feat: add custom response headers with NGINX

.vscode/intershop.txt

@@ -79,6 +79,7 @@ keyvalue
 kubernetes
 lessthan
 logformat
+loglevel
 maxlength
 mergeable
 minibasket

docker-compose.yml

@@ -109,6 +109,9 @@ services:
           - baseHref: /b2c
             channel: default
             theme: b2c
+      # ADDITIONAL_HEADERS: |
+      #   headers:
+      #     - X-Frame-Options: 'SAMEORIGIN'
 
     # Logging to an External Device (see logging.md)
     # volumes:

docs/guides/nginx-startup.md

@@ -136,6 +136,26 @@ Alternatively, the source can be supplied by setting `OVERRIDE_IDENTITY_PROVIDER
 
 If no environment variable is set, this feature is disabled.
 
+### Add additional headers
+
+For some security or functional reasons it is necessary to add additional headers to page responses.
+To make such headers configurable, the environment variable `ADDITIONAL_HEADERS` is introduced.
+
+```yaml
+nginx:
+  environment:
+    ADDITIONAL_HEADERS: |
+      headers:
+        - header-a: 'value-a'
+        - header-b: 'value-b'
+```
+
+Alternatively, the source can be supplied by setting `ADDITIONAL_HEADERS_SOURCE` in any [supported format by gomplate](https://docs.gomplate.ca/datasources/).
+
+For every entry nginx will add this header to every possible response.
+
+To make the additional headers available during build-time, the value for the environment variable `ADDITIONAL_HEADERS` can be put into the [additional-headers.yaml](../../nginx/additional-headers.yaml) file.
+
 ### Other
 
 Built-in features can be enabled and disabled:

nginx/additional-headers.yaml

@@ -0,0 +1 @@
+headers:

nginx/docker-entrypoint.d/40-gomplate.sh

@@ -29,4 +29,14 @@ then
   fi
 fi
 
-/gomplate -d "domains=$MULTI_CHANNEL_SOURCE" -d "overrideIdentityProviders=$OVERRIDE_IDENTITY_PROVIDERS_SOURCE" -d "cachingIgnoreParams=$CACHING_IGNORE_PARAMS_SOURCE" -d 'ipwhitelist=env:///BASIC_AUTH_IP_WHITELIST?type=application/yaml' --input-dir="/etc/nginx/templates" --output-map='/etc/nginx/conf.d/{{ .in | strings.ReplaceAll ".conf.tmpl" ".conf" }}'
+if [ -z "$ADDITIONAL_HEADERS_SOURCE" ]
+then
+  if [ -z "$ADDITIONAL_HEADERS" ]
+  then
+    ADDITIONAL_HEADERS_SOURCE="./additional-headers.yaml"
+  else
+    ADDITIONAL_HEADERS_SOURCE="env:///ADDITIONAL_HEADERS?type=application/yaml"
+  fi
+fi
+
+/gomplate -d "domains=$MULTI_CHANNEL_SOURCE" -d "overrideIdentityProviders=$OVERRIDE_IDENTITY_PROVIDERS_SOURCE" -d "cachingIgnoreParams=$CACHING_IGNORE_PARAMS_SOURCE" -d "additionalHeaders=$ADDITIONAL_HEADERS_SOURCE" -d 'ipwhitelist=env:///BASIC_AUTH_IP_WHITELIST?type=application/yaml' --input-dir="/etc/nginx/templates" --output-map='/etc/nginx/conf.d/{{ .in | strings.ReplaceAll ".conf.tmpl" ".conf" }}'

nginx/templates/add-header.conf.tmpl

@@ -0,0 +1,7 @@
+{{ $headers := (datasource "additionalHeaders").headers -}}
+
+{{- range $headers }}
+  {{- range $key, $val := (.) }}
+    add_header {{ $key }} "{{ $val }}";
+  {{- end}}
+{{- end }}

nginx/templates/multi-channel.conf.tmpl

@@ -161,6 +161,7 @@ server {
   {{ if (has $mapping "channel") }}
     location / {
         {{- tmpl.Exec "LOCATION_TEMPLATE" $mapping }}
+        include /etc/nginx/conf.d/add-header.conf;
     }
     location ^~ /sitemap_ {
         {{- tmpl.Exec "LOCATION_TEMPLATE_FOR_SITEMAP" $mapping }}
@@ -169,6 +170,7 @@ server {
     {{ range $mapping }}
     location {{ .baseHref }} {
         {{- tmpl.Exec "LOCATION_TEMPLATE" . }}
+        include /etc/nginx/conf.d/add-header.conf;
     }
     location ^~ {{ .baseHref }}{{if not ( .baseHref | strings.HasSuffix "/")}}/{{end}}sitemap_ {
         {{- tmpl.Exec "LOCATION_TEMPLATE_FOR_SITEMAP" . }}