From 3331a96cbc81bf037a05ae1d8ebce8e0f9ee2d4f Mon Sep 17 00:00:00 2001
From: uumas
Date: Sun, 28 Jul 2024 00:45:37 +0300
Subject: [PATCH] vhost: Support manipulating headers
---
roles/vhost/defaults/main.yml | 2 ++
roles/vhost/meta/argument_specs.yml | 28 ++++++++++++++++++++++++++--
roles/vhost/tasks/caddy.yml | 6 ++++++
roles/vhost/tasks/main.yml | 4 +++-
4 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/roles/vhost/defaults/main.yml b/roles/vhost/defaults/main.yml
index ba0dde8..dc13c94 100644
--- a/roles/vhost/defaults/main.yml
+++ b/roles/vhost/defaults/main.yml
@@ -7,12 +7,14 @@ web_server: caddy vhost_locations: [] vhost_headers: {} +vhost_delete_headers: [] vhost_basicauth: false vhost_basicauth_users: {} proxy_target_protocol: http proxy_target_host: localhost +proxy_delete_headers: [] redirect_type: temporary redirect_preserve_path: false
diff --git a/roles/vhost/meta/argument_specs.yml b/roles/vhost/meta/argument_specs.yml
index 69cc904..907cfc8 100644
--- a/roles/vhost/meta/argument_specs.yml
+++ b/roles/vhost/meta/argument_specs.yml
@@ -37,10 +37,16 @@ argument_specs: - caddy - none vhost_headers: - description: dict of headers and their values + description: Dict of response headers and their values type: dict required: false default: {} + vhost_delete_headers: + description: List of reponse headers to delete + type: list + elements: str + required: false + default: [] vhost_basicauth: description: Whether to require basic auth for the vhost
@@ -70,6 +76,12 @@ argument_specs: choices: - http - https + proxy_delete_headers: + description: List of headers to delete from proxied requests + type: list + elements: str + required: false + default: [] redirect_target: description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
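Review bot: In roles/vhost/meta/argument_specs.yml the new `vhost_delete_headers` description misspells "response" (`List of reponse headers to delete`). Neither this description nor the `proxy_delete_headers` one says that entries are bare field names, while the Caddy template in this commit prepends the `-` itself, so a value written as `-Server` would render as `header --Server`. I would word it as `description: List of response header names to delete, without the leading "-"` and add the same hint to `proxy_delete_headers`.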
@@ -122,10 +134,16 @@ argument_specs: - redirect - respond headers: - description: dict of headers and their values + description: Dict of response headers and their values type: dict required: false default: "{{ vhost_headers }}" + delete_headers: + description: List of response headers to delete + type: list + elements: str + required: false + default: "{{ vhost_delete_headers }}" basicauth: description: Whether to require basic auth for the location
@@ -155,6 +173,12 @@ argument_specs: choices: - http - https + proxy_delete_headers: + description: List of request headers to delete from proxied requests + type: list + elements: str + required: false + default: "{{ proxy_delete_headers }}" redirect_target: description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
diff --git a/roles/vhost/tasks/caddy.yml b/roles/vhost/tasks/caddy.yml
index c23360c..b08c390 100644
--- a/roles/vhost/tasks/caddy.yml
+++ b/roles/vhost/tasks/caddy.yml
@@ -8,6 +8,9 @@ {{ vhost_domains | join(' ') }} { {% for location in vhost_locations_all %} handle {{ location.path }} { + {% for header in location.delete_headers %} + header -{{ header }} + {% endfor %} {% for header in location.headers | dict2items %} header {{ header.key }} `{{ header.value }}` {% endfor %}
@@ -26,6 +29,9 @@ } {% endif %} } + {% for header in location.proxy_delete_headers %} + request_header -{{ header }} + {% endfor %} {% elif location.type == 'redirect' %} redir {{ location.redirect_target }}{{ '{uri}' if location.redirect_preserve_path }} {{ location.redirect_type }} {% elif location.type == 'respond' %}
diff --git a/roles/vhost/tasks/main.yml b/roles/vhost/tasks/main.yml
index d0c6417..efdbac9 100644
--- a/roles/vhost/tasks/main.yml
+++ b/roles/vhost/tasks/main.yml
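Review bot: In roles/vhost/tasks/caddy.yml both new loops write list entries straight into the Caddyfile (`header -{{ header }}` in the first hunk, `request_header -{{ header }}` in the second), and the argument spec only checks that each entry is a string. An entry containing whitespace, a newline or a brace would be rendered as extra Caddyfile tokens or directives rather than as a header name, which matters if these variables are ever filled from inventory or group data that is less trusted than the playbook. A guard before the template task would close this, for example an `ansible.builtin.assert` over each location with `that: (item.delete_headers + item.proxy_delete_headers) | reject('match', '^[A-Za-z0-9_-]+$') | list | length == 0`; widen the pattern if wildcard deletes are wanted. The context line `header {{ header.key }}` has the same exposure, and the template block starts and ends outside both hunks.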
@@ -8,7 +8,7 @@ - redirect_target.split('://') | length < 2 - not redirect_target.startswith('/') -- name: Fail if redirect_tartget ends with / and redirect_preserve_path is true +- name: Fail if redirect_target ends with / and redirect_preserve_path is true ansible.builtin.fail: msg: redirect_target must not end with / if redirect_preserve_path is true when:
@@ -25,6 +25,7 @@ 'path': item.path, 'type': item.type | default(vhost_type), 'headers': item.headers | default(vhost_headers), + 'delete_headers': item.delete_headers | default(vhost_delete_headers), 'basicauth': item.basicauth | default(vhost_basicauth), 'basicauth_users': item.basicauth_users | default(vhost_basicauth_users),
@@ -32,6 +33,7 @@ 'proxy_target_port': item.proxy_target_port | default(proxy_target_port if vhost_type == 'reverse_proxy' else ''), 'proxy_target_host': item.proxy_target_host | default(proxy_target_host), 'proxy_target_protocol': item.proxy_target_protocol | default(proxy_target_protocol), + 'proxy_delete_headers': item.proxy_delete_headers | default(proxy_delete_headers), 'redirect_target': item.redirect_target | default(redirect_target if vhost_type == 'redirect' else ''), 'redirect_preserve_path': item.redirect_preserve_path | default(redirect_preserve_path),
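Review bot: In roles/vhost/tasks/main.yml, `item.delete_headers | default(vhost_delete_headers)` and `item.proxy_delete_headers | default(proxy_delete_headers)` replace the vhost-wide list rather than extend it, so a location that sets its own list silently stops deleting the vhost-level entries. If the vhost-level list is used to strip client-supplied headers that the backend trusts, a single location override lets them through again on that path. Either state the replace semantics in the argument spec descriptions, or merge the lists, e.g. `'proxy_delete_headers': (proxy_delete_headers + (item.proxy_delete_headers | default([]))) | unique,`. The dict literal these lines belong to starts and ends outside the hunks shown.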