From 52dc0c357b88dc430df0c32833c848b3c40349cf Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sun, 27 Sep 2015 00:27:41 +0300
Subject: [PATCH] roles/nginx: Add HSTS check to vhost template

We need to actually check if HSTS was requested before setting the header in the block handing PHP requests. We check in the main vhost block, but nginx headers are only inherited if you don't set ANY headers in child blocks (ie, headers set in parent blocks are cleared if you set any new ones in the child).

Signed-off-by: Alan Orth
---
 roles/nginx/templates/vhost.conf.j2 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/nginx/templates/vhost.conf.j2 b/roles/nginx/templates/vhost.conf.j2
index ce5480b..82cbbb5 100644
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@@ -1,6 +1,8 @@
 {% set domain_name = item.nginx_domain_name %}
 {% set domain_aliases = item.nginx_domain_aliases | default("") %}
 {% set use_https = item.use_https | default("no") %}
+{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
+{% set enable_hsts = item.nginx_enable_hsts | default("no") %}
 {% set has_wordpress = item.has_wordpress | default("no") %}
 
 {% if use_https == "yes" %}
@@ -69,7 +71,7 @@ server {
 fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
 fastcgi_no_cache $http_pragma $wordpress_logged_in;
 
- {% if use_https == "yes" %}
+ {% if use_https == "yes" and enable_hsts == "yes" %}
 # Enable this if you want HSTS (recommended, but be careful)
 # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
 # See: https://hstspreload.appspot.com/
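Review bot: The comment `# Enable this if you want HSTS (recommended, but be careful)` directly under the changed condition in the second hunk is now stale, because enabling HSTS is no longer a manual edit but is decided by `nginx_enable_hsts` in the vhost definition; it should instead explain why the header is repeated in this location, e.g. `# Re-emit HSTS here: add_header directives from the server block are not inherited once this location sets any header of its own`. The inheritance rule described in the commit message applies to every add_header in the parent server block, so if that block sets other security headers they are presumably also dropped inside this PHP location — worth confirming and recording next to this check. The enclosing location block and the add_header line that this condition guards both lie outside the hunk.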