alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

roles/nginx: Move HTTP Strict Transport Security toggle to vhosts

Browse Source 
This is really a per-site setting, so it doesn't make sense to have
a role default. Anyways, HSTS is kinda tricky and potentially dang-
erous, so unless a vhost explicitly sets it to "yes" we shouldn't
enable it.

Note: also switch from using a boolean to using a string; it is st-
ill declarative, but at least now I don't have to guess whether it
is being treated as a bool or not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
Alan Orth
2015-09-27 00:24:58 +03:00
parent f098b114d3
commit 48978407b8
2 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
roles/nginx/templates/https.j2
View File

@ -1,4 +1,6 @@
{% set domain_name = item.nginx_domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
{% set enable_hsts = item.nginx_enable_hsts | default("no") %}
# concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
@ -28,7 +30,7 @@
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% if nginx_enable_hsts == True %}
{% if enable_hsts == "yes" %}
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/