From 623dcf6bfde3757e54fcc275ae2bbf48582fae61 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 16 Jan 2018 09:20:40 +0000
Subject: [PATCH] Enable HSTS for all nginx served SSL sites
---
 cookbooks/apache/templates/default/ssl.erb | 4 +++-
 cookbooks/imagery/templates/default/nginx_imagery.conf.erb | 4 ++++
 cookbooks/ssl/attributes/default.rb | 1 +
 cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb | 4 ++++
 4 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb
index df7c2578d..547c1eaa2 100644
--- a/cookbooks/apache/templates/default/ssl.erb
+++ b/cookbooks/apache/templates/default/ssl.erb
@@ -15,5 +15,7 @@ SSLStaplingErrorCacheTimeout 60
 SSLStaplingReturnResponderErrors off
 SSLStaplingFakeTryLater off
 SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
+<% if node[:ssl][:strict_transport_security] -%>
-Header setifempty Strict-Transport-Security max-age=86400 env=HTTPS
+Header setifempty Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" env=HTTPS
+<% end -%>
diff --git a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
index 405949e24..ec8a7ca31 100644
--- a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
+++ b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
@@ -14,6 +14,10 @@ server {
 ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
 ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
+<% if node[:ssl][:strict_transport_security] -%>
+
+ add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
+<% end -%>
 root "/srv/<%= @name %>";
diff --git a/cookbooks/ssl/attributes/default.rb b/cookbooks/ssl/attributes/default.rb
index 1494dfe75..d7e56d118 100644
--- a/cookbooks/ssl/attributes/default.rb
+++ b/cookbooks/ssl/attributes/default.rb
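Review bot: The `Header setifempty` form keeps any Strict-Transport-Security value the backing application has already put on the response, so an application that emits its own (possibly weaker) policy silently wins over the cookbook default, whereas the nginx templates in this patch use `add_header ... always` and send the cookbook value unconditionally. That asymmetry is presumably deliberate for sites that manage their own HSTS, but it is not stated anywhere; a comment above the guard would make the intent explicit, e.g. `# setifempty: an application-supplied Strict-Transport-Security header takes precedence over the cookbook default`. The `@@ -15,5 +15,7` counts exceed the lines visible here, so a trailing context line may have been lost in this rendering.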
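Review bot: nginx only inherits `add_header` directives from the `server` level into a `location` that declares no `add_header` of its own, so any location in this server block that adds its own headers will stop sending Strict-Transport-Security for the responses it serves; the same applies to the tilecache hunk, where the `location /` block that follows the new directive continues past the hunk. The rest of both server blocks is outside these hunks, so I cannot tell from here whether such a location exists — either verify none does, or repeat the directive inside each one. A comment above the `<% if %>` guard, e.g. `# add_header is not inherited by a location that sets its own headers; repeat this directive there`, would keep a later location-level header addition from silently dropping HSTS.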
@@ -1 +1,2 @@
 default[:ssl][:ciphers] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+default[:ssl][:strict_transport_security] = "max-age=86400"
diff --git a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
index 7024817ae..a517b2075 100644
--- a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
+++ b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
@@ -52,6 +52,10 @@ server {
 ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem;
 ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key;
+<% if node[:ssl][:strict_transport_security] -%>
+
+ add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
+<% end -%>
 location / {
 proxy_pass http://tile_cache_backend;
-- 
2.43.2
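Review bot: A `max-age` of 86400 gives a client only one day of HSTS protection after its last visit, which is short against the usual guidance of several months to a year and well below what the preload list accepts, so a returning user's first request after a day away is again open to a downgrade. If the low value is a deliberate first step of a staged rollout, say so next to the attribute, since nothing here records that, e.g. `# HSTS policy sent by the apache and nginx SSL templates; set to nil to omit the header. Deliberately short max-age for rollout - raise once every SSL site is confirmed working over HTTPS.` The templates guard on the attribute being truthy, so a nil/false value disables the header everywhere at once; that single switch is worth documenting here as well.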