.sh
@@ -29,4 +29,14 @@ then
   fi
 fi
 
-/gomplate -d "domains=$MULTI_CHANNEL_SOURCE" -d "overrideIdentityProviders=$OVERRIDE_IDENTITY_PROVIDERS_SOURCE" -d "cachingIgnoreParams=$CACHING_IGNORE_PARAMS_SOURCE" -d 'ipwhitelist=env:///BASIC_AUTH_IP_WHITELIST?type=application/yaml' --input-dir="/etc/nginx/templates" --output-map='/etc/nginx/conf.d/{{ .in | strings.ReplaceAll ".conf.tmpl" ".conf" }}'
+if [ -z "$ADDITIONAL_HEADERS_SOURCE" ]
+then
+  if [ -z "$ADDITIONAL_HEADERS" ]
+  then
+    ADDITIONAL_HEADERS_SOURCE="./additional-headers.yaml"
+  else
+    ADDITIONAL_HEADERS_SOURCE="env:///ADDITIONAL_HEADERS?type=application/yaml"
+  fi
+fi
+
+/gomplate -d "domains=$MULTI_CHANNEL_SOURCE" -d "overrideIdentityProviders=$OVERRIDE_IDENTITY_PROVIDERS_SOURCE" -d "cachingIgnoreParams=$CACHING_IGNORE_PARAMS_SOURCE" -d "additionalHeaders=$ADDITIONAL_HEADERS_SOURCE" -d 'ipwhitelist=env:///BASIC_AUTH_IP_WHITELIST?type=application/yaml' --input-dir="/etc/nginx/templates" --output-map='/etc/nginx/conf.d/{{ .in | strings.ReplaceAll ".conf.tmpl" ".conf" }}'
diff --git a/nginx/templates/add-header.conf.tmpl b/nginx/templates/add-header.conf.tmpl
@@ -0,0 +1,7 @@
+{{ $headers := (datasource "additionalHeaders").headers -}}
+
+{{- range $headers }}
+  {{- range $key, $val := (.) }}
+    add_header {{ $key }} "{{ $val }}";
+  {{- end}}
+{{- end }}
diff --git a/nginx/templates/multi-channel.conf.tmpl b/nginx/templates/multi-channel.conf.tmpl
@@ -169,6 +169,7 @@ server {
   {{ if (has $mapping "channel") }}
     location / {
         {{- tmpl.Exec "LOCATION_TEMPLATE" $mapping }}
+        include /etc/nginx/conf.d/add-header.conf;
     }
     location ^~ /sitemap_ {
         {{- tmpl.Exec "LOCATION_TEMPLATE_FOR_SITEMAP" $mapping }}
@@ -177,6 +178,7 @@ server {
     {{ range $mapping }}
     location {{ .baseHref }} {
         {{- tmpl.Exec "LOCATION_TEMPLATE" . }}
+        include /etc/nginx/conf.d/add-header.conf;
     }
     location ^~ {{ .baseHref }}{{if not ( .baseHref | strings.HasSuffix "/")}}/{{end}}sitemap_ {
         {{- tmpl.Exec "LOCATION_TEMPLATE_FOR_SITEMAP" . }}