Your company's policies might require specific HTTP headers and values to be set based on a security audit or other requirements. You can use the steps in this article to add custom HTTP headers to NGINX to meet your security requirements.
Version and installation information
PE version: All supported versions
Solution
Caution: We provide support for headers that ship with Puppet Enterprise. HTTP headers in future versions of Puppet Enterprise might change. Adding custom headers that aren’t tested and shipped with Puppet Enterprise might result in unexpected behavior. As such, we are unable to provide support for any custom headers that you implement in your deployment.
To add custom headers to NGINX, complete all of the following steps on the master.
-
Define the headers in a separate file.
We'll use the custom module
nginxcustom
as an example, with the following location and structure:/etc/puppetlabs/code/environments/production/modules/nginxcustom
├── files │ └── headers.conf └── manifests └── init.pp
[root@pe-201920-master nginxcustom]# cat files/headers.conf #Custom headers add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection '1; mode=block'; add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload;';
-
Manage
headers.conf
with a file resource in Puppet. In source, point to the module that you’re using to manage your NGINXheaders.conf
file.[root@pe-201920-master nginxcustom]# cat manifests/init.pp
#File resource to create headers.conf
class nginxcustom {
file { '/etc/puppetlabs/nginx/headers.conf':
ensure => file,
group => 'root',
owner => 'root',
mode => '0644',
source =>'puppet:///modules/nginxcustom/headers.conf',
}
} -
In the same manifest, add the following to use
pe_nginx::directive
to include headers.conf in proxy.conf#Nginx directive to add include statement pe_nginx::directive { 'include custom headers': directive_ensure => 'present', target => '/etc/puppetlabs/nginx/conf.d/proxy.conf', directive_name => 'include', value => 'headers.conf', server_context => $::fqdn, } }
-
Run puppet:
puppet agent -t
If the custom headers are not generated, in header.conf
add the always
directive to the end of add_header directive
. For example:
add_header X-Frame-Options SAMEORIGIN always;
Learn more about the directive from NGINX’s documentation.
How can we improve this article?
0 comments
Please sign in to leave a comment.
Related articles