diff --git a/backend/templates/_hsts.conf b/backend/templates/_hsts.conf
index 11aecf24..26c83ee8 100644
--- a/backend/templates/_hsts.conf
+++ b/backend/templates/_hsts.conf
@@ -2,7 +2,7 @@
 {% if ssl_forced == 1 or ssl_forced == true %}
 {% if hsts_enabled == 1 or hsts_enabled == true %}
 # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
- add_header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
+ add_header Strict-Transport-Security $hsts_header always;
 {% endif %}
 {% endif %}
 {% endif %}
diff --git a/backend/templates/_hsts_map.conf b/backend/templates/_hsts_map.conf
new file mode 100644
index 00000000..27dd1f8f
--- /dev/null
+++ b/backend/templates/_hsts_map.conf
@@ -0,0 +1,3 @@
+map $scheme $hsts_header {
+ https "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload";
+}
\ No newline at end of file
diff --git a/backend/templates/_location.conf b/backend/templates/_location.conf
index 2ee0d31b..c561c274 100644
--- a/backend/templates/_location.conf
+++ b/backend/templates/_location.conf
@@ -1,3 +1,5 @@
+ {% include "_hsts_map.conf" %}
+
 location {{ path }} {
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Scheme $scheme;
diff --git a/backend/templates/dead_host.conf b/backend/templates/dead_host.conf
index d94dff57..7a06469a 100644
--- a/backend/templates/dead_host.conf
+++ b/backend/templates/dead_host.conf
@@ -1,6 +1,9 @@
 {% include "_header_comment.conf" %}
 {% if enabled %}
+
+{% include "_hsts_map.conf" %}
+
 server {
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index 81a542ea..d23ca46f 100644
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
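Review bot: The comment above the new `add_header` line in `_hsts.conf` still explains `63072000 seconds = 2 years`, but the max-age no longer appears in this file. It should say where the value now comes from and why a variable is used, e.g. `# HSTS value comes from the $hsts_header map in _hsts_map.conf; it is empty for plain http, so nginx omits the header there`. The directive also makes nginx refuse to load any rendered file that includes `_hsts.conf` without the map (unknown variable), so that dependency is worth stating in the same comment.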
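Review bot: `$hsts_header` in `_hsts_map.conf` is one name shared by every host, while its value is rendered from each host's own `hsts_subdomains` setting. nginx variables are global to the `http` block, so if the host files are all loaded into one `http` context (not visible here), the map rendered last would likely decide whether `includeSubDomains` is sent for every host. A per-host variable name, used in both the `map` and the `add_header` line in `_hsts.conf`, would keep the policy per host; so would two fixed maps defined once, with and without `includeSubDomains`, selected by the template. The same include is added in `dead_host.conf`, `proxy_host.conf` and `redirection_host.conf`.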
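Review bot: The include added at the top of `_location.conf` renders a `map` block directly before `location {{ path }} {`. `map` is only valid in the `http` context, whereas a `location` block can only sit inside `server` or another `location`. Wherever this template is rendered, the `map` would therefore land in a context where nginx rejects it, and the config test would fail. The host templates in this commit already include `_hsts_map.conf` before `server {`, so the include here looks unnecessary; I would drop the two added lines.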
@@ -1,6 +1,9 @@
 {% include "_header_comment.conf" %}
 {% if enabled %}
+
+{% include "_hsts_map.conf" %}
+
 server {
 set $forward_scheme {{ forward_scheme }};
 set $server "{{ forward_host }}";
diff --git a/backend/templates/redirection_host.conf b/backend/templates/redirection_host.conf
index 339fe72e..7dd36079 100644
--- a/backend/templates/redirection_host.conf
+++ b/backend/templates/redirection_host.conf
@@ -1,6 +1,9 @@
 {% include "_header_comment.conf" %}
 {% if enabled %}
+
+{% include "_hsts_map.conf" %}
+
 server {
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}