Support for custom Permissions Policy HTTP header in Nginx #201

Closed
jessuppi opened this issue Apr 26, 2023 · 6 comments

@jessuppi
Member

This is an issue we knew would eventually need to be discussed, and here it is being requested:

https://slickstack.io/forum/topic/feature-policy-header-blocking-camera-request

It gets to a bigger issue, which is better support for "sub-config" files added under e.g. /etc/nginx/conf.d/. However, the official Nginx.com docs suggest feature-specific files, which doesn't really apply to SlickStack since it's mostly just http... their docs suggest child config files for e.g. http, events, stream, etc.

Ref: https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/

I think we need to be even narrower than that for SlickStack. For example maybe featurepolicy.conf to focus specifically on that HTTP header, since other HTTP headers will likely remain hardcoded in SlickStack...

@jessuppi
Member Author

jessuppi commented Apr 26, 2023

Since we are using a unique Nginx server blocks directory /var/www/sites/ we probably should ensure that any custom child config files are in a subdirectory there to avoid confusion.

For example like:

/var/www/sites/custom/

@jessuppi
Member Author

I was going back and forth on this but I don't think custom is a good subdirectory name. It sounds like maybe users could replace default server blocks with their own but that's not true, it's just for Nginx includes only.

So I'm proceeding with calling this /var/www/sites/includes/

91ac5a6

After a few Google searches it looks like Roots Trellis uses a similar folder name nginx-includes so that's good, at least some similar naming helps the community.

Ref: https://roots.io/trellis/docs/nginx-includes/

Still pending integration with SlickStack installer scripts and the main Nginx config file...

@jessuppi
Member Author

See here:

## pending testing ##
# include /var/www/sites/includes/featurepolicy.conf;

For better security/control perhaps we can include specific child includes only as they become approved by the community instead of just a wildcard include...

https://github.com/littlebizzy/slickstack/blob/master/modules/nginx/nginx-conf.txt

@jessuppi
Member Author

https://forum.nginx.org/read.php?11,256135

Hi, you may use the include directive with some glob() pattern tricks

For instance, replace this

include /path/to/something/nonexisting.conf

with

include /path/to/something/nonexisting[.]conf

the config parser won't complain if such file does not exist.

Not sure if still relevant.

@jessuppi
Member Author

jessuppi changed the title from "Support for custom feature policy HTTP header in Nginx" to "Support for custom Permissions Policy HTTP header in Nginx" on Apr 10, 2024
@jessuppi
Member Author

New default Permissions Policy submodule called perms-policy.conf

https://github.com/littlebizzy/slickstack/blob/master/modules/nginx/includes/perms-policy-conf.txt

You can now customize this in SlickStack. Simply edit your own file under /var/www/sites-includes/perms-policy.conf and SlickStack will validate that file during installation... if it's missing the string add_header Permissions-Policy then our default submodule will be installed in that file location instead.

Ref: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-install-nginx-config.txt
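
The validate-or-restore behaviour described in the comment above, as an added example that is not SlickStack's own installer code. The function names, the default header value and the `.rejected` backup are assumptions, and the check is stricter than a plain string match: it goes beyond what the comment describes by requiring an uncommented directive, since a commented-out line contains the string but sends no header.

```shell
#!/usr/bin/env bash
# Added example: validate a user-editable Permissions-Policy include and fall
# back to a default when it is unusable. Names and values are assumptions,
# not taken from SlickStack.

# Constructed default policy (placeholder, NOT SlickStack's shipped default).
DEFAULT_POLICY='add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;'

# Returns 0 if the file exists and has at least one active (uncommented)
# "add_header Permissions-Policy" directive.
has_active_policy() {
    [ -f "$1" ] && grep -Eq \
        '^[[:space:]]*add_header[[:space:]]+Permissions-Policy[[:space:]]' "$1"
}

# ensure_perms_policy <include-file>
# Echoes "kept" when the user's file passes validation, "restored" when the
# default had to be written in its place.
ensure_perms_policy() {
    local target="$1"
    if has_active_policy "$target"; then
        echo "kept"
        return 0
    fi
    # Preserve whatever was there so a rejected customization is not lost.
    [ -f "$target" ] && cp -p "$target" "$target.rejected"
    mkdir -p "$(dirname "$target")"
    printf '%s\n' "$DEFAULT_POLICY" > "$target"
    chmod 0644 "$target"
    echo "restored"
}
```

A string check like this only confirms the directive is present; running `nginx -t` before reloading is still what catches a syntactically broken include.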
