From e538066bf4eb2e1356c55c1ed7a46d79c94cda3e Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 28 Jul 2021 13:36:31 +0200
Subject: [PATCH] Optionally include subdomains in transport security.
---
 defaults/main.yml | 2 ++
 templates/nginx-server-ssl.conf.j2 | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 407b7fc..3ccdc89 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,6 +13,8 @@ nginx_org_modules: []
 # enabled: yes
 # See https://mozilla.github.io/server-side-tls/ssl-config-generator/
 nginx_ssl_level: intermediate
+nginx_strict_transport_security_expire: 15768000
+nginx_strict_transport_security_include_subdomains: False
 nginx_snippets_dir: /etc/nginx/snippets
diff --git a/templates/nginx-server-ssl.conf.j2 b/templates/nginx-server-ssl.conf.j2
index f09f52e..d578f53 100644
--- a/templates/nginx-server-ssl.conf.j2
+++ b/templates/nginx-server-ssl.conf.j2
@@ -45,5 +45,5 @@ ssl_trusted_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
 {% else %}
 ssl_trusted_certificate {{ nginx_ssl_fullchain_file | default('/etc/nginx/ssl/cacert.crt') }};
 {% endif %}
-add_header Strict-Transport-Security max-age=15768000;
+add_header Strict-Transport-Security "max-age={{ nginx_strict_transport_security_expire }}{% if nginx_strict_transport_security_include_subdomains %}; includeSubdomains{% endif %}";
 {% endif %}
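Review bot: The new default `nginx_strict_transport_security_include_subdomains: False` uses the capitalised spelling; Ansible's YAML 1.1 loader resolves it to a boolean, but the canonical form is lowercase, so `nginx_strict_transport_security_include_subdomains: false` is preferable and satisfies yamllint's truthy rule. Neither new variable carries a comment, and an operator flipping the subdomain flag should know its reach: I would add `# HSTS max-age in seconds (15768000 is about six months)` above the first line and `# When true, browsers enforce HTTPS on every subdomain of this host, including ones this role does not serve` above the second. The existing `# enabled: yes` two lines up shows the file already leans on 1.1-style booleans, so the lowercase `false` is a nudge toward consistency rather than a functional change.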
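Review bot: The rewritten `add_header` line omits nginx's `always` parameter, so the HSTS header is still only attached to 2xx and 3xx responses and is dropped on error pages, where it matters just as much; I would write `add_header Strict-Transport-Security "max-age={{ nginx_strict_transport_security_expire }}{% if nginx_strict_transport_security_include_subdomains %}; includeSubDomains{% endif %}" always;`. That line also uses the RFC 6797 spelling `includeSubDomains`; directive names are case-insensitive there, so the lowercase `d` in the hunk is a readability point, not a defect. If `nginx_strict_transport_security_expire` is ever overridden with an empty value the template renders `max-age=;`, which is not a valid STS header, so piping the variable through `| int` or asserting it in the role's tasks would make the failure visible at deploy time instead of silently disabling HSTS. The enclosing `{% if %}` block opens outside the hunk, so I cannot see whether this sits in a `server` context where a nearby `add_header` would suppress inheritance.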