From 06e7d4ec191fa93939df30407b8c980ab567046c Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Fri, 3 Apr 2020 16:52:02 -0700
Subject: [PATCH] =?UTF-8?q?nginx:=20Don=E2=80=99t=20override=20HSTS,=20X-F?=
 =?UTF-8?q?rame-Options=20with=20other=20=E2=80=98add=5Fheader=E2=80=99s.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The nginx ‘add_header’ directive doesn’t inherit the way you’d want (https://trac.nginx.org/nginx/ticket/854), so we need to manually simulate inheritance using ‘include’, like we previously did with api_headers.

Signed-off-by: Anders Kaseorg
---
 puppet/zulip/files/nginx/zulip-include-common/api_headers | 1 +
 puppet/zulip/files/nginx/zulip-include-common/headers | 5 +++++
 puppet/zulip/files/nginx/zulip-include-frontend/app | 6 +-----
 puppet/zulip/templates/nginx/zulip-enterprise.template.erb | 1 +
 4 files changed, 8 insertions(+), 5 deletions(-)
 create mode 100644 puppet/zulip/files/nginx/zulip-include-common/headers

diff --git a/puppet/zulip/files/nginx/zulip-include-common/api_headers b/puppet/zulip/files/nginx/zulip-include-common/api_headers
index b662a900d8..eb840b4f90 100644
--- a/puppet/zulip/files/nginx/zulip-include-common/api_headers
+++ b/puppet/zulip/files/nginx/zulip-include-common/api_headers
@@ -1,3 +1,4 @@
+include /etc/nginx/zulip-include/headers;
 add_header Access-Control-Allow-Origin * always;
 add_header Access-Control-Allow-Headers Authorization always;
 add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, PATCH, HEAD' always;
diff --git a/puppet/zulip/files/nginx/zulip-include-common/headers b/puppet/zulip/files/nginx/zulip-include-common/headers
new file mode 100644
index 0000000000..0c9d4c2caf
--- /dev/null
+++ b/puppet/zulip/files/nginx/zulip-include-common/headers
@@ -0,0 +1,5 @@
+# Enable HSTS: tell browsers to always use HTTPS
+add_header Strict-Transport-Security max-age=15768000 always;
+
+# Set X-Frame-Options to deny to prevent clickjacking
+add_header X-Frame-Options DENY always;
diff --git a/puppet/zulip/files/nginx/zulip-include-frontend/app b/puppet/zulip/files/nginx/zulip-include-frontend/app
index 938d5805bc..dfa79bc3ee 100644
--- a/puppet/zulip/files/nginx/zulip-include-frontend/app
+++ b/puppet/zulip/files/nginx/zulip-include-frontend/app
@@ -1,11 +1,7 @@
 access_log /var/log/nginx/access.log;
 error_log /var/log/nginx/error.log;
 
-# Enable HSTS: tell browsers to always use HTTPS
-add_header Strict-Transport-Security max-age=15768000 always;
-
-# Set X-Frame-Options to deny to prevent clickjacking
-add_header X-Frame-Options DENY always;
+include /etc/nginx/zulip-include/headers;
 
 # Serve a custom error page when the app is down
 error_page 502 503 504 /static/webpack-bundles/5xx.html;
diff --git a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
index 37946ce027..c5004be894 100644
--- a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
+++ b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
@@ -24,6 +24,7 @@ server {
 
 <% if @no_serve_uploads == '' -%>
 location /user_avatars {
+ include /etc/nginx/zulip-include/headers;
 add_header X-Content-Type-Options nosniff;
 add_header Content-Security-Policy "default-src 'none' img-src 'self'";
 include /etc/nginx/zulip-include/uploads.types;
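Review bot: The new headers file should say why it exists, because the reason is the whole point of the commit and is not visible from the file itself: nginx add_header stops inheriting as soon as a block sets its own add_header, so every block that adds a header must include this file, and a future location that forgets will silently ship without HSTS or X-Frame-Options. I'd open the file with `# Included by every block that uses add_header: nginx add_header does not inherit once a block sets its own (trac.nginx.org/ticket/854).` Separately, `max-age=15768000` is six months with neither includeSubDomains nor preload; that can be a deliberate choice for self-hosted installs whose other subdomains may not serve TLS, but the comment should record it as deliberate so the value is not raised to the preload-list requirements (one year plus includeSubDomains) without first checking what else lives on the domain.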
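Review bot: The Content-Security-Policy value on the context line below the added include, `"default-src 'none' img-src 'self'"`, has no `;` between the two directives, so as I read the CSP source-list grammar browsers treat it as one default-src directive whose source list is `'none' img-src 'self'`; 'none' next to other sources is ignored and `img-src` is read as a host name, which leaves avatars served under roughly `default-src 'self'` rather than the intended image-only policy. That line predates this commit, but since the commit is revisiting which headers this location sends it is the moment to fix it: `add_header Content-Security-Policy "default-src 'none'; img-src 'self'";`. Note also that the two location-specific add_header lines lack `always` while the included HSTS and X-Frame-Options carry it, so nginx-generated error responses from this location get the latter but not the former; adding `always` to both would make the set consistent. If other location blocks in this template or the frontend includes set their own add_header they need the same include, which I cannot confirm from the hunk; the enclosing server block starts and ends outside it.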