From 96cefc7f74d0aaf54d6de955f3e35368b668c16c Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Tue, 23 Mar 2021 15:36:28 +0200
Subject: [PATCH] roles/nginx: Parameterize HSTS header

This parameterizes the HTTP Strict Transport Security header so we can use it consistently across all templates. Also, it updates the max-age to be ~1 year in seconds, which is recommended by Google. See: https://hstspreload.org/
---
 roles/nginx/defaults/main.yml | 4 ++++
 roles/nginx/templates/https.j2 | 2 +-
 roles/nginx/templates/vhost.conf.j2 | 2 +-
 roles/nginx/templates/wordpress.j2 | 4 ++--
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 4f8ea86..64d4b21 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -20,6 +20,10 @@ nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
 nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
 
+# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
+# in seconds, see: https://hstspreload.org/
+nginx_hsts_max_age: 31536000
+
 # install acme.sh?
 # True unless you're in development and using "localhost" + snakeoil certs
 use_letsencrypt: True
diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2
index 00b9cc8..27ef0d2 100644
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@@ -51,5 +51,5 @@
 # Enable this if you want HSTS (recommended, but be careful)
 # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
 # See: https://hstspreload.appspot.com/
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+ add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
 {% endif %}
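Review bot: The comment added above `nginx_hsts_max_age` states the recommendation but not the lower bound the templates depend on: every `add_header` line in this patch sends `includeSubDomains; preload` alongside the variable, and hstspreload.org only accepts a max-age of at least 31536000 seconds, so an inventory override below one year would quietly make the site ineligible for, or inconsistent with, preloading. I would say so in the comment, e.g. `# Seconds; keep >= 31536000 (1 year): the templates also send "preload", which hstspreload.org rejects below that`. Since nothing visible in the role validates the value before it is rendered, it is also worth a sentence that once a domain is on a browser preload list, lowering this value does not remove it. The value is a plain int and renders unchanged through Jinja, so no quoting is needed here.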
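Review bot: The `# See: https://hstspreload.appspot.com/` comment directly above the changed `add_header` line is now out of step with the new defaults comment, which cites https://hstspreload.org/, and it is the only place a reader of the template learns why `preload` is sent; I would update it to `# See: https://hstspreload.org/ (preload requires max-age >= 31536000, see nginx_hsts_max_age)`. The same stale comment precedes the identical replacement in roles/nginx/templates/vhost.conf.j2 and in both hunks of roles/nginx/templates/wordpress.j2, so all four should change together. The `{% if %}` guarding this block opens before the hunk, so which flag enables the header is not visible here.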
diff --git a/roles/nginx/templates/vhost.conf.j2 b/roles/nginx/templates/vhost.conf.j2
index 1c2a4b1..175434b 100644
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@@ -98,7 +98,7 @@ server {
 # Enable this if you want HSTS (recommended, but be careful)
 # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
 # See: https://hstspreload.appspot.com/
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+ add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
 {% endif %}
 
 include extra-security.conf;
diff --git a/roles/nginx/templates/wordpress.j2 b/roles/nginx/templates/wordpress.j2
index 8d6e2ac..a35f6dd 100644
--- a/roles/nginx/templates/wordpress.j2
+++ b/roles/nginx/templates/wordpress.j2
@@ -9,7 +9,7 @@
 # Enable this if you want HSTS (recommended, but be careful)
 # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
 # See: https://hstspreload.appspot.com/
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+ add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
 {% endif %}
 
 }
@@ -20,7 +20,7 @@
 # Enable this if you want HSTS (recommended, but be careful)
 # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
 # See: https://hstspreload.appspot.com/
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+ add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
 {% endif %}
 
 }