From 43b9cb8c41d4cb455ce5c6004ea93100055cd53d Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 18 Sep 2017 18:37:21 +0200
Subject: [PATCH] reverse: allow to disable hsts and headers
---
 reverse/rootfs/nginx/conf.d/hsts.conf | 1 +
 reverse/rootfs/nginx/conf.d/ssl.conf | 2 --
 .../rootfs/nginx/sites-enabled/template_ssl | 1 +
 reverse/rootfs/usr/local/bin/startup | 18 ++++++++++++++++--
 4 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 reverse/rootfs/nginx/conf.d/hsts.conf
diff --git a/reverse/rootfs/nginx/conf.d/hsts.conf b/reverse/rootfs/nginx/conf.d/hsts.conf
new file mode 100644
index 0000000..c3b0734
--- /dev/null
+++ b/reverse/rootfs/nginx/conf.d/hsts.conf
@@ -0,0 +1 @@
+add_header Strict-Transport-Security "max-age=31536000";
diff --git a/reverse/rootfs/nginx/conf.d/ssl.conf b/reverse/rootfs/nginx/conf.d/ssl.conf
index 08cc05b..e94fd68 100644
--- a/reverse/rootfs/nginx/conf.d/ssl.conf
+++ b/reverse/rootfs/nginx/conf.d/ssl.conf
@@ -6,5 +6,3 @@ ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:20m;
 ssl_session_timeout 15m;
 ssl_session_tickets off;
-
-add_header Strict-Transport-Security "max-age=31536000";
diff --git a/reverse/rootfs/nginx/sites-enabled/template_ssl b/reverse/rootfs/nginx/sites-enabled/template_ssl
index 70a6fc5..d8d8206 100644
--- a/reverse/rootfs/nginx/sites-enabled/template_ssl
+++ b/reverse/rootfs/nginx/sites-enabled/template_ssl
@@ -17,6 +17,7 @@ server {
 ssl_trusted_certificate /nginx/ssl/certificates/.chain.pem;
 include /nginx/conf.d/ssl.conf;
 include /nginx/conf.d/headers.conf;
+ include /nginx/conf.d/hsts.conf;
 include /nginx/path.d//*.conf;
diff --git a/reverse/rootfs/usr/local/bin/startup b/reverse/rootfs/usr/local/bin/startup
index 57ad10b..7385a3a 100644
--- a/reverse/rootfs/usr/local/bin/startup
+++ b/reverse/rootfs/usr/local/bin/startup
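Review bot: The new hsts.conf sets Strict-Transport-Security only on successful and redirect responses, because `add_header` without the `always` parameter is skipped on error status codes; a browser whose first contact with the host is a 4xx/5xx page never receives the policy. `add_header Strict-Transport-Security "max-age=31536000" always;` attaches it to every response. Now that the header no longer lives in ssl.conf, a one-line comment should pin down where this file may be included from, e.g. `# TLS server blocks only; toggled per host by the reverse.frontend.hsts label`.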
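Review bot: Including the HSTS add_header at server level in template_ssl is silently undone in any location block that sets its own `add_header`, since nginx only inherits add_header directives from the enclosing level when the current level defines none. The path.d snippets included on the following line are not part of this diff, so whether any of them set headers cannot be confirmed here; if they do, HSTS disappears on exactly those paths. A comment next to the include, e.g. `# add_header is not merged across levels; re-include hsts.conf in any location that adds headers`, records the constraint for whoever writes path.d files.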
@@ -36,6 +36,12 @@ f_gen_sites_enabled() {
 template_sites=/nginx/sites-enabled/template
 fi
 sed -e 's||'${FRONTEND_DOMAIN}'|' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+ if [ "${FRONTEND_HSTS}" == "false" ]; then
+ sed -i -e "s|include /nginx/conf.d/hsts.conf|#include /nginx/conf.d/hsts.conf|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+ fi
+ if [ "${FRONTEND_HEADERS}" == "false" ]; then
+ sed -i -e "s|include /nginx/conf.d/headers.conf|#include /nginx/conf.d/headers.conf|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+ fi
 }
 f_gen_location() {
@@ -101,9 +107,11 @@ f_make_conf() {
 FRONTEND_PATH="/"
 FRONTEND_SSL=false
 FRONTEND_AUTH=""
+ FRONTEND_HSTS=true
+ FRONTEND_HEADERS=true
 container_name=$1
- IFS=$'\n'
+ IFS=$'\n'
 if [ "${CONTAINER_LABELS}" != "" ]; then
 for label in ${CONTAINER_LABELS}; do
 case "$(echo ${label} | awk '{print $1}')" in
@@ -123,15 +131,21 @@ f_make_conf() {
 "reverse.frontend.domain_max_body_size")
 FRONTEND_MAX_BODY_SIZE="$(echo ${label} | awk '{print $2}')"
 ;;
+ "reverse.frontend.headers")
+ FRONTEND_HEADERS="$(echo ${label} | awk '{print $2}')"
+ ;;
 "reverse.frontend.ssl")
 FRONTEND_SSL="$(echo ${label} | awk '{print $2}')"
 ;;
+ "reverse.frontend.hsts")
+ FRONTEND_HSTS="$(echo ${label} | awk '{print $2}')"
+ ;;
 "reverse.backend.port")
 BACKEND_PORT="$(echo ${label} | awk '{print $2}')"
 ;;
 esac
 done
- f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL} and port=${BACKEND_PORT}"
+ f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, hsts=${FRONTEND_HEADERS}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL}, hsts=${FRONTEND_HSTS} and port=${BACKEND_PORT}"
 f_gen_location ${container_name}
 f_gen_sites_enabled
 f_gen_certs ${container_name}
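Review bot: Both new tests in f_gen_sites_enabled use `==` inside `[ ]`, which is a bash extension; if the script runs under a POSIX sh (its interpreter line is outside this diff) the test fails with an "unexpected operator" error and the include is never commented out, so a host labelled to run without HSTS or the extra headers would still get them while the startup log shows an error. Use the portable form `[ "${FRONTEND_HSTS}" = "false" ]` and `[ "${FRONTEND_HEADERS}" = "false" ]`. Only the literal string `false` disables an include, so values such as `False`, `0` or `no` leave HSTS and headers.conf active — that is the safe direction, but it should be stated above the first test, e.g. `# reverse.frontend.hsts / reverse.frontend.headers: only the exact value "false" disables the include`.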
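Review bot: The rewritten f_log line prints `hsts=` twice, first with `${FRONTEND_HEADERS}` and then with `${FRONTEND_HSTS}`, so an operator checking the log to confirm a host's HSTS state reads the headers toggle under the wrong name; the first occurrence should be `headers=${FRONTEND_HEADERS}`. The fixed line is `f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, headers=${FRONTEND_HEADERS}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL}, hsts=${FRONTEND_HSTS} and port=${BACKEND_PORT}"`. Since turning HSTS off on a TLS-enabled host is a deliberate downgrade, logging that case separately at whatever warning level f_log supports would make it easy to audit from the container output. f_make_conf begins before this hunk and its label loop is only partly visible here.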