Merge pull request #3866 from dialoghq/feature/HSTS

mboersma · mboersma · commit 11a6698af073 · 2015-06-18T12:41:19.000-06:00
feat(router): enable HSTS when enforceHTTPS is set
diff --git a/docs/customizing_deis/router_settings.rst b/docs/customizing_deis/router_settings.rst
@@ -59,6 +59,10 @@ setting                                      description
 /deis/router/gzipVary                        nginx gzipVary setting (default: on)
 /deis/router/gzipDisable                     nginx gzipDisable setting (default: "msie6")
 /deis/router/gzipTypes                       nginx gzipTypes setting (default: "application/x-javascript application/xhtml+xml application/xml application/xml+rss application/json text/css text/javascript text/plain text/xml")
+/deis/router/hsts/enabled                    enable HTTP Strict Transport Security headers for HTTPS requests (default: false)
+/deis/router/hsts/maxAge                     maximum number of seconds user agents should observe HSTS rewrites (default: 10886400)
+/deis/router/hsts/includeSubDomains          enforce HSTS for requests on all subdomains (default: false)
+/deis/router/hsts/preload                    allow the domain to be included in the HSTS preload list (default: false)
 /deis/router/maxWorkerConnections            maximum number of simultaneous connections that can be opened by a worker process (default: 768)
 /deis/router/serverNameHashMaxSize           nginx server_names_hash_max_size setting (default: 512)
 /deis/router/serverNameHashBucketSize        nginx server_names_hash_bucket_size (default: 64)
diff --git a/router/boot.go b/router/boot.go
@@ -59,6 +59,7 @@ func main() {
 	mkdirEtcd(client, "/deis/builder")
 	mkdirEtcd(client, "/deis/certs")
 	mkdirEtcd(client, "/deis/router/hosts")
+	mkdirEtcd(client, "/deis/router/hsts")
 
 	setDefaultEtcd(client, etcdPath+"/gzip", "on")
 
diff --git a/router/image/templates/nginx.conf b/router/image/templates/nginx.conf
@@ -69,7 +69,17 @@ http {
       ''      $scheme;
     }
 
-    {{ $enforceHTTPS := or (getv "/deis/router/enforceHTTPS") "false" }}
+    ## HSTS instructs the browser to replace all HTTP links with HTTPS links for this domain until maxAge seconds from now
+    {{ $enableHSTS := or (getv "/deis/router/hsts/enabled") "false" }}
+    {{ $maxAgeHSTS := or (getv "/deis/router/hsts/maxAge") "10886400" }}
+    {{ $includeSubdomainsHSTS := or (getv "/deis/router/hsts/includeSubDomains") "false" }}
+    {{ $preloadHSTS := or (getv "/deis/router/hsts/preload") "false" }}
+    map $access_scheme $sts {
+      'https' 'max-age={{ $maxAgeHSTS }}{{ if eq $includeSubdomainsHSTS "true" }}; includeSubDomains{{ end }}{{ if eq $preloadHSTS "true" }}; preload{{ end }}';
+    }
+
+    ## since HSTS headers are not permitted on HTTP requests, 301 redirects to HTTPS resources are also necessary
+    {{ $enforceHTTPS := or (getv "/deis/router/enforceHTTPS") $enableHSTS "false" }}
 
     ## start deis-controller
     {{ if exists "/deis/controller/host" }}
@@ -115,6 +125,10 @@ http {
           return 301 https://$host$request_uri;
         }
         {{ end }}
+
+        {{ if eq $enableHSTS "true" }}
+        add_header Strict-Transport-Security $sts always;
+        {{ end }}
     }
     ## end deis-controller
 
@@ -230,6 +244,10 @@ http {
             }
             {{ end }}
 
+            {{ if eq $enableHSTS "true" }}
+            add_header Strict-Transport-Security $sts always;
+            {{ end }}
+
             ## workaround for nginx hashing empty string bug http://trac.nginx.org/nginx/ticket/765
             {{ if exists "/deis/router/affinityArg" }}
             set_random $prng 0 99;
@@ -288,6 +306,10 @@ http {
             }
             {{ end }}
 
+            {{ if eq $enableHSTS "true" }}
+            add_header Strict-Transport-Security $sts always;
+            {{ end }}
+
             proxy_pass                  http://{{ $app }};
         }
         {{ else }}
