Edit headers core plugins to use lua Code + Add new setting KEEP_UPSTREAM_HEADERS

src/common/core/headers/confs/server-http/cookies.conf

@@ -0,0 +1,9 @@
+{% for k, v in all.items() %}
+	{% if k.startswith("COOKIE_FLAGS") and v != "" +%}
+		{% if COOKIE_AUTO_SECURE_FLAG == "yes" and (AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes") +%}
+			set_cookie_flag {{ v }} secure;
+		{% else +%}
+			set_cookie_flag {{ v }};
+		{% endif +%}
+	{% endif +%}
+{% endfor %}

src/common/core/headers/confs/server-http/custom-headers.conf

@@ -1,5 +0,0 @@
-{% for k, v in all.items() +%}
-	{% if k.startswith("CUSTOM_HEADER") and v != "" +%}
-more_set_headers "{{ v }}";
-	{% endif %}
-{% endfor %}

src/common/core/headers/confs/server-http/remove-headers.conf

@@ -1,5 +0,0 @@
-{% if REMOVE_HEADERS != "" %}
-	{% for header in REMOVE_HEADERS.split(" ") +%}
-more_clear_headers '{{ header }}';
-	{% endfor %}
-{% endif %}

src/common/core/headers/confs/server-http/security-headers.conf

@@ -1,41 +0,0 @@
-{% if STRICT_TRANSPORT_SECURITY != "" and (AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes") +%}
-more_set_headers "Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}";
-{% endif +%}
-
-{% for k, v in all.items() %}
-	{% if k.startswith("COOKIE_FLAGS") and v != "" +%}
-		{% if COOKIE_AUTO_SECURE_FLAG == "yes" and (AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes") +%}
-			set_cookie_flag {{ v }} secure;
-		{% else +%}
-			set_cookie_flag {{ v }};
-		{% endif +%}
-	{% endif +%}
-{% endfor %}
-
-{% if CONTENT_SECURITY_POLICY != "" +%}
-more_set_headers "Content-Security-Policy: {{ CONTENT_SECURITY_POLICY }}";
-{% endif +%}
-
-{% if REFERRER_POLICY != "" +%}
-more_set_headers "Referrer-Policy: {{ REFERRER_POLICY }}";
-{% endif +%}
-
-{% if PERMISSIONS_POLICY != "" +%}
-more_set_headers "Permissions-Policy: {{ PERMISSIONS_POLICY }}";
-{% endif +%}
-
-{% if FEATURE_POLICY != "" +%}
-more_set_headers "Feature-Policy: {{ FEATURE_POLICY }}";
-{% endif +%}
-
-{% if X_FRAME_OPTIONS != "" +%}
-more_set_headers "X-Frame-Options: {{ X_FRAME_OPTIONS }}";
-{% endif +%}
-
-{% if X_CONTENT_TYPE_OPTIONS != "" +%}
-more_set_headers "X-Content-Type-Options: {{ X_CONTENT_TYPE_OPTIONS }}";
-{% endif +%}
-
-{% if X_XSS_PROTECTION != "" +%}
-more_set_headers "X-XSS-Protection: {{ X_XSS_PROTECTION }}";
-{% endif +%}

src/common/core/headers/headers.lua

@@ -0,0 +1,70 @@
+local class  = require "middleclass"
+local plugin = require "bunkerweb.plugin"
+local utils  = require "bunkerweb.utils"
+
+local headers   = class("headers", plugin)
+
+function headers:initialize()
+	-- Call parent initialize
+	plugin.initialize(self, "headers")
+	self.all_headers = {
+		["STRICT_TRANSPORT_SECURITY"] = "Strict-Transport-Security",
+    ["CONTENT_SECURITY_POLICY"] = "Content-Security-Policy",
+    ["REFERRER_POLICY"] = "Referrer-Policy",
+    ["PERMISSIONS_POLICY"] = "Permissions-Policy",
+    ["FEATURE_POLICY"] = "Feature-Policy",
+    ["X_FRAME_OPTIONS"] = "X-Frame-Options",
+    ["X_CONTENT_TYPE_OPTIONS"] = "X-Content-Type-Options",
+    ["X_XSS_PROTECTION"] = "X-XSS-Protection"
+	}
+end
+
+function headers:header()
+	-- Override upstream headers if needed
+	for variable, header in pairs(self.all_headers) do
+    if ngx.header[header] == nil or self.variables[variable] and self.variables["KEEP_UPSTREAM_HEADERS"] ~= "*" and utils.regex_match(self.variables["KEEP_UPSTREAM_HEADERS"], "(^| )" .. header .. "($| )") == nil then
+      if header ~= "Strict-Transport-Security" or self.variables["AUTO_LETS_ENCRYPT"] == "yes" or self.variables["USE_CUSTOM_SSL"] == "yes" or self.variables["GENERATE_SELF_SIGNED_SSL"] == "yes" then
+        ngx.header[header] = self.variables[variable]
+      end
+    end
+	end
+  -- Get variables
+	local variables, err = utils.get_multiple_variables({ "CUSTOM_HEADER" })
+  if variables == nil then
+		return self:ret(false, err)
+	end
+  -- Add custom headers
+  for srv, vars in pairs(variables) do
+    if srv == ngx.var.server_name then
+      for var, value in pairs(vars) do
+        if utils.regex_match(var, "CUSTOM_HEADER") and value then
+          local m = utils.regex_match(value, "([\\w-]+): ([^,]+)")
+          if m then
+            ngx.header[m[1]] = m[2]
+          end
+        end
+      end
+    end
+  end
+  -- Remove headers
+  if self.variables["REMOVE_HEADERS"] then
+    local iterator, err = ngx.re.gmatch(self.variables["REMOVE_HEADERS"], "([\\w-]+)")
+    if not iterator then
+        return self:ret(false, "Error while matching remove headers: " .. err)
+    end
+    while true do
+      local m, err = iterator()
+      if err then
+          return self:ret(false, "Error while matching remove headers: " .. err)
+      end
+      if not m then
+          -- No more remove headers
+          break
+      end
+      ngx.header[m[1]] = nil
+    end
+  end
+	return self:ret(true, "Edited headers for request")
+end
+
+return headers

src/common/core/headers/plugin.json

@@ -11,7 +11,7 @@
       "help": "Custom header to add (HeaderName: HeaderValue).",
       "id": "custom-header",
       "label": "Custom header (HeaderName: HeaderValue)",
-      "regex": "^([\\w-]+: .+)?$",
+      "regex": "^([\\w-]+: [^,]+)?$",
       "type": "text",
       "multiple": "custom-headers"
     },
@@ -24,6 +24,15 @@
       "regex": "^(?! )( ?[\\w-]+)*$",
       "type": "text"
     },
+    "KEEP_UPSTREAM_HEADERS": {
+      "context": "multisite",
+      "default": "*",
+      "help": "Headers to keep from upstream (Header1 Header2 Header3 ... or * for all).",
+      "id": "keep-upstream-headers",
+      "label": "Keep upstream headers",
+      "regex": "^((?! )( ?[\\w-]+)+|\\*)?$",
+      "type": "text"
+    },
     "STRICT_TRANSPORT_SECURITY": {
       "context": "multisite",
       "default": "max-age=31536000",