radityo
/
ansible-nginx
mirror of https://github.com/HanXHX/ansible-nginx.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Change HSTS header per site or globally

py3
Emilien Mantel 2020-02-04 13:06:26 +01:00
parent 93b90c748f
commit 1e7a0fc855
7 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -55,6 +55,7 @@ FreeBSD:
- `nginx_error_log_level`: default log level - `nginx_error_log_level`: default log level
- `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible - `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible
- `nginx_fastcgi_fix_realpath`: boolean, use realpath for fastcgi (fix problems with symlinks and PHP opcache) - `nginx_fastcgi_fix_realpath`: boolean, use realpath for fastcgi (fix problems with symlinks and PHP opcache)
- `nginx_default_hsts`: string, default header sent for HSTS
### Nginx Configuration ### Nginx Configuration

1
defaults/main.yml
View File

@ -19,6 +19,7 @@ nginx_auto_config_httpv2: true
nginx_default_site: null nginx_default_site: null
nginx_default_site_ssl: null nginx_default_site_ssl: null
nginx_fastcgi_fix_realpath: true nginx_fastcgi_fix_realpath: true
nginx_default_hsts: 'max-age=63072000; includeSubDomains'
# #
# Nginx directories # Nginx directories

1
doc/site.md
View File

@ -31,6 +31,7 @@ Common
- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false". - `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
- `listen_proxy_protocol` (O) Enable proxy protocol on http port. - `listen_proxy_protocol` (O) Enable proxy protocol on http port.
- `listen_proxy_protocol_ssl` (O) Enable proxy protocol on https port. - `listen_proxy_protocol_ssl` (O) Enable proxy protocol on https port.
- `hsts` (O) overwrite default header for hsts
(O): Optional (O): Optional
(M): Mandatory (M): Mandatory

1
templates/etc/nginx/helper/ssl-legacy.j2
View File

@ -9,7 +9,6 @@ ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }}; resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
resolver_timeout {{ nginx_resolver_timeout }}; resolver_timeout {{ nginx_resolver_timeout }};
ssl_dhparam {{ nginx_dh_path }}; ssl_dhparam {{ nginx_dh_path }};

1
templates/etc/nginx/helper/ssl-strong.j2
View File

@ -11,7 +11,6 @@ ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }}; resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
resolver_timeout {{ nginx_resolver_timeout }}; resolver_timeout {{ nginx_resolver_timeout }};
ssl_dhparam {{ nginx_dh_path }}; ssl_dhparam {{ nginx_dh_path }};

2
templates/etc/nginx/sites-available/_base.j2
View File

@ -89,6 +89,7 @@ server {
{{ ssl(__ssl_name) }} {{ ssl(__ssl_name) }}
{% if item.ssl_template is not defined or item.ssl_template != false %} {% if item.ssl_template is not defined or item.ssl_template != false %}
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }}; include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
{% endif %} {% endif %}
{% endif %} {% endif %}
server_name {{ server_name(item.name) }}; server_name {{ server_name(item.name) }};
@ -217,6 +218,7 @@ server {
{{ ssl(__ssl_name) }} {{ ssl(__ssl_name) }}
{% if item.ssl_template is not defined or item.ssl_template != false %} {% if item.ssl_template is not defined or item.ssl_template != false %}
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }}; include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
{% endif %} {% endif %}
server_name {{ server_name(item.redirect_from) }}; server_name {{ server_name(item.redirect_from) }};
location / { location / {

1
tests/test.yml
View File

@ -240,6 +240,7 @@
- 'www.test-ssl-selfsigned.local' - 'www.test-ssl-selfsigned.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
hsts: 'max-age=1664;'
- name: 'test-ssl-predeployed.local' - name: 'test-ssl-predeployed.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'