let the HSTS header be controlled by the management daemon so some domains can choose to enable preload
This commit is contained in:
parent
bd7a4dedc1
commit
93c2258d23
|
@ -16,7 +16,9 @@
|
||||||
#ssl_certificate_key /path/to/my-private-decrypted.key;
|
#ssl_certificate_key /path/to/my-private-decrypted.key;
|
||||||
|
|
||||||
# Tell browsers to require SSL (warning: difficult to change your mind)
|
# Tell browsers to require SSL (warning: difficult to change your mind)
|
||||||
add_header Strict-Transport-Security max-age=31536000;
|
# Handled by the management daemon because we can toggle this version or a
|
||||||
|
# preload version.
|
||||||
|
#add_header Strict-Transport-Security max-age=31536000;
|
||||||
|
|
||||||
# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
|
# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
|
||||||
#
|
#
|
||||||
|
|
|
@ -135,16 +135,28 @@ def make_domain_config(domain, templates, env):
|
||||||
nginx_conf_extra += "# ssl files sha1: %s / %s\n" % (hashfile(ssl_key), hashfile(ssl_certificate))
|
nginx_conf_extra += "# ssl files sha1: %s / %s\n" % (hashfile(ssl_key), hashfile(ssl_certificate))
|
||||||
|
|
||||||
# Add in any user customizations in YAML format.
|
# Add in any user customizations in YAML format.
|
||||||
|
hsts = "yes"
|
||||||
nginx_conf_custom_fn = os.path.join(env["STORAGE_ROOT"], "www/custom.yaml")
|
nginx_conf_custom_fn = os.path.join(env["STORAGE_ROOT"], "www/custom.yaml")
|
||||||
if os.path.exists(nginx_conf_custom_fn):
|
if os.path.exists(nginx_conf_custom_fn):
|
||||||
yaml = rtyaml.load(open(nginx_conf_custom_fn))
|
yaml = rtyaml.load(open(nginx_conf_custom_fn))
|
||||||
if domain in yaml:
|
if domain in yaml:
|
||||||
yaml = yaml[domain]
|
yaml = yaml[domain]
|
||||||
|
|
||||||
|
# any proxy or redirect here?
|
||||||
for path, url in yaml.get("proxies", {}).items():
|
for path, url in yaml.get("proxies", {}).items():
|
||||||
nginx_conf_extra += "\tlocation %s {\n\t\tproxy_pass %s;\n\t}\n" % (path, url)
|
nginx_conf_extra += "\tlocation %s {\n\t\tproxy_pass %s;\n\t}\n" % (path, url)
|
||||||
for path, url in yaml.get("redirects", {}).items():
|
for path, url in yaml.get("redirects", {}).items():
|
||||||
nginx_conf_extra += "\trewrite %s %s permanent;\n" % (path, url)
|
nginx_conf_extra += "\trewrite %s %s permanent;\n" % (path, url)
|
||||||
|
|
||||||
|
# override the HSTS directive type
|
||||||
|
hsts = yaml.get("hsts", hsts)
|
||||||
|
|
||||||
|
# Add the HSTS header.
|
||||||
|
if hsts == "yes":
|
||||||
|
nginx_conf_extra += "add_header Strict-Transport-Security max-age=31536000;\n"
|
||||||
|
elif hsts == "preload":
|
||||||
|
nginx_conf_extra += "add_header Strict-Transport-Security \"max-age=10886400; includeSubDomains; preload\";\n"
|
||||||
|
|
||||||
# Add in any user customizations in the includes/ folder.
|
# Add in any user customizations in the includes/ folder.
|
||||||
nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")
|
nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")
|
||||||
if os.path.exists(nginx_conf_custom_include):
|
if os.path.exists(nginx_conf_custom_include):
|
||||||
|
|
Loading…
Reference in New Issue