roles/nginx: Parameterize HSTS header

This parameterizes the HTTP Strict Transport Security header so we
can use it consistently across all templates. Also, it updates the
max-age to be ~1 year in seconds, which is recommended by Google.

See: https://hstspreload.org/
This commit is contained in:
Alan Orth 2021-03-23 15:36:28 +02:00
parent f85eb2841a
commit 96cefc7f74
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
4 changed files with 8 additions and 4 deletions

View File

@ -20,6 +20,10 @@ nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# in seconds, see: https://hstspreload.org/
nginx_hsts_max_age: 31536000
# install acme.sh?
# True unless you're in development and using "localhost" + snakeoil certs
use_letsencrypt: True

View File

@ -51,5 +51,5 @@
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %}

View File

@ -98,7 +98,7 @@ server {
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %}
include extra-security.conf;

View File

@ -9,7 +9,7 @@
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %}
}
@ -20,7 +20,7 @@
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %}
}