handle hsts header injection in lua

2019-09-24 14:57:17 -04:00 · 2019-09-24 14:57:17 -04:00 · c5a8357f1d
commit c5a8357f1d
parent daf8634acf
3 changed files with 28 additions and 7 deletions
--- a/rootfs/etc/nginx/lua/lua_ingress.lua
+++ b/rootfs/etc/nginx/lua/lua_ingress.lua
@ -142,6 +142,17 @@ function _M.rewrite(location_config)

    ngx_redirect(uri, config.http_redirect_code)
  end
+
+  if config.hsts and ngx.var.scheme == "https" and certificate_configured_for_server(ngx.var.host) then
+    local value = "max-age=" .. config.hsts_max_age
+    if config.hsts_include_subdomains then
+      value = value .. "; includeSubDomains"
+    end
+    if config.hsts_preload then
+      value = value .. "; preload"
+    end
+    ngx.header["Strict-Transport-Security"] = value
+  end
 end

 return _M
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -1051,12 +1051,6 @@ stream {
                plugins.run()
            }

-            {{ if (and $server.SSLCert $all.Cfg.HSTS) }}
-            if ($scheme = https) {
-            more_set_headers                        "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}{{ if $all.Cfg.HSTSPreload }}; preload{{ end }}";
-            }
-            {{ end }}
-
            {{ if not $location.Logs.Access }}
            access_log off;
            {{ end }}