From c5a8357f1d521a86f2455faa05d3220f878962e7 Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Tue, 24 Sep 2019 14:57:17 -0400
Subject: [PATCH] handle hsts header injection in lua

---
 .../ingress/controller/template/template.go | 18 +++++++++++++++++-
 rootfs/etc/nginx/lua/lua_ingress.lua | 11 +++++++++++
 rootfs/etc/nginx/template/nginx.tmpl | 6 ------
 3 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index 6cec582da..a45e4cc6a 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -302,7 +302,23 @@ func configForLua(input interface{}) string {
 is_ssl_passthrough_enabled = %t,
 http_redirect_code = %v,
 listen_ports = { ssl_proxy = "%v", https = "%v" },
- }`, all.Cfg.UseForwardedHeaders, all.IsSSLPassthroughEnabled, all.Cfg.HTTPRedirectCode, all.ListenPorts.SSLProxy, all.ListenPorts.HTTPS)
+
+ hsts = %t,
+ hsts_max_age = %v,
+ hsts_include_subdomains = %t,
+ hsts_preload = %t,
+ }`,
+ all.Cfg.UseForwardedHeaders,
+ all.IsSSLPassthroughEnabled,
+ all.Cfg.HTTPRedirectCode,
+ all.ListenPorts.SSLProxy,
+ all.ListenPorts.HTTPS,
+
+ all.Cfg.HSTS,
+ all.Cfg.HSTSMaxAge,
+ all.Cfg.HSTSIncludeSubdomains,
+ all.Cfg.HSTSPreload,
+ )
 }
 
 // locationConfigForLua formats some location specific configuration into Lua table represented as string
diff --git a/rootfs/etc/nginx/lua/lua_ingress.lua b/rootfs/etc/nginx/lua/lua_ingress.lua
index 4fdb04618..e3ea01b75 100644
--- a/rootfs/etc/nginx/lua/lua_ingress.lua
+++ b/rootfs/etc/nginx/lua/lua_ingress.lua
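Review bot: `hsts_max_age = %v` splices HSTSMaxAge unquoted into generated Lua source, so if that field is a string (its type is not visible in this hunk) a non-numeric ConfigMap value such as `1y` — which before only produced a malformed header line in nginx.conf — now turns the config table into a Lua syntax error and the whole Lua configuration fails to load. Either validate the value as an unsigned integer where the ConfigMap is parsed, or emit it quoted (`hsts_max_age = %q,`) so the Lua side always receives a string it can concatenate into the header. The same consideration applies to any other interpolated field that is not a bool or a number. configForLua begins before this hunk, so the surrounding fmt.Sprintf call is not visible here.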
@@ -142,6 +142,17 @@ function _M.rewrite(location_config)
 
 ngx_redirect(uri, config.http_redirect_code)
 end
+
+ if config.hsts and ngx.var.scheme == "https" and certificate_configured_for_server(ngx.var.host) then
+ local value = "max-age=" .. config.hsts_max_age
+ if config.hsts_include_subdomains then
+ value = value .. "; includeSubDomains"
+ end
+ if config.hsts_preload then
+ value = value .. "; preload"
+ end
+ ngx.header["Strict-Transport-Security"] = value
+ end
 end
 
 return _M
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index c8f13eba3..f2c266c02 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -1051,12 +1051,6 @@ stream {
 plugins.run()
 }
 
- {{ if (and $server.SSLCert $all.Cfg.HSTS) }}
- if ($scheme = https) {
- more_set_headers "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}{{ if $all.Cfg.HSTSPreload }}; preload{{ end }}";
- }
- {{ end }}
-
 {{ if not $location.Logs.Access }}
 access_log off;
 {{ end }}
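Review bot: `ngx.header["Strict-Transport-Security"] = value` is assigned in the rewrite phase, before the upstream has answered, whereas the `more_set_headers` directive it replaces rewrote the final response; if an upstream also returns Strict-Transport-Security the client may now receive both headers (RFC 6797 has the UA honour only the first), so the ingress-configured value no longer reliably wins. Emitting the header from a header-filter hook instead (`header_filter_by_lua_block { lua_ingress.header() }` with the same assignment in an `_M.header()` function) would overwrite whatever the upstream sent, matching the old behaviour. Note also that the gate is now `certificate_configured_for_server(ngx.var.host)`, driven by the client-supplied Host value, rather than the static per-server `$server.SSLCert` check; that helper is defined outside this hunk, and `_M.rewrite` starts before it.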