From 48978407b847d546e01df31cb2264ae895cd9bdc Mon Sep 17 00:00:00 2001 From: Alan Orth Date: Sun, 27 Sep 2015 00:24:58 +0300 Subject: [PATCH] roles/nginx: Move HTTP Strict Transport Security toggle to vhosts This is really a per-site setting, so it doesn't make sense to have a role default. Anyways, HSTS is kinda tricky and potentially dang- erous, so unless a vhost explicitly sets it to "yes" we shouldn't enable it. Note: also switch from using a boolean to using a string; it is st- ill declarative, but at least now I don't have to guess whether it is being treated as a bool or not. Signed-off-by: Alan Orth --- roles/nginx/defaults/main.yml | 4 ---- roles/nginx/templates/https.j2 | 4 +++- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 029c09f..0ca35bd 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -16,10 +16,6 @@ nginx_ssl_buffer_size: 1400 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2' -# Enable HTTP Strict Transport Security? -# True on production, False on development! -nginx_enable_hsts: True - # TLS key directory tls_key_dir: /etc/ssl/private diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2 index a04889c..4f47ef3 100644 --- a/roles/nginx/templates/https.j2 +++ b/roles/nginx/templates/https.j2 @@ -1,4 +1,6 @@ {% set domain_name = item.nginx_domain_name %} +{# assume HSTS is off unless a vhost explicitly sets it to "yes" #} +{% set enable_hsts = item.nginx_enable_hsts | default("no") %} # concatenated key + cert # See: http://nginx.org/en/docs/http/configuring_https_servers.html @@ -28,7 +30,7 @@ # of such infrastructure, consider turning off session tickets: ssl_session_tickets off; - {% if nginx_enable_hsts == True %} + {% if enable_hsts == "yes" %} # Enable this if you want HSTS (recommended, but be careful) # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # See: https://hstspreload.appspot.com/