Merge pull request #1 from mattk42/referrer-policy

Feat(router): Add ability to set Referrer-Policy header globally and per application.

Author: Cryptophobia

README.md

@@ -273,6 +273,7 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`.  A
 | <a name="proxy-buffers-number"></a>deis-router | deployment | [router.deis.io/nginx.proxyBuffers.number](#proxy-buffers-number) | `"8"` | `number` argument to the nginx `proxy_buffers` directive for all applications (this can be overridden on an application basis). |
 | <a name="proxy-buffers-size"></a>deis-router | deployment | [router.deis.io/nginx.proxyBuffers.size](#proxy-buffers-size) | `"4k"` | `size` argument to the nginx `proxy_buffers` directive expressed in bytes (no suffix), kilobytes (suffixes `k` and `K`), or megabytes (suffixes `m` and `M`). This setting applies to all applications, but can be overridden on an application basis. |
 | <a name="proxy-buffers-busy-size"></a>deis-router | deployment | [router.deis.io/nginx.proxyBuffers.busySize](#proxy-buffers-busy-size) | `"8k"` | nginx `proxy_busy_buffers_size` expressed in bytes (no suffix), kilobytes (suffixes `k` and `K`), or megabytes (suffixes `m` and `M`). This setting applies to all applications, but can be overridden on an application basis. |
+| <a neme="referrer-policy"></a>deis-router | deployment | [router.deis.io/nginx.referrerPolicy](#referrer-policy) | `""` | The Referrer-Policy header to send for all apps. |
 | <a name="builder-connect-timeout"></a>deis-builder | service | [router.deis.io/nginx.connectTimeout](#builder-connect-timeout) | `"10s"` | nginx `proxy_connect_timeout` setting expressed in units `ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `y`. |
 | <a name="builder-tcp-timeout"></a>deis-builder | service | [router.deis.io/nginx.tcpTimeout](#builder-tcp-timeout) | `"1200s"` | nginx `proxy_timeout` setting expressed in units `ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `y`. |
 | <a name="app-domains"></a>routable application | service | [router.deis.io/domains](#app-domains) | N/A | Comma-delimited list of domains for which traffic should be routed to the application.  These may be fully qualified (e.g. `foo.example.com`) or, if not containing any `.` character, will be considered subdomains of the router's domain, if that is defined. |
@@ -288,6 +289,7 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`.  A
 | <a name="app-nginx-proxy-buffers-number"></a>routable application | service | [router.deis.io/nginx.proxyBuffers.number](#app-nginx-proxy-buffers-number) | `"8"` | `number` argument to the nginx `proxy_buffers` directive. This can be used to override the same option set globally on the router. |
 | <a name="app-nginx-proxy-buffers-size"></a>routable application | service | [router.deis.io/nginx.proxyBuffers.size](#app-nginx-proxy-buffers-size) | `"4k"` | `size` argument to the nginx `proxy_buffers` directive expressed in bytes (no suffix), kilobytes (suffixes `k` and `K`), or megabytes (suffixes `m` and `M`). This can be used to override the same option set globally on the router. |
 | <a name="app-nginx-proxy-buffers-busy-size"></a>routable application | service | [router.deis.io/nginx.proxyBuffers.busySize](#app-nginx-proxy-buffers-busy-size) | `"8k"` | nginx `proxy_busy_buffers_size` expressed in bytes (no suffix), kilobytes (suffixes `k` and `K`), or megabytes (suffixes `m` and `M`). This can be used to override the same option set globally on the router. |
+| <a neme="app-referrer-policy"></a>routable application | service | [router.deis.io/referrerPolicy](#referrer-policy) | `""` | The Referrer-Policy header to send for this specific application. Overrides the global setting if necessary. |
 |<a name="app-proxy-locations"></a>routable application | service | [router.deis.io/proxyLocations](#app-proxy-locations) | N/A | A list of locations of this service to plug-in into another service determined by `router.deis.io/proxyDomain`  (see example below)  |
 |<a name="app-proxy-domain"></a>routable application | service | [router.deis.io/proxyDomain](#app-proxy-domain) | N/A | A reference to another service to plug-in `router.deis.io/proxyLocations` to (see example below) |
 

model/model.go

@@ -72,6 +72,7 @@ type RouterConfig struct {
 	HTTP2Enabled             bool                `key:"http2Enabled" constraint:"(?i)^(true|false)$"`
 	LogFormat                string              `key:"logFormat"`
 	ProxyBuffersConfig       *ProxyBuffersConfig `key:"proxyBuffers"`
+	ReferrerPolicy           string              `key:"referrerPolicy" constraint:"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url|none)$"`
 }
 
 func newRouterConfig() (*RouterConfig, error) {
@@ -107,6 +108,7 @@ func newRouterConfig() (*RouterConfig, error) {
 		HTTP2Enabled:             true,
 		LogFormat:                `[$time_iso8601] - $app_name - $remote_addr - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time`,
 		ProxyBuffersConfig:       proxyBuffersConfig,
+		ReferrerPolicy:           "",
 	}, nil
 }
 
@@ -149,6 +151,7 @@ type AppConfig struct {
 	Certificates   map[string]*Certificate
 	Available      bool
 	Maintenance    bool            `key:"maintenance" constraint:"(?i)^(true|false)$"`
+	ReferrerPolicy string          `key:"referrerPolicy" constraint:"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url|none)$"`
 	SSLConfig      *SSLConfig      `key:"ssl"`
 	Nginx          *NginxAppConfig `key:"nginx"`
 	ProxyLocations []string        `key:"proxyLocations"`

model/model_validation_test.go

@@ -159,6 +159,14 @@ func TestInvalidHTTP2Enabled(t *testing.T) {
 	testInvalidValues(t, newTestRouterConfig, "HTTP2Enabled", "http2Enabled", []string{"0", "-1", "foobar"})
 }
 
+func TestValidReferrerPolicy(t *testing.T) {
+	testValidValues(t, newTestRouterConfig, "ReferrerPolicy", "referrerPolicy", []string{"no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url", "none"})
+}
+
+func TestInvalidReferrerPolicy(t *testing.T) {
+	testInvalidValues(t, newTestRouterConfig, "ReferrerPolicy", "referrerPolicy", []string{"0", "-1", "foobar", ""})
+}
+
 func TestInvalidGzipEnabled(t *testing.T) {
 	testInvalidValues(t, newTestGzipConfig, "Enabled", "enabled", []string{"0", "-1", "foobar"})
 }
@@ -255,6 +263,14 @@ func TestValidCertMappings(t *testing.T) {
 	testValidValues(t, newTestAppConfig, "CertMappings", "certificates", []string{"foobar.com:foobar,*.foobar.deis.ninja:foobar-deis-ninja"})
 }
 
+func TestValidAppReferrerPolicy(t *testing.T) {
+	testValidValues(t, newTestAppConfig, "ReferrerPolicy", "referrerPolicy", []string{"no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url", "none"})
+}
+
+func TestInvalidAppReferrerPolicy(t *testing.T) {
+	testInvalidValues(t, newTestAppConfig, "ReferrerPolicy", "referrerPolicy", []string{"0", "-1", "foobar", ""})
+}
+
 func TestInvalidBuilderConnectTimeout(t *testing.T) {
 	testInvalidValues(t, newTestBuilderConfig, "ConnectTimeout", "connectTimeout", []string{"0", "-1", "foobar"})
 }

nginx/config.go

@@ -193,6 +193,9 @@ http {
 		ssl_certificate /opt/router/ssl/default/default.crt;
 		ssl_certificate_key /opt/router/ssl/default/default.key;
 		{{ end }}
+		{{ if ne $routerConfig.ReferrerPolicy "" }}
+		add_header Referrer-Policy {{ $routerConfig.ReferrerPolicy }};
+		{{ end }}
 		server_name _;
 		location ~ ^/healthz/?$ {
 			access_log off;
@@ -277,6 +280,9 @@ http {
 				add_header X-Correlation-Id $correlation_id always;
 				{{end}}
 
+				{{ if (and (ne $appConfig.ReferrerPolicy "")  (ne $appConfig.ReferrerPolicy "none")) }}add_header Referrer-Policy {{ $appConfig.ReferrerPolicy }};
+				{{ else if (and (ne $routerConfig.ReferrerPolicy "") (and (ne $appConfig.ReferrerPolicy "none") (ne $routerConfig.ReferrerPolicy "none"))) }}add_header Referrer-Policy {{ $routerConfig.ReferrerPolicy }};{{ end }}
+
 				{{ if $location.App.Maintenance }}return 503;{{ else if $location.App.Available }}
 				proxy_buffering {{ if $location.App.Nginx.ProxyBuffersConfig.Enabled }}on{{ else }}off{{ end }};
 				proxy_buffer_size {{ $location.App.Nginx.ProxyBuffersConfig.Size }};