Enable HSTS for all nginx served SSL sites
authorTom Hughes <tom@compton.nu>
Tue, 16 Jan 2018 09:20:40 +0000 (09:20 +0000)
committerTom Hughes <tom@compton.nu>
Tue, 16 Jan 2018 09:24:34 +0000 (09:24 +0000)
cookbooks/apache/templates/default/ssl.erb
cookbooks/imagery/templates/default/nginx_imagery.conf.erb
cookbooks/ssl/attributes/default.rb
cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb

index df7c2578d7bf547d501a3ccfb85c7f8cd54fcd6c..547c1eaa21010c0153412ff7dcf63634d9d77c7e 100644 (file)
@@ -15,5 +15,7 @@ SSLStaplingErrorCacheTimeout 60
 SSLStaplingReturnResponderErrors off
 SSLStaplingFakeTryLater off
 SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
+<% if node[:ssl][:strict_transport_security] -%>
 
-Header setifempty Strict-Transport-Security max-age=86400 env=HTTPS
+Header setifempty Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" env=HTTPS
+<% end -%>
index 405949e24ae8bea66b99cdb4f2c0e67af7bff47a..ec8a7ca312fe815f475bcf44d94b8fe65afa4592 100644 (file)
@@ -14,6 +14,10 @@ server {
 
     ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
     ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
+<% if node[:ssl][:strict_transport_security] -%>
+
+    add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
+<% end -%>
 
     root "/srv/<%= @name %>";
 
index 1494dfe75044f05f860c08e4a782ce8defee0c2c..d7e56d118e26e6bb9b7de386f93cf049dd55d113 100644 (file)
@@ -1 +1,2 @@
 default[:ssl][:ciphers] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+default[:ssl][:strict_transport_security] = "max-age=86400"
index 7024817aece06780b6c279a59e40f3b05f8c69af..a517b20757cada4c97e4153f0f886d9939026b54 100644 (file)
@@ -52,6 +52,10 @@ server {
 
     ssl_certificate      /etc/ssl/certs/tile.openstreetmap.org.pem;
     ssl_certificate_key  /etc/ssl/private/tile.openstreetmap.org.key;
+<% if node[:ssl][:strict_transport_security] -%>
+
+    add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
+<% end -%>
 
     location / {
       proxy_pass http://tile_cache_backend;