From 1e7a0fc855f5c21599b37d8838d690519ab49005 Mon Sep 17 00:00:00 2001
From: Emilien Mantel
Date: Tue, 4 Feb 2020 13:06:26 +0100
Subject: [PATCH] Change HSTS header per site or globally
---
 README.md | 1 +
 defaults/main.yml | 1 +
 doc/site.md | 1 +
 templates/etc/nginx/helper/ssl-legacy.j2 | 1 -
 templates/etc/nginx/helper/ssl-strong.j2 | 1 -
 templates/etc/nginx/sites-available/_base.j2 | 2 ++
 tests/test.yml | 1 +
 7 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index f894dd8..ee8246f 100644
--- a/README.md
+++ b/README.md
@@ -55,6 +55,7 @@ FreeBSD:
 - `nginx_error_log_level`: default log level
 - `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible
 - `nginx_fastcgi_fix_realpath`: boolean, use realpath for fastcgi (fix problems with symlinks and PHP opcache)
+- `nginx_default_hsts`: string, default header sent for HSTS
 ### Nginx Configuration
diff --git a/defaults/main.yml b/defaults/main.yml
index a6b825e..d106b14 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -19,6 +19,7 @@ nginx_auto_config_httpv2: true
 nginx_default_site: null
 nginx_default_site_ssl: null
 nginx_fastcgi_fix_realpath: true
+nginx_default_hsts: 'max-age=63072000; includeSubDomains'
 #
 # Nginx directories
diff --git a/doc/site.md b/doc/site.md
index 7dcdf4f..a3201c8 100644
--- a/doc/site.md
+++ b/doc/site.md
@@ -31,6 +31,7 @@ Common
 - `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
 - `listen_proxy_protocol` (O) Enable proxy protocol on http port.
 - `listen_proxy_protocol_ssl` (O) Enable proxy protocol on https port.
+- `hsts` (O) overwrite default header for hsts
 (O): Optional
 (M): Mandatory
diff --git a/templates/etc/nginx/helper/ssl-legacy.j2 b/templates/etc/nginx/helper/ssl-legacy.j2
index 0fd1245..0fa269e 100644
--- a/templates/etc/nginx/helper/ssl-legacy.j2
+++ b/templates/etc/nginx/helper/ssl-legacy.j2
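Review bot: The new `nginx_default_hsts: 'max-age=63072000; includeSubDomains'` default carries no comment, yet `includeSubDomains` extends the policy to every subdomain of every SSL site the role manages, including hosts served only over plain HTTP elsewhere, which browsers will then refuse to load until the two-year max-age expires. That is exactly what the removed helper lines hardcoded, so behaviour is unchanged, but now that it is a tunable the consequence should be spelled out next to it; a comment such as `# Sent on every SSL site unless the site sets its own 'hsts'; includeSubDomains also binds subdomains this role does not manage` above the line would do. Adding `preload` to this default should stay a per-site decision, since removal from browser preload lists is slow.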
@@ -9,7 +9,6 @@ ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
 ssl_dhparam {{ nginx_dh_path }};
diff --git a/templates/etc/nginx/helper/ssl-strong.j2 b/templates/etc/nginx/helper/ssl-strong.j2
index fe9340a..7cf04f6 100644
--- a/templates/etc/nginx/helper/ssl-strong.j2
+++ b/templates/etc/nginx/helper/ssl-strong.j2
@@ -11,7 +11,6 @@ ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
 ssl_dhparam {{ nginx_dh_path }};
diff --git a/templates/etc/nginx/sites-available/_base.j2 b/templates/etc/nginx/sites-available/_base.j2
index 2f88e08..c5aa5e4 100644
--- a/templates/etc/nginx/sites-available/_base.j2
+++ b/templates/etc/nginx/sites-available/_base.j2
@@ -89,6 +89,7 @@ server {
 {{ ssl(__ssl_name) }}
 {% if item.ssl_template is not defined or item.ssl_template != false %}
 include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
+ add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
 {% endif %}
 {% endif %}
 server_name {{ server_name(item.name) }};
@@ -217,6 +218,7 @@ server {
 {{ ssl(__ssl_name) }}
 {% if item.ssl_template is not defined or item.ssl_template != false %}
 include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
+ add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
 {% endif %}
 server_name {{ server_name(item.redirect_from) }};
 location / {
diff --git a/tests/test.yml b/tests/test.yml
index 563ecf6..a2315bd 100644
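Review bot: The added `add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;` (here at `@@ -89,6 +89,7 @@` and again in the redirect server block at `@@ -217,6 +218,7 @@`) drops a per-site value straight into a double-quoted nginx string, so a value containing `"` or `;` would break the rendered vhost or append an unintended directive; the values come from the play's own site definitions, so exposure is low, but an `assert` task on `item.hsts` (for example `that: item.hsts | default('') is match('^[A-Za-z0-9=; -]*$')`) would fail the play early instead of at `nginx -t`. Because nginx inherits `add_header` only into levels that declare none of their own, any `location` in the site that sets its own headers silently loses HSTS — this was already true with the helper include, so a template comment such as `{# add_header is not inherited by location blocks that declare their own headers; repeat it there if needed #}` next to the new line would save the next maintainer a surprise. An empty `hsts` value passes through `default()` and, since nginx skips `add_header` with an empty value (worth confirming), acts as an undocumented per-site opt-out; doc/site.md should say whether that is intended. The enclosing `{% if %}` and `server {` block start outside the hunk.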
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -240,6 +240,7 @@
 - 'www.test-ssl-selfsigned.local'
 proto: ['http', 'https']
 template: '_base'
+ hsts: 'max-age=1664;'
 - name: 'test-ssl-predeployed.local'
 proto: ['http', 'https']
 template: '_base'
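Review bot: The hunk sets `hsts: 'max-age=1664;'` on the self-signed site, but nothing in view checks that the rendered vhost actually carries that value or that the neighbouring sites still receive `nginx_default_hsts`; the rest of tests/test.yml is outside the hunk, so if the play does not already inspect the generated config, a task asserting that `Strict-Transport-Security "max-age=1664;"` appears in the generated `sites-available` file for this site would make the override testable. The trailing `;` is permitted by the RFC 6797 directive grammar, so it is a legitimate, slightly unusual value to exercise.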