From 289e438c59ed707f6335404da2e4b15589583075 Mon Sep 17 00:00:00 2001
From: Dario Viva
Date: Sat, 2 Dec 2023 03:26:34 +0100
Subject: [PATCH] only add hsts header with https.

fixes https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1005
for more information look at: https://websistent.com/add-the-hsts-header-only-for-https-requests-nginx/
---
 backend/templates/_hsts.conf | 2 +-
 backend/templates/_hsts_map.conf | 3 +++
 backend/templates/_location.conf | 2 ++
 backend/templates/dead_host.conf | 3 +++
 backend/templates/proxy_host.conf | 3 +++
 backend/templates/redirection_host.conf | 3 +++
 6 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 backend/templates/_hsts_map.conf

diff --git a/backend/templates/_hsts.conf b/backend/templates/_hsts.conf
index 11aecf24..26c83ee8 100644
--- a/backend/templates/_hsts.conf
+++ b/backend/templates/_hsts.conf
@@ -2,7 +2,7 @@
 {% if ssl_forced == 1 or ssl_forced == true %}
 {% if hsts_enabled == 1 or hsts_enabled == true %}
 # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
- add_header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
+ add_header Strict-Transport-Security $hsts_header always;
 {% endif %}
 {% endif %}
 {% endif %}
diff --git a/backend/templates/_hsts_map.conf b/backend/templates/_hsts_map.conf
new file mode 100644
index 00000000..27dd1f8f
--- /dev/null
+++ b/backend/templates/_hsts_map.conf
@@ -0,0 +1,3 @@
+map $scheme $hsts_header {
+ https "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload";
+}
\ No newline at end of file
diff --git a/backend/templates/_location.conf b/backend/templates/_location.conf
index 2ee0d31b..c561c274 100644
--- a/backend/templates/_location.conf
+++ b/backend/templates/_location.conf
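Review bot: The rewritten `add_header` line now depends on `$hsts_header`, which is defined only in the new `_hsts_map.conf`, and nothing in `_hsts.conf` records that coupling; nginx refuses to load a configuration that references a variable no module defines, so any template that includes `_hsts.conf` without also including the map at http level will fail `nginx -t` instead of silently losing HSTS. The line also relies on `add_header` skipping a header whose value is empty, which is what keeps the header off plain-http responses and is not obvious from the line itself. I'd extend the comment directly above it: `# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years); $hsts_header is set by _hsts_map.conf and is empty for http requests, so add_header emits nothing on them`. The hunk closes three `{% endif %}` but opens only two `{% if %}`, so a third guard must open on line 1 outside the hunk.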
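Review bot: `map` defines an http-scope variable, and every host template in this patch (`dead_host.conf`, `proxy_host.conf`, `redirection_host.conf`, plus `_location.conf`) emits its own `map $scheme $hsts_header` with that host's `hsts_subdomains` value baked in; as far as I know nginx accepts the repeated definition and the last one parsed wins, so with several hosts loaded a host that asked for `includeSubDomains` serves whichever value the last-parsed host config chose, and vice versa. Making the maps host-independent removes the clobbering: define one map per variant, as below, and let `_hsts.conf` pick the variable with the `hsts_subdomains` test this patch moved out of it, e.g. `add_header Strict-Transport-Security {% if hsts_subdomains == 1 or hsts_subdomains == true %}$hsts_header_subdomains{% else %}$hsts_header{% endif %} always;` (the `_subdomains` variable name is constructed here). The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows; worth adding since this template is spliced into other templates.
```nginx
# Both maps depend only on $scheme, so every host may include this file and
# nginx sees identical redefinitions rather than per-host values.
map $scheme $hsts_header {
    https "max-age=63072000; preload";
}
map $scheme $hsts_header_subdomains {
    https "max-age=63072000; includeSubDomains; preload";
}
```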
@@ -1,3 +1,5 @@
+ {% include "_hsts_map.conf" %}
+
 location {{ path }} {
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Scheme $scheme;
diff --git a/backend/templates/dead_host.conf b/backend/templates/dead_host.conf
index d94dff57..7a06469a 100644
--- a/backend/templates/dead_host.conf
+++ b/backend/templates/dead_host.conf
@@ -1,6 +1,9 @@
 {% include "_header_comment.conf" %}
 {% if enabled %}
+
+{% include "_hsts_map.conf" %}
+
 server {
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index 81a542ea..d23ca46f 100644
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -1,6 +1,9 @@
 {% include "_header_comment.conf" %}
 {% if enabled %}
+
+{% include "_hsts_map.conf" %}
+
 server {
 set $forward_scheme {{ forward_scheme }};
 set $server "{{ forward_host }}";
diff --git a/backend/templates/redirection_host.conf b/backend/templates/redirection_host.conf
index 339fe72e..7dd36079 100644
--- a/backend/templates/redirection_host.conf
+++ b/backend/templates/redirection_host.conf
@@ -1,6 +1,9 @@
 {% include "_header_comment.conf" %}
 {% if enabled %}
+
+{% include "_hsts_map.conf" %}
+
 server {
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}
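Review bot: The include is placed directly above `location {{ path }} {`, a directive nginx only accepts inside a `server {}` block, while `map` is only allowed in the http context; a host with a custom location should therefore fail to load with a `"map" directive is not allowed here` error, and it would be emitted once per custom location besides. The host-level includes this patch adds to `dead_host.conf`, `proxy_host.conf` and `redirection_host.conf` already sit outside `server {`, so the fix is to drop the two added lines from `_location.conf` and rely on those. The enclosing `location` block continues past the end of the hunk.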