nginx: Don’t override HSTS, X-Frame-Options with other ‘add_header’s.

The nginx ‘add_header’ directive doesn’t inherit the way you’d
want (https://trac.nginx.org/nginx/ticket/854), so we need to manually
simulate inheritance using ‘include’, like we previously did with
api_headers.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>

puppet/zulip/files/nginx/zulip-include-common/api_headers

@@ -1,3 +1,4 @@
+include /etc/nginx/zulip-include/headers;
 add_header Access-Control-Allow-Origin * always;
 add_header Access-Control-Allow-Headers Authorization always;
 add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, PATCH, HEAD' always;

puppet/zulip/files/nginx/zulip-include-common/headers

@@ -0,0 +1,5 @@
+# Enable HSTS: tell browsers to always use HTTPS
+add_header Strict-Transport-Security max-age=15768000 always;
+
+# Set X-Frame-Options to deny to prevent clickjacking
+add_header X-Frame-Options DENY always;

puppet/zulip/files/nginx/zulip-include-frontend/app

@@ -1,11 +1,7 @@
 access_log /var/log/nginx/access.log;
 error_log /var/log/nginx/error.log;
 
-# Enable HSTS: tell browsers to always use HTTPS
-add_header Strict-Transport-Security max-age=15768000 always;
-
-# Set X-Frame-Options to deny to prevent clickjacking
-add_header X-Frame-Options DENY always;
+include /etc/nginx/zulip-include/headers;
 
 # Serve a custom error page when the app is down
 error_page 502 503 504 /static/webpack-bundles/5xx.html;

puppet/zulip/templates/nginx/zulip-enterprise.template.erb

@@ -24,6 +24,7 @@ server {
 
 <% if @no_serve_uploads == '' -%>
     location /user_avatars {
+        include /etc/nginx/zulip-include/headers;
         add_header X-Content-Type-Options nosniff;
         add_header Content-Security-Policy "default-src 'none' img-src 'self'";
         include /etc/nginx/zulip-include/uploads.types;