changeset 263:f99974dc0f1a

Add a way to skip setting CSP. NextCloud manages CSP itself, so we don't need the header in the PIM subdomain, where it causes confusion and incorrect results.
author IBBoard <dev@ibboard.co.uk>
date Sun, 29 Dec 2019 16:43:55 +0000
parents 241fbf45e6f3
children ea72ea1f7320
files modules/website/manifests/https.pp modules/website/manifests/https/multitld.pp modules/website/templates/https_core_conf.erb
diffstat 3 files changed, 17 insertions(+), 3 deletions(-) [+]
--- a/modules/website/manifests/https.pp	Sun Dec 29 11:00:05 2019 -0500
+++ b/modules/website/manifests/https.pp	Sun Dec 29 16:43:55 2019 +0000
@@ -16,7 +16,9 @@
     $force_no_www       = true,
     $force_no_index     = true,
     $lockdown_requests  = true,
+    $csp                = true,
     $csp_override       = undef,
+    $csp_report         = true,
     $csp_report_override = undef,
   ) {
 
@@ -37,8 +39,12 @@
     $primary_name = $name
   }
 
-  $csp_string = hash_to_csp($website::csp_base, $csp_override)
-  $csp_report_string = hash_to_csp($website::csp_report_base, $csp_report_override)
+  if $csp {
+    $csp_string = hash_to_csp($website::csp_base, $csp_override)
+  }
+  if $csp_report {
+    $csp_report_string = hash_to_csp($website::csp_report_base, $csp_report_override)
+  }
 
   $custom_conf0 = template('website/https_core_conf.erb')
 
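Review bot: When `$csp` is false, `$csp_string` is never assigned (and likewise `$csp_report_string` when `$csp_report` is false), so any reader of the variable outside the template's guard hits an unset variable, which is fatal under Puppet's `strict_variables`. A selector keeps the variable defined on both paths: `$csp_string = $csp ? { true => hash_to_csp($website::csp_base, $csp_override), default => undef }`, and the same shape for `$csp_report_string`. Disabling `$csp` also stops the template from emitting `upgrade-insecure-requests`, which shares the header, so the new `$csp` parameter in the earlier hunk deserves a comment such as `# Set false only when the application emits its own Content-Security-Policy; this also drops upgrade-insecure-requests`. The enclosing definition's header and the rest of its body lie outside this hunk.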
--- a/modules/website/manifests/https/multitld.pp	Sun Dec 29 11:00:05 2019 -0500
+++ b/modules/website/manifests/https/multitld.pp	Sun Dec 29 16:43:55 2019 +0000
@@ -12,7 +12,9 @@
   $custom_fragment = undef,
   $force_no_index  = undef,
   $force_no_www    = undef,
-  $csp_override       = undef,
+  $csp             = true,
+  $csp_override    = undef,
+  $csp_report      = true,
   $csp_report_override = undef,
   ) {
 
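Review bot: `$csp` and `$csp_report` default to `true` here, whereas the neighbouring pass-through parameters (`custom_fragment`, `force_no_index`, `force_no_www`) default to `undef` so that `website::https` supplies its own default; duplicating `true` in both manifests means a later change to the default in https.pp would silently not reach multi-TLD sites. `$csp             = undef,` and `$csp_report      = undef,` would keep a single source of truth, assuming the https.pp defaults are meant to govern (an explicit undef argument falls back to the parameter default in Puppet 4+). The enclosing definition's header and body are outside this hunk.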
@@ -45,7 +47,9 @@
     custom_fragment => $custom_fragment,
     force_no_index  => $force_no_index,
     force_no_www    => $force_no_www,
+    csp             => $csp,
     csp_override    => $csp_override,
+    csp_report      => $csp_report,
     csp_report_override => $csp_report_override,
   }
 }
--- a/modules/website/templates/https_core_conf.erb	Sun Dec 29 11:00:05 2019 -0500
+++ b/modules/website/templates/https_core_conf.erb	Sun Dec 29 16:43:55 2019 +0000
@@ -1,6 +1,10 @@
 Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
+<%- if @csp -%>
 Header always set Content-Security-Policy "upgrade-insecure-requests; <%= @csp_string %>"
+<%- end -%>
+<%- if @csp_report -%>
 Header always set Content-Security-Policy-Report-Only "<%= @csp_report_string %>"
+<%- end -%>
 Header always set X-Xss-Protection "1; mode=block"
 Header always set X-Content-Type-Options "nosniff"
 Header always set X-Frame-Options "SAMEORIGIN"
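Review bot: The `<%- if @csp -%>` guard removes `upgrade-insecure-requests` together with the site policy, and nothing in the template records that the application is now expected to send Content-Security-Policy itself, so the next reader of the generated Apache config sees a missing header with no explanation. A template comment above the guard makes the trade-off explicit, e.g. `<%# CSP is left to the application when @csp is false; this also drops upgrade-insecure-requests %>`. It is also worth confirming, outside this diff, that every site deployed with `csp => false` really serves a CSP from the application, since the header is simply omitted here rather than replaced.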