roles/nginx: Add HSTS check to vhost template

We need to actually check if HSTS was requested before setting the header in the block handing PHP requests. We check in the main vhost block, but nginx headers are only inherited if you don't set ANY headers in child blocks (ie, headers set in parent blocks are cleared if you set any new ones in the child). Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:27:41 +03:00 · 2015-09-27 00:27:41 +03:00 · 52dc0c357b
parent 48978407b8
commit 52dc0c357b
1 changed files with 3 additions and 1 deletions
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@ -1,6 +1,8 @@
 {% set domain_name      = item.nginx_domain_name %}
 {% set domain_aliases   = item.nginx_domain_aliases | default("") %}
 {% set use_https        = item.use_https | default("no") %}
+{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
+{% set enable_hsts      = item.nginx_enable_hsts | default("no") %}
 {% set has_wordpress    = item.has_wordpress | default("no") %}

 {% if use_https == "yes" %}
@ -69,7 +71,7 @@ server {
        fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
        fastcgi_no_cache $http_pragma $wordpress_logged_in;

-        {% if use_https == "yes" %}
+        {% if use_https == "yes" and enable_hsts == "yes" %}
        # Enable this if you want HSTS (recommended, but be careful)
        # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
        # See: https://hstspreload.appspot.com/