Change HSTS header per site or globally
parent
93b90c748f
commit
1e7a0fc855
|
@ -55,6 +55,7 @@ FreeBSD:
|
|||
- `nginx_error_log_level`: default log level
|
||||
- `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible
|
||||
- `nginx_fastcgi_fix_realpath`: boolean, use realpath for fastcgi (fix problems with symlinks and PHP opcache)
|
||||
- `nginx_default_hsts`: string, default header sent for HSTS
|
||||
|
||||
### Nginx Configuration
|
||||
|
||||
|
|
|
@ -19,6 +19,7 @@ nginx_auto_config_httpv2: true
|
|||
nginx_default_site: null
|
||||
nginx_default_site_ssl: null
|
||||
nginx_fastcgi_fix_realpath: true
|
||||
nginx_default_hsts: 'max-age=63072000; includeSubDomains'
|
||||
|
||||
#
|
||||
# Nginx directories
|
||||
|
|
|
@ -31,6 +31,7 @@ Common
|
|||
- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
|
||||
- `listen_proxy_protocol` (O) Enable proxy protocol on http port.
|
||||
- `listen_proxy_protocol_ssl` (O) Enable proxy protocol on https port.
|
||||
- `hsts` (O) overwrite default header for hsts
|
||||
|
||||
(O): Optional
|
||||
(M): Mandatory
|
||||
|
|
|
@ -9,7 +9,6 @@ ssl_session_cache shared:SSL:10m;
|
|||
ssl_session_tickets off;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
||||
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
||||
resolver_timeout {{ nginx_resolver_timeout }};
|
||||
ssl_dhparam {{ nginx_dh_path }};
|
||||
|
|
|
@ -11,7 +11,6 @@ ssl_session_cache shared:SSL:10m;
|
|||
ssl_session_tickets off;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
||||
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
||||
resolver_timeout {{ nginx_resolver_timeout }};
|
||||
ssl_dhparam {{ nginx_dh_path }};
|
||||
|
|
|
@ -89,6 +89,7 @@ server {
|
|||
{{ ssl(__ssl_name) }}
|
||||
{% if item.ssl_template is not defined or item.ssl_template != false %}
|
||||
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
|
||||
add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
server_name {{ server_name(item.name) }};
|
||||
|
@ -217,6 +218,7 @@ server {
|
|||
{{ ssl(__ssl_name) }}
|
||||
{% if item.ssl_template is not defined or item.ssl_template != false %}
|
||||
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
|
||||
add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
|
||||
{% endif %}
|
||||
server_name {{ server_name(item.redirect_from) }};
|
||||
location / {
|
||||
|
|
|
@ -240,6 +240,7 @@
|
|||
- 'www.test-ssl-selfsigned.local'
|
||||
proto: ['http', 'https']
|
||||
template: '_base'
|
||||
hsts: 'max-age=1664;'
|
||||
- name: 'test-ssl-predeployed.local'
|
||||
proto: ['http', 'https']
|
||||
template: '_base'
|
||||
|
|
Loading…
Reference in New Issue