DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #563 from aledbf/hsts-preload

Browse source 
Add option to disable hsts preload
This commit is contained in:
Manuel Alejandro de Brito Fontes 2017-04-05 23:20:35 -03:00 committed by GitHub
commit 7ca7652ab2
3 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
controllers/nginx/configuration.md
View file

@ -285,6 +285,7 @@ https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-
**hsts-max-age:** Sets the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS. **hsts-max-age:** Sets the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
**hsts-preload:** Enables or disables the preload attribute in the HSTS feature (if is enabled)
**keep-alive:** Sets the time during which a keep-alive client connection will stay open on the server side. **keep-alive:** Sets the time during which a keep-alive client connection will stay open on the server side.
The zero value disables keep-alive client connections. The zero value disables keep-alive client connections.
@ -420,6 +421,7 @@ The following table shows the options, the default value and a description.
|hsts|"true"| |hsts|"true"|
|hsts-include-subdomains|"true"| |hsts-include-subdomains|"true"|
|hsts-max-age|"15724800"| |hsts-max-age|"15724800"|
|hsts-preload|"false"|
|keep-alive|"75"| |keep-alive|"75"|
|map-hash-bucket-size|"64"| |map-hash-bucket-size|"64"|
|max-worker-connections|"16384"| |max-worker-connections|"16384"|

4
controllers/nginx/pkg/config/config.go
View file

@ -144,6 +144,9 @@ type Configuration struct {
// accessed using HTTPS. // accessed using HTTPS.
HSTSMaxAge string `json:"hsts-max-age,omitempty"` HSTSMaxAge string `json:"hsts-max-age,omitempty"`
// Enables or disables the preload attribute in HSTS feature
HSTSPreload bool `json:"hsts-preload,omitempty"`
// Time during which a keep-alive client connection will stay open on the server side. // Time during which a keep-alive client connection will stay open on the server side.
// The zero value disables keep-alive client connections // The zero value disables keep-alive client connections
// http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout // http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
@ -271,6 +274,7 @@ func NewDefault() Configuration {
HSTS: true, HSTS: true,
HSTSIncludeSubdomains: true, HSTSIncludeSubdomains: true,
HSTSMaxAge: hstsMaxAge, HSTSMaxAge: hstsMaxAge,
HSTSPreload: false,
GzipTypes: gzipTypes, GzipTypes: gzipTypes,
KeepAlive: 75, KeepAlive: 75,
LargeClientHeaderBuffers: "4 8k", LargeClientHeaderBuffers: "4 8k",

2
controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
View file

@ -229,7 +229,7 @@ http {
{{ end }} {{ end }}
{{ if (and (not (empty $server.SSLCertificate)) $cfg.HSTS) }} {{ if (and (not (empty $server.SSLCertificate)) $cfg.HSTS) }}
more_set_headers "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; preload"; more_set_headers "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; {{ if $cfg.HSTSPreload }}preload{{ end }}";
{{ end }} {{ end }}
{{ if $cfg.EnableVtsStatus }}vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;{{ end }} {{ if $cfg.EnableVtsStatus }}vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;{{ end }}