From 96e406c7916c271ea444a0b10712f8ad53916d00 Mon Sep 17 00:00:00 2001
From: Emilien Mantel
Date: Tue, 15 Mar 2016 15:30:22 +0100
Subject: [PATCH] always directive managed for add_header option
---
 doc/vhost.md | 2 +-
 templates/etc/nginx/helper/ssl-legacy.j2 | 2 +-
 templates/etc/nginx/helper/ssl-strong.j2 | 2 +-
 templates/etc/nginx/sites-available/_base.j2 | 2 +-
 tests/test.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/doc/vhost.md b/doc/vhost.md
index 1da8a1b..1d93cde 100644
--- a/doc/vhost.md
+++ b/doc/vhost.md
@@ -15,7 +15,7 @@ Common
 - `delete`: (O) Delete the vhost (default is false)
 - `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www
 - `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme).
-- `headers`: (O) Set additionals header as key/value list.
+- `headers`: (O) Set additionals header as key/value list. You can append "always" to the value. Show [nginx doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html).
 - `redirect_to_code`: Redirect code (default: 302)
 - `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to ```['https']```.
 - `location`: (O) Add new custom locations (it does not overwrite!)
diff --git a/templates/etc/nginx/helper/ssl-legacy.j2 b/templates/etc/nginx/helper/ssl-legacy.j2
index 3a4a05c..96caa22 100644
--- a/templates/etc/nginx/helper/ssl-legacy.j2
+++ b/templates/etc/nginx/helper/ssl-legacy.j2
@@ -6,7 +6,7 @@ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
 {% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
 ssl_stapling on;
 ssl_stapling_verify on;
diff --git a/templates/etc/nginx/helper/ssl-strong.j2 b/templates/etc/nginx/helper/ssl-strong.j2
index 25dcbf3..e23d88f 100644
--- a/templates/etc/nginx/helper/ssl-strong.j2
+++ b/templates/etc/nginx/helper/ssl-strong.j2
@@ -6,7 +6,7 @@ ssl_ciphers "AES256+EECDH:AES256+EDH";
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
 {% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
 ssl_stapling on;
 ssl_stapling_verify on;
diff --git a/templates/etc/nginx/sites-available/_base.j2 b/templates/etc/nginx/sites-available/_base.j2
index fae9f37..8fb6432 100644
--- a/templates/etc/nginx/sites-available/_base.j2
+++ b/templates/etc/nginx/sites-available/_base.j2
@@ -62,7 +62,7 @@ server {
 # --> Custom headers
 {% for key, value in __headers.iteritems() %}
- add_header {{ key }} {{ value }};
+ add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
 {% endfor %}
 # <-- Custom headers
diff --git a/tests/test.yml b/tests/test.yml
index a73fcaa..4940547 100644
--- a/tests/test.yml
+++ b/tests/test.yml
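Review bot: The `version_compare('1.7.5', 'ge')` guard on the Strict-Transport-Security line carries no comment saying why 1.7.5, and the same expression is repeated in ssl-strong.j2 and in the custom-header loop of _base.j2. I would add `{# the "always" parameter of add_header exists since nginx 1.7.5 #}` above the directive. Ideally the test is computed once, for example as a boolean fact set where `nginx_version` is registered (outside this diff), so the three templates cannot drift apart. The docs should also state that on older nginx the template falls back silently, so the HSTS header is still missing from 4xx/5xx responses there. The guard assumes `nginx_version.stdout` is a bare version string; confirm that against the task that registers it.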
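Review bot: In the _base.j2 custom-header loop the `always` marker is matched anywhere in the value, not only at its end: `replace(' always', '')` strips every occurrence and `' always' in value` is true for any of them. A quoted value such as `"no-store, always revalidate"` (constructed example) is therefore rewritten and gains a trailing `always` the caller never asked for. Anchor both to the end of the value, e.g. `add_header {{ key }} {{ value | regex_replace(' always$', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and (value | string).endswith(' always') %} always{% endif %};`. The `| string` matters because `' always' in value` would presumably raise on a non-string value such as an unquoted YAML number, which the old `{{ value }}` rendered without error. Key and value are still written into the config unquoted, so the docs should say that values containing spaces or `;` must be quoted by the caller; the server block starts and ends outside this hunk.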
@@ -108,7 +108,7 @@
 filename : 'first-test'
 override_try_files: '$uri $uri index.htm index.html'
 headers:
- 'X-Frame-Options': 'deny'
+ 'X-Frame-Options': 'deny always'
 'X-ansible-default': '1'
 manage_local_content: false
 use_error_log: false
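Review bot: Only the happy path is exercised here, since `'X-Frame-Options': 'deny always'` puts the marker at the end of a single-word value. Consider adding a header whose quoted value contains ` always` in the middle, e.g. `'X-Test-Always': '"is always on"'` (constructed), so the stripping logic in _base.j2 is pinned against rewriting it. Nothing in this hunk asserts the rendered directive or that the header is present on an error response. If such checks exist they are outside the hunk, as is the enclosing vhost entry.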