From 5663c725beeac3b5b3f832b8c67b4873d587142f Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Fri, 15 Apr 2016 09:35:39 -0300
Subject: [PATCH] Make optional redirect to SSL
---
 controllers/nginx/README.md | 3 +++
 controllers/nginx/nginx.tmpl | 8 +++-----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/controllers/nginx/README.md b/controllers/nginx/README.md
index def7affb5..a975a5cfd 100644
--- a/controllers/nginx/README.md
+++ b/controllers/nginx/README.md
@@ -120,6 +120,9 @@ Please follow [test.sh](https://github.com/bprashanth/Ingress/blob/master/exampl
 Check the [example](examples/tls/README.md)
+### Force HTTPS
+
+By default the controller redirects (301) to HTTPS if there is a TLS Ingress rule. To disable this behavior use `use-hts=false` in the NGINX ConfigMap.
 #### Optimizing TLS Time To First Byte (TTTFB)
diff --git a/controllers/nginx/nginx.tmpl b/controllers/nginx/nginx.tmpl
index 86fb102a0..046ffc7cd 100644
--- a/controllers/nginx/nginx.tmpl
+++ b/controllers/nginx/nginx.tmpl
@@ -80,10 +80,6 @@ http {
 '' $scheme;
 }
- map $pass_access_scheme $sts {
- 'https' 'max-age={{ $cfg.htsMaxAge }}{{ if $cfg.htsIncludeSubdomains }}; includeSubDomains{{ end }}; preload';
- }
-
 # Map a response error watching the header Content-Type
 map $http_accept $httpAccept {
 default html;
@@ -163,10 +159,12 @@ http {
 server_name {{ $server.Name }};
- {{ if $server.SSL }}
+ {{ if (and $server.SSL $cfg.UseHTS) }}
 if ($scheme = http) {
 return 301 https://$host$request_uri;
 }
+
+ more_set_headers "Strict-Transport-Security: max-age={{ $cfg.htsMaxAge }}{{ if $cfg.htsIncludeSubdomains }}; includeSubDomains{{ end }}; preload";
 {{ end }}
 {{ range $location := $server.Locations }}
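Review bot: The added `more_set_headers "Strict-Transport-Security: …"` line in the last hunk applies to every response of a TLS-enabled server block, including the plain-HTTP 301 just above it, whereas the removed `map $pass_access_scheme $sts` produced a value only for `https`. RFC 6797 says the header must not be sent over non-secure transport (browsers ignore it there), so consider keeping the scheme-keyed map and referencing its variable here instead of inlining the value. The inlined value also keeps `preload` hard-coded; because preload-list inclusion is slow to reverse, it would be safer behind its own ConfigMap option, the way `includeSubDomains` is. `$cfg.UseHTS` now gates both the redirect and the HSTS header, so switching off the redirect also drops HSTS for HTTPS clients; a comment such as `{{/* UseHTS controls both the HTTP->HTTPS redirect and the Strict-Transport-Security header */}}` above the `if` would make that explicit. The enclosing `server` block starts and ends outside this hunk.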