From b7a8bc465f15ab633648fce0c956ecae6b36f017 Mon Sep 17 00:00:00 2001
From: vjrj
Date: Thu, 13 Feb 2020 10:39:40 +0100
Subject: [PATCH 1/3] Added CORS fragment. Fix for #225
---
 ansible/roles/nginx_vhost/defaults/main.yml | 5 ++
 ansible/roles/nginx_vhost/tasks/main.yml | 28 +++++++++
 .../roles/nginx_vhost/templates/ala_cors.j2 | 57 +++++++++++++++++++
 .../templates/fragment_74_location_cors.j2 | 3 +
 4 files changed, 93 insertions(+)
 create mode 100644 ansible/roles/nginx_vhost/templates/ala_cors.j2
 create mode 100644 ansible/roles/nginx_vhost/templates/fragment_74_location_cors.j2
diff --git a/ansible/roles/nginx_vhost/defaults/main.yml b/ansible/roles/nginx_vhost/defaults/main.yml
index b2063ce97..850a77a30 100644
--- a/ansible/roles/nginx_vhost/defaults/main.yml
+++ b/ansible/roles/nginx_vhost/defaults/main.yml
@@ -89,3 +89,8 @@ nginx_rate_limit_size: "10m"
 nginx_rate_limit: "300r/m"
 # Default to a burst of 80, tune this in conjunction with nginx_rate_limit
 nginx_rate_limit_burst: "80"
+
+# Set this to configure cors to some regexp
+# Test your regexp of type PCRE with a tool like https://www.regextester.com/
+# Sample: ^https?:\/\/(localhost|l-a\.site|.*\.l-a\.site)
+# nginx_cors_origin_regexp: '^https?:\/\/(localhost|l-a\.site|.*\.l-a\.site)'
diff --git a/ansible/roles/nginx_vhost/tasks/main.yml b/ansible/roles/nginx_vhost/tasks/main.yml
index 6b86934f5..13b186fe9 100644
--- a/ansible/roles/nginx_vhost/tasks/main.yml
+++ b/ansible/roles/nginx_vhost/tasks/main.yml
@@ -146,6 +146,14 @@
 tags:
 - nginx_vhost
+- name: copy cors configuration if required
+ template:
+ src: "ala_cors.j2"
+ dest: "{{nginx_conf_dir}}/conf.d/ala_cors"
+ when: nginx_cors_origin_regexp is defined
+ tags:
+ - nginx_vhost
+
 - name: add upstream fragment
 template:
 src: "fragment_02_upstream.j2"
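Review bot: The sample pattern in the new comment lines, `^https?:\/\/(localhost|l-a\.site|.*\.l-a\.site)`, is anchored only at the start, so once it is copied into `nginx_cors_origin_regexp` an Origin such as `https://l-a.site.example` or `https://localhost.example` also matches; the same sample is repeated in the comment inside `ala_cors.j2`. An Origin header carries only scheme, host and optional port, so the sample can safely be closed at the end: `# Sample: ^https?:\/\/(localhost|l-a\.site|.*\.l-a\.site)(:[0-9]+)?$`. It would also help to say in the comment that the template applies the pattern with `~*`, i.e. case-insensitively, since that is not visible from the defaults file.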
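Review bot: The `when: nginx_cors_origin_regexp is defined` guard on the new `copy cors configuration if required` task still renders `ala_cors` when the variable is set to an empty string, whereas the fragment template additionally checks `nginx_cors_origin_regexp|length > 0`; an empty PCRE pattern matches any value, so a rendered file with `~* ''` would treat every origin as allowed if it were ever included on its own. Aligning the guard, `when: nginx_cors_origin_regexp is defined and nginx_cors_origin_regexp | length > 0`, keeps the task and the template consistent. The two `add cors fragment if required` tasks in the following hunks use the same bare `is defined` test and would take the same change.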
@@ -273,6 +281,16 @@
 tags:
 - nginx_vhost
+- name: add cors fragment if required
+ template:
+ src: "fragment_74_location_cors.j2"
+ dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_70_location_{{ item.sort_label | default(item.path | basename) }}_74_cors"
+ with_items:
+ - "{{ nginx_paths}} "
+ when: (ssl | bool == False or (ssl | bool == True and force_https | bool == False)) and vhost_required | bool == True and nginx_cors_origin_regexp is defined
+ tags:
+ - nginx_vhost
+
 # if not ssl or (ssl and not force_https): copy (75 per path) http
 # basename filter returns last part of path e.g. for /ws returns ws, for / returns empty
 - name: if not using force_https, add location http fragments
@@ -354,6 +372,16 @@
 tags:
 - nginx_vhost
+- name: add cors fragment if required
+ template:
+ src: "fragment_74_location_cors.j2"
+ dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/https_70_location_{{ item.sort_label | default(item.path | basename) }}_74_cors"
+ with_items:
+ - "{{ nginx_paths}} "
+ when: ssl | bool == True and vhost_required | bool == True and nginx_cors_origin_regexp is defined
+ tags:
+ - nginx_vhost
+
 # if ssl, copy (75 per path) https
 # example https location for /ws path: /etc/nginx/vhost_fragments/bie-test.ala.org.au/https_75_location_end_ws
 # basename filter returns last part of path e.g. for /ws returns ws, for / returns empty
diff --git a/ansible/roles/nginx_vhost/templates/ala_cors.j2 b/ansible/roles/nginx_vhost/templates/ala_cors.j2
new file mode 100644
index 000000000..f0f6e1064
--- /dev/null
+++ b/ansible/roles/nginx_vhost/templates/ala_cors.j2
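Review bot: Both new tasks, the one in this hunk and the one in the next hunk (`@@ -354,6 +372,16 @@`), are named `add cors fragment if required`, so play output cannot tell the http fragment from the https one; `- name: add cors fragment if required (http)` and `- name: add cors fragment if required (https)` cost nothing and make a failed run readable. The `with_items` entry `"{{ nginx_paths}} "` has a space inside the quotes after the closing braces, which makes the templated value a string rather than the list itself and presumably relies on Ansible turning it back into a list; if this is copied from the existing location-fragment tasks it is at least consistent, but `- "{{ nginx_paths }}"` is the unambiguous form for both hunks.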
@@ -0,0 +1,57 @@
+# Allow static fonts
+location ~* .(eot|otf|svg|ttf|woff|woff2)$ {
+ add_header Access-Control-Allow-Origin *;
+}
+
+set $cors '';
+
+# Test your regexp of type PCRE with a tool like https://www.regextester.com/
+# Sample: ^https?:\/\/(localhost|l-a\.site|.*\.l-a\.site)
+if ($http_origin ~* '{{ nginx_cors_origin_regexp }}') {
+ set $cors 'C';
+}
+
+# As multiple ifs are not allowed we follow this option
+# http://rosslawley.co.uk/archive/old/2010/01/04/nginx-how-to-multiple-if-statements/
+
+if ($request_method = GET) {
+ set $cors '${cors}GET';
+}
+
+if ($request_method = POST) {
+ set $cors '${cors}POST';
+}
+
+if ($request_method = OPTIONS) {
+ set $cors '${cors}OPTIONS';
+}
+
+# This is modified version of: https://enable-cors.org/server_nginx.html restricting to previous regexp
+
+if ($cors = COPTIONS) {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+}
+if ($cors = CPOST) {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+}
+if ($cors = CGET) {
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 
'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+}
diff --git a/ansible/roles/nginx_vhost/templates/fragment_74_location_cors.j2 b/ansible/roles/nginx_vhost/templates/fragment_74_location_cors.j2
new file mode 100644
index 000000000..5896c9a1b
--- /dev/null
+++ b/ansible/roles/nginx_vhost/templates/fragment_74_location_cors.j2
@@ -0,0 +1,3 @@
+{% if nginx_cors_origin_regexp is defined and nginx_cors_origin_regexp|length > 0 %}
+ include /etc/nginx/conf.d/ala_cors;
+{% endif %}
From f7009c16c67cbb384658b83b92eeb28fb31bb019 Mon Sep 17 00:00:00 2001
From: vjrj
Date: Fri, 13 Mar 2020 11:00:52 +0100
Subject: [PATCH 2/3] Added new var following @ansell review
---
 ansible/roles/nginx_vhost/defaults/main.yml | 2 ++
 ansible/roles/nginx_vhost/tasks/main.yml | 2 +-
 ansible/roles/nginx_vhost/templates/ala_cors.j2 | 12 ++++++------
 .../templates/fragment_74_location_cors.j2 | 2 +-
 4 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/ansible/roles/nginx_vhost/defaults/main.yml b/ansible/roles/nginx_vhost/defaults/main.yml
index 850a77a30..b5a4f3c85 100644
--- a/ansible/roles/nginx_vhost/defaults/main.yml
+++ b/ansible/roles/nginx_vhost/defaults/main.yml
@@ -94,3 +94,5 @@ nginx_rate_limit_burst: "80"
 # Test your regexp of type PCRE with a tool like https://www.regextester.com/
 # Sample: ^https?:\/\/(localhost|l-a\.site|.*\.l-a\.site)
 # nginx_cors_origin_regexp: '^https?:\/\/(localhost|l-a\.site|.*\.l-a\.site)'
+nginx_cors_headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"
+nginx_cors_methods: "GET, POST, OPTIONS"
diff --git a/ansible/roles/nginx_vhost/tasks/main.yml b/ansible/roles/nginx_vhost/tasks/main.yml
index 13b186fe9..b220d4948 100644
--- a/ansible/roles/nginx_vhost/tasks/main.yml
+++ b/ansible/roles/nginx_vhost/tasks/main.yml
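Review bot: Once `$http_origin` has passed the regexp test, every branch still answers `Access-Control-Allow-Origin '*'` and no `Vary: Origin` is emitted, so a response cached by a proxy or CDN can be replayed to an origin the regexp would have rejected, and the `*` value also rules out credentialed requests; echoing the matched origin, `add_header 'Access-Control-Allow-Origin' $http_origin always;` together with `add_header 'Vary' 'Origin' always;`, keeps the restriction effective through caches. nginx inherits `add_header` from the enclosing level only when the current level defines none, so the `add_header` lines inside these `if` blocks drop whatever headers (HSTS and similar) the surrounding location or server sets on every matching response — worth a comment on the `# This is modified version of` line, or re-declaring those headers here. The font block `location ~* .(eot|otf|svg|ttf|woff|woff2)$` leaves the dot unescaped, so it matches any character before the extension; `location ~* \.(eot|otf|svg|ttf|woff|woff2)$ {` is what is meant. Only the `CGET` branch uses `always`, so 4xx/5xx responses to POST and to preflight requests go out without CORS headers and surface in the browser as an opaque CORS error rather than the real status.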
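Review bot: The include path `/etc/nginx/conf.d/ala_cors` is hard-coded while the task that writes the file uses `{{nginx_conf_dir}}/conf.d/ala_cors`, so a deployment with a different `nginx_conf_dir` fails `nginx -t` on a missing include; `include {{ nginx_conf_dir }}/conf.d/ala_cors;` keeps the two in step. The second commit's hunk on this file (`@@ -1,3 +1,3 @@`, adding the `_{{appname}}` suffix) keeps the hard-coded prefix, so the same change applies there.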
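Review bot: `nginx_cors_headers` and `nginx_cors_methods` are added without the explanatory comment the neighbouring variables carry, and both values are rendered verbatim inside single-quoted nginx strings in `ala_cors.j2`, so a value containing a quote breaks the generated config. A comment above the two lines such as `# Comma-separated lists rendered verbatim into Access-Control-Allow-Headers / Access-Control-Allow-Methods; header and method names only, no quotes` documents both the format and that limitation.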
@@ -149,7 +149,7 @@
 - name: copy cors configuration if required
 template:
 src: "ala_cors.j2"
- dest: "{{nginx_conf_dir}}/conf.d/ala_cors"
+ dest: "{{nginx_conf_dir}}/conf.d/ala_cors_{{appname}"
 when: nginx_cors_origin_regexp is defined
 tags:
 - nginx_vhost
diff --git a/ansible/roles/nginx_vhost/templates/ala_cors.j2 b/ansible/roles/nginx_vhost/templates/ala_cors.j2
index f0f6e1064..b5ac2a3dd 100644
--- a/ansible/roles/nginx_vhost/templates/ala_cors.j2
+++ b/ansible/roles/nginx_vhost/templates/ala_cors.j2
@@ -30,11 +30,11 @@ if ($request_method = OPTIONS) {
 if ($cors = COPTIONS) {
 add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_methods }}';
 #
 # Custom headers and headers various browsers *should* be OK with but aren't
 #
- add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_headers }}';
 #
 # Tell client that this pre-flight info is valid for 20 days
 #
@@ -45,13 +45,13 @@ if ($cors = COPTIONS) {
 }
 if ($cors = CPOST) {
 add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_methods }}';
+ add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_headers }}';
 add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
 }
 if ($cors = CGET) {
 add_header 'Access-Control-Allow-Origin' '*' always;
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_methods }}';
+ add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_headers }}';
 add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
 }
diff --git a/ansible/roles/nginx_vhost/templates/fragment_74_location_cors.j2 b/ansible/roles/nginx_vhost/templates/fragment_74_location_cors.j2
index 5896c9a1b..35bef21f0 100644
--- a/ansible/roles/nginx_vhost/templates/fragment_74_location_cors.j2
+++ b/ansible/roles/nginx_vhost/templates/fragment_74_location_cors.j2
@@ -1,3 +1,3 @@
 {% if nginx_cors_origin_regexp is defined and nginx_cors_origin_regexp|length > 0 %}
- include /etc/nginx/conf.d/ala_cors;
+ include /etc/nginx/conf.d/ala_cors_{{appname}};
 {% endif %}
From 583b4480eaf92301c8bc010028390b1ffa39b151 Mon Sep 17 00:00:00 2001
From: vjrj
Date: Thu, 19 Mar 2020 19:25:19 +0100
Subject: [PATCH 3/3] Added missing bracket
---
 ansible/roles/nginx_vhost/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/roles/nginx_vhost/tasks/main.yml b/ansible/roles/nginx_vhost/tasks/main.yml
index b220d4948..220c1326f 100644
--- a/ansible/roles/nginx_vhost/tasks/main.yml
+++ b/ansible/roles/nginx_vhost/tasks/main.yml
@@ -149,7 +149,7 @@
 - name: copy cors configuration if required
 template:
 src: "ala_cors.j2"
- dest: "{{nginx_conf_dir}}/conf.d/ala_cors_{{appname}"
+ dest: "{{nginx_conf_dir}}/conf.d/ala_cors_{{appname}}"
 when: nginx_cors_origin_regexp is defined
 tags:
 - nginx_vhost